Status of OpenSSL 1.1 support

Sebastian Andrzej Siewior openssh at ml.breakpoint.cc
Mon Oct 16 06:16:13 AEDT 2017


On 2017-10-14 01:24:11 [+0200], Ingo Schwarze wrote:
> Hi Sebastian,
Hi Ingo,

> No, i'm not aware that OpenSSL provided any further help for
> downstream projects who are forced to provide continued support
> for the 1.0 API.

There are just the Wiki things I pointed out.

> Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
> would be a huge effort, and it's unclear if and when it might happen -
> would not solve the main problem because OpenSSH must remain able
> to build on operating systems that provide OpenSSL-1.0 only.

Yes. The compat layer should be fine. The version check should be
	#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)

to deal with libressl but other than that it should work - it worked for
other projects.

> That question is slowly turning into a frequently answered one:
> 
>   https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036115.html
> 
> Nobody commented on that cautious assessment, so i think it is safe to
> reword the answer more explicitly, even though that may seem slightly
> more aggressive:
> 
> The so-called "compatibility layer" on that wiki page [4] you quote
> appears to be incomplete, untested, unmaintained, hence untrustworthy
> and unusable in a security context like OpenSSH.

It might be incomplete. I can't comment on maintained. All it really
does is to provide access to the opaque structs, so I don't understand
the "untrustworthy" & "unusable in a security context" because the
libressl version would look exactly the same.

> Consequently, no support for OpenSSL-1.1 is in sight.

And this will remain as-is until 2020? This is when OpenSSL 1.0.2 is
no longer maintained. So by then it has to either work with 1.1 or people
must use libressl instead.

> If you want to run on an operating system that burnt all bridges
> and only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the
> only responsible thing you can do is to build OpenSSH against
> LibreSSL rather than against OpenSSL on that platform.  It should
> work quite well because LibreSSL supports a wide range of modern
> platforms by now:

Responsible you name it. Okay. I would like to find a solution without
the need to package libressl.  One way would be to keep 1.0.2 around
until 2020 but…

> Yours,
>   Ingo

Sebastian
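The version check Sebastian quotes, and the "compat layer" the thread argues about, as an added example (not code from this thread, from OpenSSH, or from the wiki page mentioned): the preprocessor expression is modelled as a run-time function so it can be exercised with constructed version numbers, and the shape of one accessor shim is shown under a guard of this example's own. Function names, the sample table and the `OPENSSL_1_1_0_VERSION` constant are this example's assumptions.

```c
/* Added example: models the quoted check
 *   #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 * at run time and shows what an accessor shim for a 1.1-style opaque
 * struct getter looks like. Names are this example's own, not OpenSSH's. */
#include <stdio.h>

/* OPENSSL_VERSION_NUMBER is encoded as MNNFFPPS: major, minor, fix, patch,
 * status. 0x1000207fL is 1.0.2g release, 0x10100000L is 1.1.0.
 * LibreSSL defines it as 0x20000000L while still exposing the 1.0-style
 * API, which is why the numeric comparison alone is not enough and the
 * LIBRESSL_VERSION_NUMBER clause is needed. */
struct openssl_version { unsigned major, minor, fix, patch, status; };

struct openssl_version decode_openssl_version(unsigned long n)
{
    struct openssl_version v;
    v.major  = (unsigned)((n >> 28) & 0xf);
    v.minor  = (unsigned)((n >> 20) & 0xff);
    v.fix    = (unsigned)((n >> 12) & 0xff);
    v.patch  = (unsigned)((n >> 4)  & 0xff);
    v.status = (unsigned)(n & 0xf);
    return v;
}

#define OPENSSL_1_1_0_VERSION 0x10100000L   /* this example's constant */

/* Returns 1 when the 1.0-style API (non-opaque structs) must be assumed and
 * the compat layer compiled in; mirrors the preprocessor expression. */
int needs_compat_layer(unsigned long version_number, int libressl_defined)
{
    return (version_number < OPENSSL_1_1_0_VERSION) || libressl_defined;
}

/* The compat layer itself is little more than static accessors that reach
 * into the still non-opaque 1.0 structs. Shown for the RSA key members and
 * guarded so this file also compiles where no OpenSSL headers are installed.
 * LibreSSL 2.7 and later ship these accessors themselves, so this example's
 * guard bounds LIBRESSL_VERSION_NUMBER from above to avoid a redefinition. */
#if defined(__has_include)
# if __has_include(<openssl/rsa.h>)
#  include <openssl/rsa.h>
#  if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
      (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
static inline void RSA_get0_key(const RSA *r, const BIGNUM **n,
                                const BIGNUM **e, const BIGNUM **d)
{
    if (n != NULL) *n = r->n;
    if (e != NULL) *e = r->e;
    if (d != NULL) *d = r->d;
}
#  endif
# endif
#endif

int main(void)
{
    /* Constructed samples: version number and whether LIBRESSL_VERSION_NUMBER
     * would be defined on that build. */
    struct { const char *label; unsigned long ver; int libressl; } samples[] = {
        { "OpenSSL 1.0.2g", 0x1000207fL, 0 },
        { "OpenSSL 1.1.0g", 0x1010007fL, 0 },
        { "LibreSSL",       0x20000000L, 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct openssl_version v = decode_openssl_version(samples[i].ver);
        printf("%-15s reports %u.%u.%u  compat layer: %s\n", samples[i].label,
               v.major, v.minor, v.fix,
               needs_compat_layer(samples[i].ver, samples[i].libressl) ? "yes" : "no");
    }
    return 0;
}
```

Compiled alone the program prints the decision for each constructed sample; the point of the LibreSSL row is that its version number is numerically above 1.1.0, so without the second clause a build against LibreSSL would wrongly take the native-1.1 path and fail on the non-opaque structs.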

