Status of OpenSSL 1.1 support
Michael Felt
michael at felt.demon.nl
Tue Oct 17 05:04:55 AEDT 2017
On 13/10/2017 23:58, Sebastian Andrzej Siewior wrote:
> Hi,
>
> more or less a year ago Kurt Roeckx provided an initial port towards the
> OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
> been complained about a missing compat layer of the new vs the old API
> within the OpenSSL library [2].
> This is how I reconstructed the situation as of today and I am not
> aware of any progress in regard to the newer library within the OpenSSH
> project. Did I miss any significant development?
>
> In the `meantime', OpenSSL provides a kind of compat layer [3] which
> (they suggested) should be included in the downstream projects [4].
>
> Is this enough / acceptable? What would the project like to see? I know
> that OpenBSD itself is more focused on the LibreSSL library but I would
> like to avoid that every one carries (and maintains) a big patch around.
>
> [0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
> [1] I know that Fedora ships it.
> [2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
> [3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
> [4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer
For what it is worth - FYI only - I expect on AIX the "1.0.0" ABI will
stay around for a while - e.g., the fileset called openssl-1.0.2 still
contains openssl-0.9.8 to support 'historical' applications.
root at x064:[/data/prj/aixtools/curl-7.56.0/lib]ar tv /usr/lib/libssl.a
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so.1.0.0
rwxr-xr-x 537912/767508 510610 Oct 18 11:39 2016 libssl.so.0.9.8
The "default" - when it comes to new applications is the first archive
in the archive - notice the 'named' version is still libfoo.so.1.0.0,
I suppose - if I was running into compatibility conflicts with openssl -
I would look at the experimental configure flag (-nossl iirc).
IBM is on their own track - still supplying OpenSSH based on either
OpenSSH-6.0p1 or OpenSSH-7.1p1.
From the bits I have read - you will be safe to do whatever you want on
OpenBSD - and the UNIX/Linux distros will follow way behind (Centos-1116
is around:
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 - via the DVD). And, yes
- I need to update it. Will get there eventually - part of the project I
am working on atm.
My guess is that only OpenBSD and admins that do their own packaging
will be current. Those who depend on the official updates will be behind.
M
>
> Sebastian