Status of OpenSSL 1.1 support - Thoughts

Gert Doering gert at
Thu Oct 19 18:11:22 AEDT 2017


On Thu, Oct 19, 2017 at 06:03:29PM +1100, Damien Miller wrote:
> > > You've got this exactly backwards. We don't want a shim that allows
> > > OpenSSL-1.1 to present an OpenSSL-1.0 API. We want a shim that allows
> > > us to use the OpenSSL-1.1 API when using OpenSSL-1.0, so we don't have
> > > to maintain a forest of #ifdefs.
> > 
> > For obvious reasons this shim cannot exist.  If the structure member is
> > not visible anymore (and might not actually look the way you think it
> > does), you cannot provide structure definitions that magically give you
> > access to the members again.
> You might want to read what I wrote again, because you've got it
> backwards too:
> "We want a shim that allows us to use the ***OpenSSL-1.1 API*** when
> using OpenSSL-1.0"

Indeed, sorry.  I overlooked the "don't" in the first sentence, and did
not have enough coffee yet.

> The OpenSSL 1.1 API is the one with the opaque structures, so there's
> no intrinsic problem implementing it for the 1.0 library, which doesn't.


So your main gripe is that you want this to be part of the next OpenSSL 1.0
release, and not maintain the shim yourself as part of the OpenSSH
code base?

(The latter is what we did for OpenVPN, and the shim is really very
simple - while it has 650 lines of code, half of that is comment, and
the rest is straightforward and mostly trivial.  Emanuel Deloget wrote
it, who has already offered to help with OpenSSH if the path is acceptable
and the help is welcome)

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at
fax: +49-89-35655025                        gert at
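
An added example (not from the original message, and not the OpenVPN or OpenSSH code) of the shim direction discussed above: the OpenSSL 1.1 accessors `RSA_get0_key` and `RSA_set0_key` implemented over a 1.0-style struct whose members are visible. The `BIGNUM` and `RSA` types, `BN_free` and `demo_bn` are stand-ins assumed here so the block builds without OpenSSL headers.

```c
#include <stdlib.h>
/* Stand-ins (assumption) so this builds without OpenSSL headers. */
typedef struct { int value; } BIGNUM;        /* toy bignum */
typedef struct { BIGNUM *n, *e, *d; } RSA;   /* 1.0 style: members visible */
static void BN_free(BIGNUM *b) { free(b); }
static BIGNUM *demo_bn(int v) {              /* hypothetical helper */
    BIGNUM *b = malloc(sizeof *b);
    if (b) b->value = v;
    return b;
}

/* Shim: real code guards this part with OPENSSL_VERSION_NUMBER < 0x10100000L. */
static void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) {
    if (n) *n = r->n;
    if (e) *e = r->e;
    if (d) *d = r->d;
}
/* Owns non-NULL arguments, frees what it replaces; a new key needs n and e. */
static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
    if ((!r->n && !n) || (!r->e && !e)) return 0;
    if (n) { BN_free(r->n); r->n = n; }
    if (e) { BN_free(r->e); r->e = e; }
    if (d) { BN_free(r->d); r->d = d; }
    return 1;
}

/* Caller code written once against the 1.1 API, no #ifdef at the call site. */
int public_exponent(const RSA *r) {
    const BIGNUM *e = NULL;
    RSA_get0_key(r, NULL, &e, NULL);
    return e ? e->value : -1;
}
/* Set a key, replace only e, read it back through the accessor. */
int demo_replace_exponent(void) {
    RSA r = {0};
    if (!RSA_set0_key(&r, demo_bn(3233), demo_bn(17), NULL)) return -1;
    if (!RSA_set0_key(&r, NULL, demo_bn(65537), NULL)) return -1;
    int e = public_exponent(&r);
    BN_free(r.n); BN_free(r.e);
    return e;
}
/* A fresh key given n but no e is rejected; the caller still owns n. */
int demo_reject_partial(void) {
    RSA r = {0};
    BIGNUM *n = demo_bn(3233);
    int ok = RSA_set0_key(&r, n, NULL, NULL);
    BN_free(n);
    return ok;
}
int main(void) { return !(demo_replace_exponent() == 65537 && demo_reject_partial() == 0); }
```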

More information about the openssh-unix-dev mailing list