Status of OpenSSL 1.1 support

Michael Felt michael at felt.demon.nl
Fri Oct 20 18:20:58 AEDT 2017


My apologies - stuck in Draft for a week -

I think if I wanted to "experiment" I would look at the compile flag to 
not use either openssl or libressl. (also hinted at in another post - 
and see below).

As AIX uses archives - rather than .so files (actually it can use both) - 
both libressl and openssl "members" can be in the same archive. How 
well, or how broken, support for a mixed openssl-1.0, openssl-1.0 and 
libressl-X.Y is depends on the effort spent by 'the vendor' or packager.

As a packager - I may even consider using static linking - rather than 
dynamic linking - at least until the dust settles.

IMHO - there is no fear of OpenSSH going away. (Where there is a will - 
there is a way.)

Actually - what is the 'state of the world' these days?

e.g., Fedora has been mentioned, but my Linux focus is more on CentOS 
(currently 11-16). The DVD installs (release 1116) OpenSSH_6.6.1p1, 
OpenSSL 1.0.1e-fips 11 Feb 2013 - not my idea of latest and greatest. 
So, maybe Fedora is closer to latest and greatest. (I have my reasons 
for not chasing the latest updates - I have a lot to test at an officially 
recognized level before throwing updates on).

In other words - do not compare Linux/UNIX - vendor - releases with OpenBSD.

If I understand many of the comments - OpenSSL - has basically put 'the 
world' into a difficult situation - but until someone (i.e., a 
commercial vendor) has a release that can be sold to a government 
organization (I am thinking US DoD projects) - we can expect many 
applications to have two branches - if they need OpenSSL at all - and 
support for the old branch shall wither and die. My humble opinion.

Another reason I do not worry is because I have learned to package the 
bits of the world that are important to me - and maybe getting budget to 
do this in your organization is a wise move.

The other thing I am going to look into is changing my current 
sshd_config (if I read an earlier note correctly) from:

#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
#HostKey /var/openssh/etc/ssh_host_ed25519_key

to

#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
HostKey /var/openssh/etc/ssh_host_ed25519_key

i.e., whatever key that is going to work without OpenSSL. Very easy to 
test - and 'reset' if it isn't working.

My motto: what is easy to do - and easy to undo - with resources at hand.

Sent from my iPhone

> On 14 Oct 2017, at 11:23, Peter Stuge <peter at stuge.se> wrote:
> 
> Damien Miller wrote:
>> I'm considering adding some build sugar to simplify the process of
>> building (and possibly fetching) LibreSSL as port of the OpenSSH
>> build process.
> 
> Please don't add any fetching, even opt-in, at the very least. It's
> often a mistake, and a decision that is difficult to revert once it
> becomes taken for granted.
> 
> 
> Thanks
> 
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
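As an added example (not code from the post, from OpenSSH, or from the list), a small Python checker for the sshd_config change described above: it lists the HostKey directives that are actually active and flags any whose key type is assumed here not to work in an OpenSSH built without OpenSSL (ed25519 is taken as the only type that does). Key types are inferred from the conventional ssh_host_<type>_key file names, which is also an assumption; the sample configs are constructed from the post.

```python
"""Check which HostKey lines in an sshd_config are active, and whether they
would still load in an OpenSSH built without OpenSSL."""
import re

# Assumption: without OpenSSL only ed25519 host keys are usable; rsa, dsa and
# ecdsa all need libcrypto. Everything not in this set is reported as a problem.
KEY_TYPES_WITHOUT_OPENSSL = {"ed25519"}

# Assumption: key files follow the usual ssh_host_<type>_key naming.
KEY_FILE_RE = re.compile(r"ssh_host_([a-z0-9]+)_key$")


def active_host_keys(config_text):
    """Return HostKey paths that are not commented out, in file order."""
    keys = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or a commented-out directive
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            keys.append(parts[1].strip())
    return keys


def key_type_from_path(path):
    """Extract 'rsa', 'dsa', 'ecdsa', 'ed25519', ... from a host key path."""
    match = KEY_FILE_RE.search(path)
    return match.group(1) if match else None


def check_without_openssl(config_text):
    """Split active HostKey paths into (usable_without_openssl, needs_openssl).

    An empty active list means sshd falls back to its compiled-in defaults,
    which the caller should treat as 'not explicitly verified'."""
    usable, needs_openssl = [], []
    for path in active_host_keys(config_text):
        ktype = key_type_from_path(path)
        target = usable if ktype in KEY_TYPES_WITHOUT_OPENSSL else needs_openssl
        target.append(path)
    return usable, needs_openssl


# Constructed samples: the 'before' and 'after' blocks from the post, plus a
# mixed one with an RSA key left enabled.
BEFORE = "\n".join("#HostKey /var/openssh/etc/ssh_host_%s_key" % t
                   for t in ("rsa", "dsa", "ecdsa", "ed25519"))
AFTER = BEFORE.replace("#HostKey /var/openssh/etc/ssh_host_ed25519_key",
                       "HostKey /var/openssh/etc/ssh_host_ed25519_key")
MIXED = AFTER.replace("#HostKey /var/openssh/etc/ssh_host_rsa_key",
                      "HostKey /var/openssh/etc/ssh_host_rsa_key")
```

Running `check_without_openssl(MIXED)` returns the ed25519 path as usable and the rsa path as needing OpenSSL, while `active_host_keys(BEFORE)` is empty because every directive is still commented out.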
