Status of OpenSSL 1.1 support
Sebastian Andrzej Siewior
openssh at ml.breakpoint.cc
Mon Oct 16 06:16:13 AEDT 2017
On 2017-10-14 01:24:11 [+0200], Ingo Schwarze wrote:
> Hi Sebastian,
> No, i'm not aware that OpenSSL provided any further help for
> downstream projects who are forced to provide continued support
> for the 1.0 API.
There is just the Wiki things I pointed out.
> Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
> would be a huge effort, and it's unclear if and when it might happen -
> would not solve the main problem because OpenSSH must remain able
> to build on operating systems that provide OpenSSL-1.0 only.
Yes. The compat layer should be fine. The version check should be
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
to deal with libressl but other than that it should work - it worked for
> That question is slowly turning into a frequently answered one:
> Nobody commented on that cautious assessment, so i think it is safe to
> reword the answer more explicitly, even though that may seem slightly
> more aggressive:
> The so-called "compatibility layer" on that wiki page you quote
> appears to be incomplete, untested, unmaintained, hence untrustworthy
> and unusable in a security context like OpenSSH.
It might be incomplete. I can't comment on maintained. All it really
does is to provide access for the opaque structs so I don't understand
the "untrustworthy" & "unusable in a security context" because the
libressl version would look exactly the same.
> Consequently, no support for OpenSSL-1.1 is in sight.
And this will remain as-is until 2020? This is when OpenSSL 1.0.2 is
no longer maintained. So by then it has to either work with 1.1 or people
must use libressl instead.
> If you want to run on an operating system that burnt all bridges
> and only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the
> only responsible thing you can do is to build OpenSSH against
> LibreSSL rather than against OpenSSL on that platform. It should
> work quite well because LibreSSL supports a wide range of modern
> platforms by now:
Responsible, you name it. Okay. I would like to find a solution without
the need to package libressl. One way would be to keep 1.0.2 around
until 2020 but…