Status of OpenSSL 1.1 support - Thoughts
jpbion at jfwest.com
Wed Oct 18 23:53:21 AEDT 2017
As far as I can see, here is a summary of the situation, and there's a point to this, but I only make it in step (4), needing the first three steps to set up a background to keep my own thoughts clear:

1) Fedora (via Jakub) shows it's possible to patch OpenSSH.

2) OpenVPN (via gert) shows it's possible to build a 'shim' of sorts that allows code to work with LibreSSL and OpenSSL 1.1.0.

3) Using that phrase 'as far as I can see' again, it appears that OpenSSH doesn't really care that (1) and (2) are shown as possible. The changes required to implement these solutions, in the best view, can be seen as violating the 'simple/secure' precepts of OpenBSD - so they simply are not desired, independent of feasibility.

4) As a first result, with no judgement on anyone, just looking at the data - the root cause of this issue seems to be the split of LibreSSL from OpenSSL a while back, and we are just dealing with the in-hindsight-obvious consequences of that split. With something as fundamental as the SSL/TLS stack forking between OpenBSD (LibreSSL dominant) and Linux (OpenSSL dominant), it is inevitable that applications written on one or the other will find it harder and harder over time to be compatible and usable in both OpenSSL and LibreSSL worlds. You think it's hard to build a compatibility layer NOW? What happens when OpenSSL 1.2 comes around, then LibreSSL version-next, etc., 2-3 years down the road, getting further and further apart, with not just accessor functions changing, but with semantics and 'overall interface design and philosophy' changing over time? In other words, I don't believe ANY package can, over a period of time, realistically support both OpenSSL and LibreSSL, given the fact that neither seems to have a desire to maintain compatibility with the other (again, as far as I can see). OpenSSH's decision to not really want to support the changes OpenSSL made is just the canary in the coal mine here - others will get to that point, too. They just got there first.

5) As a final result, it seems to me that the OpenBSD and Linux worlds need to decide if they LIKE and TOLERATE the consequences of the long-term split between LibreSSL and OpenSSL - in particular, it being harder and harder to share packages between the OpenBSD and Linux worlds, if those packages need to interface with diverging SSL/TLS stacks. If they don't, they need to do something about it. This has to be dealt with by the LibreSSL and OpenSSL teams - looking at OpenSSH is looking at the wrong place. If those two SSL/TLS teams don't talk, it will just get harder for everyone. In the meantime, because I live in the Linux world and not the OpenBSD world, for good or ill, I have to face the fact that, as of today, my reliance on the OpenSSH package, which I love and trust, has an expiration date, and I need to investigate alternatives, all of which are less appealing to me by a significant margin.

Oh well.