Status of OpenSSL 1.1 support

Michael Felt michael at felt.demon.nl
Tue Oct 17 05:04:55 AEDT 2017


On 13/10/2017 23:58, Sebastian Andrzej Siewior wrote:
> Hi,
>
> more or less a year ago Kurt Roeckx provided an initial port towards the
> OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
> been complained about a missing compat layer of the new vs the old API
> within the OpenSSL library [2].
> This is how I reconstructed the situation as of today and I am not
> aware of any progress in regard to the newer library within the OpenSSH
> project. Did I miss any significant development?
>
> In the `meantime', OpenSSL provides a kind of compat layer [3] which
> (they suggested) should be included in the downstream projects [4].
>
> Is this enough / acceptable? What would the project like to see? I know
> that OpenBSD itself is more focused on the LibreSSL library but I would
> like to avoid that every one carries (and maintains) a big patch around.
>
> [0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
> [1] I know that Fedora ships it.
> [2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
> [3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
> [4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer
For what it is worth - FYI only - I expect on AIX the "1.0.0" ABI will
stay around for a while - e.g., the fileset called openssl-1.0.2 still
contains openssl-0.9.8 to support 'historical' applications.
root at x064:[/data/prj/aixtools/curl-7.56.0/lib]ar tv /usr/lib/libssl.a
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so.1.0.0
rwxr-xr-x 537912/767508 510610 Oct 18 11:39 2016 libssl.so.0.9.8

The "default" - when it comes to new applications - is the first archive
in the archive - notice the 'named' version is still libfoo.so.1.0.0.

I suppose - if I was running into compatibility conflicts with openssl - 
I would look at the experimental configure flag (-nossl iirc).

IBM is on their own track - still supplying OpenSSH based on either 
OpenSSH-6.0p1 or OpenSSH-7.1p1.

From the bits I have read - you will be safe to do whatever you want on
openbsd - and the UNIX/Linux distros will follow way behind (Centos-1116
is around:
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 - via the DVD. And, yes 
- I need to update it. Will get there eventually - part of the project I 
am working on atm.

My guess is that only OpenBSD and admins that do their own packaging
will be current. Those who depend on the official updates will be behind.

M

>
> Sebastian