Status of OpenSSL 1.1 support - Thoughts

jpbion at jpbion at
Thu Oct 19 02:11:05 AEDT 2017

(Re-sent as I used the wrong account before - edited slightly)

I’m sorry you see my post as potentially trollish - it was not meant 
that way. So let me try to restate things.

I have nothing against libreSSL, and I do think the OpenSSL api change 
was poorly executed. I am just speaking, as a solo semi retired 
hobbyist, who spends most of his server coding time on private weather 
station software, (I don’t do this stuff for work - this is all on my 
own time) I feel really left in a bind. OpenSSH is a fantastic tool, but 
I worry I will end up not being able to use it. I am not on all the 
mailing lists - this is why I repeatedly said “as far as I can see” 
acknowledging my limited knowledge of the details. The end users of 
these tools have been dealing with the nightmare of the OpenSSL changes 
for about a year now. Nor do I see this as anyone’s “fault” - except as 
I said OpenSSL created a pile of work for everyone.

The real point of my note is: I don’t see OpenSSL and LibreSSL merging 
any time soon. Even if libreSSL puts in opaque structures, what if the 
two teams view ways to handle the issues of 2018, and beyond 
differently? Is API comparability, a goal at the start, going to remain 
a primary goal of both teams, especially if one of the two teams make 
choices seen as ill-founded by the other? I don’t know - so I ask - and 
without knowing, I worry that more API divergence will occur. Again, the 
OpenSSL changes were a huge gulp - and others may question the wisdom of 
staying in lock-step to those changes. As a result, i worry if it will 
be possible to maintain software, over time, that supports both variants 
of SSL stack. As such, I worry if a day comes that I can’t use openssh, 
because too many other things I depend upon CAN'T use libreSSL.

Please tell me where this core concern of mine is misplaced - because I 
would surely like my concern to be ill-founded and mistaken.

On 2017-10-18 07:15, Ingo Schwarze wrote:
> Hi,
> jpbion at wrote on Wed, Oct 18, 2017 at 05:53:21AM -0700:
>> 4) As a first result, with no judgement on anyone, just looking at the
>> data - the root cause of this issue seems to be the split of LibreSSL
>> from OpenSSL
> No, you are totally misrepresenting the situation.  The root cause
> is the split of OpenSSL-1.1 from OpenSSL-1.0, and that OpenSSL
> dumped the large and dangerous work of dealing with the large-scale
> API change on each and every application project instead of providing
> an official transition path that can be taken seriously.
> LibreSSL has almost nothing to do with the problem.  Even if LibreSSL
> had never happened, the same problem would still exists.
> Oh, wait, LibreSSL has to do with it in one sense.  It is available
> as one possible way to *solve* the problem.  Either temporarily or
> for good, whichever you like.
>> OpenSSL and LibreSSL, given the fact neither seems to have a desire
>> to maintain compatibility with the other (again, as far as I can see).
> That is an unfounded allegation.  Of course LibreSSL has a desire
> to eventually integrate the 1.1 API.  Joel has said so long ago,
> in public, that in principle, opaque structs are a good concept
> [for example citation 1: Dec 30, 2016], and i have heard repeated
> discussions inside the LibreSSL project on how to get there.  It
> is just a lot of work, it is made harder by the lack of a clear
> migration path, and it is of limited usefulness as long as application
> programs must still support the OpenSSL-1.0 API.  That's what
> prevented it from getting done so far.
> Given that you got the facts wrong, your conclusions are misleading
> as well.  All this was explained already, so your mail sounds almost
> trollish: It should already be well-known that the central design
> goal of LibreSSL is to be a compatible drop-in replacement for
> OpenSSL - at the time of the fork, that was OpenSSL-1.0.  If, after
> the fork, OpenSSL breaks its own API and leaves users in the rain,
> blaming that on LibreSSL is quite dishonest.  Even if the API break
> is so severe that it takes LibreSSL substantially more than a year
> to deal with it, even if LibreSSL hasn't yet solved the problem for
> its own purposes.
> The real problem is:  How is OpenSSH supposed to support OpenSSL-1.0
> and OpenSSL-1.1 at the same time, given that the API break is so
> severe that switching from one to the other requires a 3000+ line
> diff?
> Yours,
>   Ingo
> [1]

More information about the openssh-unix-dev mailing list