Status of OpenSSL 1.1 support

Colin Watson cjwatson at
Tue Oct 17 03:38:56 AEDT 2017

On Mon, Oct 16, 2017 at 05:18:59PM +0200, Ingo Schwarze wrote:
> Colin Watson wrote on Mon, Oct 16, 2017 at 10:26:03AM +0100:
> > Which leads me back to my previous question: what conversations have
> > there been between the OpenSSH and OpenSSL developers about this
> > problem?  Has OpenSSL upstream actually been told directly by OpenSSH
> > that this is a problem, or are they only hearing about this from users
> > trying to compile OpenSSH against 1.1?  I've only found evidence of the
> > latter in public mailing list posts so far.
> I'm not completely sure, i don't know all the private communications
> either.

Right, that's why I keep asking. :-)  I'm not interested in rehashing
communication problems, just trying to find out what the state of play
is; for example if the answer is that nobody has really properly brought
this to the OpenSSL developers then an obvious way in which I could at
least try to improve the situation would be to do so!  (It might not
solve the problem, but it would be better than for example assuming
they're aware of it when they aren't.)

> > If my only other option is to use LibreSSL, then that will mean
> > packaging LibreSSL separately, and
> > seems to have petered out a couple of years ago,
> Reading that thread, my impression is that the main reason is that
> the question "what is this needed for" was never fully answered.
> You don't really have to package a library that nothing is using yet.
> Sure, there were also some technical issues raised, but the thread
> seems generally constructive to me, even if back then, nobody was
> in enough of a fix to actually put in the required work.
> I imagine if you, as the SSH maintainer, spoke up and said: "OpenSSH
> requires an OpenSSL-1.0 compatible API, so we must have either an
> OpenSSL-1.0 or a LibreSSL package in Debian" that might carry some
> weight and may either make people think again about deleting
> OpenSSL-1.0 or revitalize the thread about LibreSSL.

That was indeed on my list of things to do; I've replied to the bug
above with a summary of the situation, and copied debian-devel.

> Doesn't Debian have a policy that established APIs supported upstream
> cannot be deleted while important software still uses them?

Well, in general, sure, that sort of thing is enforced by what amounts
to distribution-wide CI.  But the situation would still amount to a
release-critical bug *somewhere*, and I could well end up in a situation
where I can't effectively upload new changes until it's sorted out.

> I completely understand that you are in a difficult situation and
> that you like none of the options you have:
>  (1) package LibreSSL
>  (2) bundle LibreSSL
>  (3) keep the existing OpenSSL-1.0 package (still supported upstream)

That's an accurate summary, yes.  For completeness, I do think that (4)
apply the patch from Kurt/Fedora is an option.  I don't think it's a
good option, both for the reasons you have and for the reason that it
would be a ton of ongoing maintenance work for me, but it is an option.

We'll see how the debian-devel conversation works out, but I would like
to know the communication status so that (if necessary) I can also
appeal to the OpenSSL folks.

Colin Watson                                       [cjwatson at]

More information about the openssh-unix-dev mailing list