Status of OpenSSL 1.1 support

Gert Doering gert at greenie.muc.de
Mon Oct 16 18:35:52 AEDT 2017


Hi,

On Sun, Oct 15, 2017 at 10:51:46PM +0100, Colin Watson wrote:
> https://mta.openssl.org/pipermail/openssl-users/2017-April/005540.html
> suggests that the OpenSSL folks want an external contributor to maintain
> such a layer.  I've been trawling back through OpenSSL mailing lists and
> not found much else in the way of discussion about this, although of
> course I could have missed something.  Has there been any discussion
> between the two sets of developers about all this, or is it all sort of
> arm's length?

Speaking for Open*VPN*, we have done that change, and it was fairly
painless.  

All the code has been converted to use OpenSSL 1.1 accessor functions, 
and when compiling against OpenSSL 1.0 or LibreSSL, a set of compat 
accessor functions is used (configure tells what is needed).

Our shim is here:

https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openssl_compat.h

and it's really very straightforward.

The commits in question if you want to see what was changed in the code
are

    commit 8d00afae88b626c9cf14170a943b33a7ed378070
    commit c828ffc648eebda20e2f9087248944fa0f52a582
    commit 09776c5b52df13121504e07894a26d5cd1883317
    commit 47191f49890ee5c53fa78a8ce9bf96b9c8d27a82
    commit f05665df4150c6a345eec5432a02fd799bea0f2c
    commit 6554ac9fed9c5680f22aa4722e6e07ebf3aa3441
    commit 88046ad9e8e333259ae6fb4a295a9931a1a0e47f
    commit 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97


(I was about to offer the shim to OpenSSH, but license collision - ours
is GPLed, which is a bit annoying.  OTOH it is from a single author, so
if there is interest here, maybe we can ask Emmanuel Deloget whether he's
fine with dual-licensing this piece of code)


> Is it actually a requirement that an API compatibility layer be
> maintained by the OpenSSL team, or could a hypothetical group of
> external developers interested in breaking this stalemate fork
> openssl-compat.tar.gz, stick it in a git repository somewhere, and start
> making versioned releases and trying to address the other problems you
> describe?  Of course that's only really a worthwhile exercise if OpenSSH
> would be willing to use it, and it would be good to limit the scope of
> the problem to "things needed by the handful of projects that really
> need this" rather than "the entire OpenSSL 1.0 API".

The catch here is: the shim does not provide "the OpenSSL 1.0 API" - it
provides the OpenSSL *1.1* API to projects being compiled against 1.0.

In other words: the compat library alone won't help, the code needs to be
converted to use the accessor functions, and everything needs to be very
well tested.  So even having the compat library/shim around does not make
this trivial.


Note: I'm in no way trying to tell either folk what to do.  I'm just explaining
what we did over at OpenVPN, and stating that while it was quite a bit of 
work, we're happy that we got it done.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
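The accessor-shim pattern described above (the shim provides the OpenSSL 1.1 accessors to code built against 1.0, and the application code is converted to use only those accessors), as an added example that is not OpenVPN's openssl_compat.h and not OpenSSL code. It needs no libcrypto: BIGNUM, RSA and the three-member struct layout are constructed stand-ins, and only the accessor names and signatures (RSA_get0_key, RSA_set0_key, BN_new, BN_free, BN_set_word, BN_get_word) and the 1.1.0 version threshold 0x10100000L are taken from real OpenSSL. The default models 1.1.0g; compiling with -DOPENSSL_VERSION_NUMBER=0x1000207fL models a 1.0.2 build and activates the shim, and the application functions compile unchanged either way.

```c
/*
 * Model of the OpenSSL 1.1 accessor-shim pattern. Constructed stand-in types;
 * only the accessor names/signatures and the 0x10100000L threshold are real.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1010007fL /* models 1.1.0g; 0x1000207fL models 1.0.2g */
#endif

/* ---- stand-in for what libcrypto's public headers expose ---- */
typedef struct { unsigned long word; } BIGNUM; /* stand-in; the real BIGNUM is opaque */
typedef struct rsa_st RSA;
BIGNUM *BN_new(void);
void BN_free(BIGNUM *a);
int BN_set_word(BIGNUM *a, unsigned long w);
unsigned long BN_get_word(const BIGNUM *a);
RSA *RSA_new(void);
void RSA_free(RSA *r);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* 1.0.x: struct rsa_st is public, so legacy code could write r->n directly. */
struct rsa_st { BIGNUM *n, *e, *d; };
#else
/* 1.1.x: struct rsa_st is opaque to callers; only accessors are exported. */
void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
#endif

/* ---- stand-in for libcrypto's private side (a separate .c file in reality) ---- */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
struct rsa_st { BIGNUM *n, *e, *d; }; /* 1.1: definition private to the library */
void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
    if (n) *n = r->n;
    if (e) *e = r->e;
    if (d) *d = r->d;
}
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
    /* 1.1 contract: n and e must be non-NULL on first use; ownership moves to r. */
    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) return 0;
    if (n) { BN_free(r->n); r->n = n; }
    if (e) { BN_free(r->e); r->e = e; }
    if (d) { BN_free(r->d); r->d = d; }
    return 1;
}
#endif
BIGNUM *BN_new(void) { return calloc(1, sizeof(BIGNUM)); }
void BN_free(BIGNUM *a) { free(a); }
int BN_set_word(BIGNUM *a, unsigned long w) { a->word = w; return 1; }
unsigned long BN_get_word(const BIGNUM *a) { return a->word; }
RSA *RSA_new(void) { return calloc(1, sizeof(RSA)); }
void RSA_free(RSA *r)
{
    if (r == NULL) return;
    BN_free(r->n); BN_free(r->e); BN_free(r->d);
    free(r);
}

/* ---- the openssl_compat.h pattern: supply 1.1 accessors when built against 1.0 ---- */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static inline void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
    if (n) *n = r->n; /* legal here: the 1.0 headers expose the struct */
    if (e) *e = r->e;
    if (d) *d = r->d;
}
static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
    /* Reproduce the 1.1 contract so application code sees one behaviour. */
    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) return 0;
    if (n) { BN_free(r->n); r->n = n; }
    if (e) { BN_free(r->e); r->e = e; }
    if (d) { BN_free(r->d); r->d = d; }
    return 1;
}
#endif

/* ---- converted application code: 1.1 accessors only, no r->n anywhere ---- */
int app_install_public_key(RSA *r, unsigned long n, unsigned long e)
{
    BIGNUM *bn = BN_new(), *be = BN_new();
    if (bn == NULL || be == NULL || !BN_set_word(bn, n) || !BN_set_word(be, e)
        || !RSA_set0_key(r, bn, be, NULL)) {
        BN_free(bn); BN_free(be); /* set0 failed, so ownership did not move */
        return 0;
    }
    return 1;
}
unsigned long app_public_exponent(const RSA *r)
{
    const BIGNUM *e = NULL;
    RSA_get0_key(r, NULL, &e, NULL);
    return e ? BN_get_word(e) : 0;
}
/* Edge case from the 1.1 contract: a key with neither n nor e is rejected. */
int demo_reject_empty_key(void)
{
    RSA *r = RSA_new();
    int rejected = (RSA_set0_key(r, NULL, NULL, NULL) == 0);
    RSA_free(r);
    return rejected;
}
int main(void)
{
    RSA *r = RSA_new();
    printf("modelling OpenSSL 0x%08lx, compat shim %s\n", OPENSSL_VERSION_NUMBER,
           OPENSSL_VERSION_NUMBER < 0x10100000L ? "active" : "not needed");
    if (!app_install_public_key(r, 3233UL, 17UL)) return 1; /* constructed toy values */
    printf("e = %lu, empty key rejected = %d\n", app_public_exponent(r), demo_reject_empty_key());
    RSA_free(r);
    return 0;
}
```

Build it twice, once with the default and once with -DOPENSSL_VERSION_NUMBER=0x1000207fL: the application functions are identical in both builds, and only the preprocessor decides whether the accessors come from the library or from the shim. This is also why the shim by itself does not solve the problem: code that still touches struct members has to be rewritten to go through the accessors first, and that rewrite is where the testing effort goes.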


More information about the openssh-unix-dev mailing list