Status of OpenSSL 1.1 support - Thoughts

[Ingo Schwarze]

Hi Emmanuel,

Emmanuel Deloget wrote on Wed, Oct 18, 2017 at 05:45:40PM +0200:

> Important API change between major releases is something to be
> expected. Sometimes the changes are limited, sometimes thay aren't.
>
> The structure of the changes themselves is the reason why the openssl
> folks could not provide any migration path (the existance of this path
> would have negated the changes themselves).

True, but only in the 1.0 release series, while still attaining the
goal of making the transition manageable for application projects.
When you implement a major redesign, you can never expect to reap
the benefit in the old stable branch.  The way OpenSSL did it doesn't
achieve that either.

> Ingo Schwarze wrote:

>> Oh, wait, LibreSSL has to do with it in one sense.  It is available
>> as one possible way to *solve* the problem.  Either temporarily or
>> for good, whichever you like.

> This is not a good idea IMHO. One want to be able to write
> security-related code easily, and the old OpenSSL API (and thus, the
> current LibreSSL interface) does not make that simple at all. As a
> result, we got many incorrect use of this very API in the past which
> led to security issues in many softwares (CVE-2009-0021). While some
> degree of API complexity is inherent to the role of the library, I'm
> pretty sure you can agree that the simpler it is, the better.
> 
> Given the fact that the knowledge of the structures of LibreSSL is
> needed to correclty use the library, I hope you'll understand my
> point: using LibreSSL as it is today instead of porting to OpenSSL is
> not a good idea :)

For the short term, it is of the same order of quality as using
the officially maintained OpenSSL-1.0 branch, or maybe even a bit
better because it may have fewer bugs.  Of course, neither gets
the benefits of opaque structs, but both allow working around the
transition problem.

In the long term, LibreSSL will hopefully transition to opaque structs
as well, only less rushed and with a better transition plan, at which
point your argument will become moot.

> More precisely, there is only one migration path, and it's not pretty.
> To allow applications to do the jump at their pace, you have to propose
> both interfaces and mark the old one as deprecated (and remove it in
> a subsequent release).

Precisely.  That is how you do a large-scale change that is
incompatible both ways in a widely-used library:

 1. Say you are at version 41.0.
 2. Add the new interfaces in version 41.1 (minor bump).
 3. Invite some application projects to switch to the new interfaces.
 4. Help them with the switch and learn from the experience.
 5. Quite probably, you will have to publish bug fix releases
    41.1.1 and 41.1.2 to improve what you did in steps 2 to 4.
 6. Invite *all* users to switch.
 7. Once many of your users have switched, announce future deprecation.
 8. Wait some time.
 9. Announce end of life for a specific date.
 10. Remove the old interfaces in version 42.0 (major bump).

OpenSSL jumped the shark and skipped steps 3 to 9, doing 1 and 10
in one single leap.

Of course, you can't get the full benefit until step 10, in particular
when the point is to improve encapsulation.  But that's no excuse
for putting users in an impossible situation.

If, for whatever reason, you realize too late that you completely
forgot about steps 3 to 9, you can still mitigate part of the havoc
done by doing step 2 after step 10, enabling the forgotten migration
path.  Better late than never.

> I'd volonteer to do this but given the gigantism of the task, any help
> would be appreciated (not to mention that even if Joel agrees with the
> idea of having the 1.1 API in LibreSSL, that does not mean he would
> agree with my strategy).

You could offer your help for providing that migration path to the
OpenSSL project, if you feel qualified and willing to provide such
help.  I think you should definitely use the expertise of the OpenSSL
developers to make sure that providing the migration path doesn't
introduce bugs and vulnerabilities, and avoid working as a lone
wolf if possible.

> But at the same time, some ditributions are phasing out OpenSSL 1.0.2
> and are integrating OpenSSL 1.1 while at the same time some supported
> LTS distributions still rely on older OpenSSL versions. So for a
> period of time you'll have to be compatible with both, whether you
> like it or not. The question is then: is it up to you to be compatible
> with both,

The OpenSSH project simply doesn't have the manpower to maintain
compatibility with both at the same time, and even if it had, doing
so would compromise the central project goal of security through
simplicity and diligence.

> or is it up to distributors to provide compatibilty?

That will be beyond the means of many distributors, in which case
they either need to use OpenSSL-1.0 or LibreSSL for OpenSSH.

Even for those distributors who can afford the required manpower,
i consider attempting to maintain a 3000+ line vendor patch risky,
and maintaining a non-official compat layer risky as well.  Quite
respectable vendors have screwed up with three-line patches in the
past, how can anybody feel confident about a 3000-line vendor patch?
How sure can you feel that none of these 3000 lines causes non-obvious
problems?  That also answers the question Jakub Jelen asked why i
would feel uncomfortable about using Fedora.

Yours,
  Ingo