Status of OpenSSL 1.1 support - Thoughts
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Oct 19 11:35:50 AEDT 2017
Well, in that case, didn't Fedora provide exactly what you say you want?
Then the path forward for OpenSSH is sensible: port the code to the new API, and include Fedora-like library to interface with OpenSSL-1.0.x.
So what's the problem? ;-)
Regards,
Uri
Sent from my iPhone
> On Oct 18, 2017, at 18:44, Damien Miller <djm at mindrot.org> wrote:
>
>> On Wed, 18 Oct 2017, Blumenthal, Uri - 0553 - MITLL wrote:
>>
>> OpenSSL developers believed that there was a need for a significant
>> change. A part of that change was a conscious choice to break (some
>> of) the existing API. They considered that pain unavoidable. So far I
>> happen to agree with their rationale and approach. Move from visible
>> internal structures to accessor functions is a good thing, regardless
>> of what you may think of it. And the new API *is* better, again like
>> it or not.
>>
>> I understand the frustration with lack of a “migration library”,
>> but how to you see a “shim” that allows code that relies on being
>> able to directly access members of structures, run unmodified (just
>> recompiled)?
>
> You've got this exactly backwards. We don't want a shim that allows
> OpenSSL-1.1 to present a OpenSSL-1.0 API. We want a shim that allows
> us to use the OpenSSL-1.1 API when using OpenSSL-1.0, so we don't have
> to maintain a forest of #ifdefs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5801 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20171019/d41da141/attachment-0001.p7s>
More information about the openssh-unix-dev
mailing list