Status of OpenSSL 1.1 support

Colin Watson cjwatson at debian.org
Mon Oct 16 08:51:46 AEDT 2017


On Sat, Oct 14, 2017 at 11:40:30AM +1100, Damien Miller wrote:
> On Fri, 13 Oct 2017, Sebastian Andrzej Siewior wrote:
> > more or less a year ago Kurt Roeckx provided an initial port towards the
> > OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
> > been complained about a missing compat layer of the new vs the old API
> > within the OpenSSL library [2].
> > This is how I reconstructed the situation as of today and I am not
> > aware of any progress in regard to the newer library within the OpenSSH
> > project. Did I miss any significant development?
> > 
> > In the `meantime', OpenSSL provides a kind of compat layer [3] which
> > (they suggested) should be included in the downstream projects [4].
> 
> The compatibility layer is unversioned, incomplete, barely documented
> and seems to be unmaintained. Because it isn't a library, they require
> it to be added to downstream projects directly. This isn't even close
> to a solution.

Fair enough; but at the risk of telling you something you already know,
the situation where distributions that want to get off old versions of
OpenSSL have to choose between packaging LibreSSL (and thus, in
practice, ending up maintaining multiple SSL library versions, which is
exactly what our security teams tend to want to keep to a minimum) or
passing around samizdat versions of an enormous patch is not exactly
ideal either.  It's kind of an unedifying stalemate.

https://mta.openssl.org/pipermail/openssl-users/2017-April/005540.html
suggests that the OpenSSL folks want an external contributor to maintain
such a layer.  I've been trawling back through OpenSSL mailing lists and
not found much else in the way of discussion about this, although of
course I could have missed something.  Has there been any discussion
between the two sets of developers about all this, or is it all sort of
arm's length?

Is it actually a requirement that an API compatibility layer be
maintained by the OpenSSL team, or could a hypothetical group of
external developers interested in breaking this stalemate fork
openssl-compat.tar.gz, stick it in a git repository somewhere, and start
making versioned releases and trying to address the other problems you
describe?  Of course that's only really a worthwhile exercise if OpenSSH
would be willing to use it, and it would be good to limit the scope of
the problem to "things needed by the handful of projects that really
need this" rather than "the entire OpenSSL 1.0 API".

(I am not at all sure I want to be part of such a hypothetical group of
developers, and I definitely don't want to be in it on my own, but it
might be better than the alternatives.  At the moment it seems clear
that neither the OpenSSL nor OpenSSH developers want the task.)

> In the absence of any progress, I'm considering adding some build sugar
> to simplify the process of building (and possibly fetching) LibreSSL as
> part of the OpenSSH build process. AFAIK Apple's OpenSSH distribution is
> already linked against LibreSSL (and of course, OpenBSD does too), so
> IMO it's had enough road-testing for general use.

This would be a pretty bad option for me as a distributor - it'd mean
I'd have to keep track of LibreSSL security updates.

-- 
Colin Watson                                       [cjwatson at debian.org]