Status of OpenSSL 1.1 support

Damien Miller djm at mindrot.org
Sat Oct 14 11:40:30 AEDT 2017


On Fri, 13 Oct 2017, Sebastian Andrzej Siewior wrote:

> Hi,
> 
> more or less a year ago Kurt Roeckx provided an initial port towards the
> OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
> been complained about a missing compat layer of the new vs the old API
> within the OpenSSL library [2].
> This is how I reconstructed the situation as of today and I am not
> aware of any progress in regard to the newer library within the OpenSSH
> project. Did I miss any significant development?
> 
> In the `meantime', OpenSSL provides a kind of compat layer [3] which
> (they suggested) should be included in the downstream projects [4].

The compatibility layer is unversioned, incomplete, barely documented
and seems to be unmaintained. Because it isn't a library, they require
it to be added to downstream projects directly. This isn't even close
to a solution.

In the absence of any progress, I'm considering adding some build sugar
to simplify the process of building (and possibly fetching) LibreSSL as
part of the OpenSSH build process. AFAIK Apple's OpenSSH distribution is
already linked against LibreSSL (and of course, OpenBSD does too), so
IMO it's had enough road-testing for general use.

-d


