Status of OpenSSL 1.1 support - Thoughts

Emmanuel Deloget logout at
Thu Oct 19 02:45:40 AEDT 2017

Hi Ingo,

On Wed, Oct 18, 2017 at 4:15 PM, Ingo Schwarze <schwarze at> wrote:
> Hi,
> jpbion at wrote on Wed, Oct 18, 2017 at 05:53:21AM -0700:
>> 4) As a first result, with no judgement on anyone, just looking at the
>> data - the root cause of this issue seems to be the split of LibreSSL
>> from OpenSSL
> No, you are totally misrepresenting the situation.  The root cause
> is the split of OpenSSL-1.1 from OpenSSL-1.0, and that OpenSSL
> dumped the large and dangerous work of dealing with the large-scale
> API change on each and every application project instead of providing
> an official transition path that can be taken seriously.

Important API change between major releases is something to be
expected. Sometimes the changes are limited, sometimes thay aren't.

The structure of the changes themselves is the reason why the openssl
folks could not provide any migration path (the existance of this path
would have negated the changes themselves). Anyway, this is done, and
I'm not sure we have the power to go back in time to fix that (and I'm
not even sure it's necessary to fix it).

Anyway, I still agree with you: the problem is not the split, it's the
API change.

> LibreSSL has almost nothing to do with the problem.  Even if LibreSSL
> had never happened, the same problem would still exists.
> Oh, wait, LibreSSL has to do with it in one sense.  It is available
> as one possible way to *solve* the problem.  Either temporarily or
> for good, whichever you like.

This is not a good idea IMHO. One want to be able to write
security-related code easily, and the old OpenSSL API (and thus, the
current LibreSSL interface) does not make that simple at all. As a
result, we got many incorrect use of this very API in the past which
led to security issues in many softwares (CVE-2009-0021). While some
degree of API complexity is inherent to the role of the library, I'm
pretty sure you can agree that the simpler it is, the better.

Given the fact that the knowledge of the structures of LibreSSL is
needed to correclty use the library, I hope you'll understand my
point: using LibreSSL as it is today instead of porting to OpenSSL is
not a good idea :)

(Not to mention that more and more software implement compatibility
with OpenSSL 1.1, so asking them to go the other way is not going to
work well).

>> OpenSSL and LibreSSL, given the fact neither seems to have a desire
>> to maintain compatibility with the other (again, as far as I can see).
> That is an unfounded allegation.  Of course LibreSSL has a desire
> to eventually integrate the 1.1 API.  Joel has said so long ago,
> in public, that in principle, opaque structs are a good concept
> [for example citation 1: Dec 30, 2016], and i have heard repeated
> discussions inside the LibreSSL project on how to get there.  It
> is just a lot of work, it is made harder by the lack of a clear
> migration path, and it is of limited usefulness as long as application
> programs must still support the OpenSSL-1.0 API.  That's what
> prevented it from getting done so far.

There is no easy migration path. More precisely, there is only one
migration path, and it's not pretty. To allow applications to do the
jump at their pace, you have to propose both interfaces and mark the
old one as deprecated (and remove it in a subsequent release).

I'd volonteer to do this but given the gigantism of the task, any help
would be appreciated (not to mention that even if Joel agrees with the
idea of having the 1.1 API in LibreSSL, that does not mean he would
agree with my strategy).

> Given that you got the facts wrong, your conclusions are misleading
> as well.  All this was explained already, so your mail sounds almost
> trollish: It should already be well-known that the central design
> goal of LibreSSL is to be a compatible drop-in replacement for
> OpenSSL - at the time of the fork, that was OpenSSL-1.0.  If, after
> the fork, OpenSSL breaks its own API and leaves users in the rain,
> blaming that on LibreSSL is quite dishonest.  Even if the API break
> is so severe that it takes LibreSSL substantially more than a year
> to deal with it, even if LibreSSL hasn't yet solved the problem for
> its own purposes.

I agree with you on this one. The LibreSSL folks are not to be blamed
for this situation.

> The real problem is:  How is OpenSSH supposed to support OpenSSL-1.0
> and OpenSSL-1.1 at the same time, given that the API break is so
> severe that switching from one to the other requires a 3000+ line
> diff?

But at the same time, some ditributions are phasing out OpenSSL 1.0.2
and are integrating OpenSSL 1.1 while at the same time some supported
LTS distributions still rely on older OpenSSL versions. So for a
period of time you'll have to be compatible with both, whether you
like it or not. The question is then: is it up to you to be compatible
with both, or is it up to distributors to provide compatibilty? When
more and more softwares propose their own shim it makes the later less
and less understandable.

> Yours,
>   Ingo


-- Emmanuel Deloget

More information about the openssh-unix-dev mailing list