Building OpenSSH 7.7p1 with OpenSSL 1.1.0h

Ingo Schwarze schwarze at usta.de
Wed Apr 18 01:24:53 AEST 2018


Hi Rob,

Rob Marshall wrote on Tue, Apr 17, 2018 at 10:53:12AM -0400:

> I tried to build and install OpenSSL 1.1.0 on my system but the build
> fails due to some assembler instruction. The first OpenSSL 1.1.0
> version that seems to build OK is 1.1.0d but the "make test" fails. So
> I tried 1.1.0h which builds and the "make test" passes. However when I
> try to build OpenSSH 7.7.p1 I get:
> 
> checking OpenSSL library version... configure: error: OpenSSL >= 1.1.0
> is not yet supported (have "1010008f (OpenSSL 1.1.0h  27 Mar 2018)")

This has been discussed over and over again.
Please read the list archives.

In a nutshell, the problem is that between 1.0 and 1.1, the OpenSSL
development team very badly broke huge parts of their API in a way
that is completely incompatible both ways and that requires huge
changes to all application programs, but they consistently refuse
to provide any help with the migration, so OpenSSH still cannot
support the new OpenSSL-1.1 API.

I recently (less than a month ago) sent a bugfix patch to one of
the chief OpenSSL developers.  The patch was gladly accepted and
we discussed licensing at length (i ended up releasing the patch
into the public domain because they considered the ISC license not
free enough for them), and i also asked again about 1.0 to 1.1
migration support in that context.  That question was totally
ignored, so still no help is coming from OpenSSL.

Help may be coming from LibreSSL in the future because LibreSSL has
started integrating 1.1 APIs in a backward compatible way, avoiding
the egregious API break mistakes made by OpenSSL.  But that work
is still far from finished, and i'm not aware that the (substantial)
work required for using the fruits in OpenSSH has even been started
yet.

> If I modify configure to allow for 1.1.0h will that be a problem?

That will be a problem indeed.  It simply won't compile at all.
Trying to compile OpenSSH against GNUTLS instead of OpenSSL by
changing nothing but ./configure has about the same chances of
success.

OpenSSL-1.0 and OpenSSL-1.1 are two very different APIs.

LibreSSL is compatible with OpenSSL-1.0.  LibreSSL is now
compatible with quite some parts of OpenSSL-1.1.  But
OpenSSL-1.0 and OpenSSL-1.1 are totally incompatible with
each other.

This is purely an OpenSSL problem, nothing is wrong with OpenSSH.

Yours,
  Ingo
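
To read the version value in the configure error quoted above, here is an added example (not part of the original message and not OpenSSH's configure code) that decodes the hex string `1010008f` using OpenSSL's 0xMNNFFPPS layout for OPENSSL_VERSION_NUMBER. The function names and the 1.0.2h sample value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Fields of OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPS in 1.0.x/1.1.x. */
struct ossl_ver {
    unsigned major, minor, fix;
    char patch;       /* 'a' for 1, 'b' for 2, ...; '\0' if no patch letter */
    unsigned status;  /* 0 = dev, 1..0xe = beta, 0xf = release */
};

/* Parse the hex string as printed by configure, e.g. "1010008f".
 * Returns 0 on success, -1 on malformed input. */
int ossl_ver_parse(const char *hex, struct ossl_ver *v)
{
    char *end;
    unsigned long n = strtoul(hex, &end, 16);
    unsigned p;

    if (end == hex || *end != '\0' || n > 0xffffffffUL)
        return -1;
    v->major  = (n >> 28) & 0xf;
    v->minor  = (n >> 20) & 0xff;
    v->fix    = (n >> 12) & 0xff;
    p         = (n >> 4) & 0xff;
    v->patch  = (p >= 1 && p <= 26) ? (char)('a' + p - 1) : '\0';
    v->status = n & 0xf;
    return 0;
}

/* Hypothetical helper: 1 if the value is in the 1.0 API family, 0 otherwise.
 * Note: LibreSSL reports a fixed 0x20000000, so it must be recognised
 * separately and not by numeric comparison. */
int ossl_ver_is_1_0_api(const struct ossl_ver *v)
{
    return v->major == 1 && v->minor == 0;
}

int main(void)
{
    /* First value is from the quoted error; second is a constructed 1.0.2h. */
    const char *samples[] = { "1010008f", "1000208f" };
    for (int i = 0; i < 2; i++) {
        struct ossl_ver v;
        if (ossl_ver_parse(samples[i], &v) != 0)
            continue;
        printf("%s -> %u.%u.%u%c status=%x 1.0-API=%d\n", samples[i], v.major,
               v.minor, v.fix, v.patch ? v.patch : ' ', v.status,
               ossl_ver_is_1_0_api(&v));
    }
    return 0;
}
```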

