Status of OpenSSL 1.1 support - Thoughts

Ingo Schwarze schwarze at
Thu Oct 19 01:15:35 AEDT 2017


jpbion at wrote on Wed, Oct 18, 2017 at 05:53:21AM -0700:

> 4) As a first result, with no judgement on anyone, just looking at the 
> data - the root cause of this issue seems to be the split of LibreSSL 
> from OpenSSL

No, you are totally misrepresenting the situation.  The root cause
is the split of OpenSSL-1.1 from OpenSSL-1.0, and that OpenSSL
dumped the large and dangerous work of dealing with the large-scale
API change on each and every application project instead of providing
an official transition path that can be taken seriously.

LibreSSL has almost nothing to do with the problem.  Even if LibreSSL
had never happened, the same problem would still exists.

Oh, wait, LibreSSL has to do with it in one sense.  It is available
as one possible way to *solve* the problem.  Either temporarily or
for good, whichever you like.

> OpenSSL and LibreSSL, given the fact neither seems to have a desire
> to maintain compatibility with the other (again, as far as I can see).

That is an unfounded allegation.  Of course LibreSSL has a desire
to eventually integrate the 1.1 API.  Joel has said so long ago,
in public, that in principle, opaque structs are a good concept
[for example citation 1: Dec 30, 2016], and i have heard repeated
discussions inside the LibreSSL project on how to get there.  It
is just a lot of work, it is made harder by the lack of a clear
migration path, and it is of limited usefulness as long as application
programs must still support the OpenSSL-1.0 API.  That's what
prevented it from getting done so far.

Given that you got the facts wrong, your conclusions are misleading
as well.  All this was explained already, so your mail sounds almost
trollish: It should already be well-known that the central design
goal of LibreSSL is to be a compatible drop-in replacement for
OpenSSL - at the time of the fork, that was OpenSSL-1.0.  If, after
the fork, OpenSSL breaks its own API and leaves users in the rain,
blaming that on LibreSSL is quite dishonest.  Even if the API break
is so severe that it takes LibreSSL substantially more than a year
to deal with it, even if LibreSSL hasn't yet solved the problem for
its own purposes.

The real problem is:  How is OpenSSH supposed to support OpenSSL-1.0
and OpenSSL-1.1 at the same time, given that the API break is so
severe that switching from one to the other requires a 3000+ line



More information about the openssh-unix-dev mailing list