Status of OpenSSL 1.1 support

Ingo Schwarze schwarze at usta.de
Tue Oct 17 05:49:52 AEDT 2017


Salut Emmanuel,

this is merely a minor side-note, but anyway...

Emmanuel Deloget wrote on Mon, Oct 16, 2017 at 06:56:44PM +0200:

> Let's restate these in numbered bullet points:
> 
> (a) somebody sufficiently qualified maintains a compat library
> (b) LibreSSL gains 1.1-compatible interfaces
> (c) OpenSSH switches over

So far, that's an accurate representation of what i tried to
describe as a possible complete solution.

> I'm not sure point (b) is necessary.

I am quite convinced that it is.

The high quality of the OpenSSH codebase is in part due to the
fact that it is an integral part of the OpenBSD base system and
that the compatibility additions in the portable version are kept
minimal.

> The goal of the shim is to
> emulate the OpenSSL 1.1 interface by encapsulating OpenSSL 1.0 /
> LibreSSL code, so no change is needed in the upstream library (that
> would make the change really impossible IMHO). So the problem goes
> down to 2 point: (a) and (c).

No, that is not sufficient, because that would require including the
compat library into the OpenBSD base system.  I cannot imagine how
that could possibly ever happen, no matter how excellent the quality
of the hypothetical compat library would be.

For the possible full solution that i tried to describe, all three
steps are required, and both (a) and (b) must come before (c).


Of course, it might happen that the LibreSSL and OpenSSH developers
eventually come up with completely different solutions that i'm not
yet aware of, but the above is my understanding of the situation at
this point.

Yours,
  Ingo


More information about the openssh-unix-dev mailing list