Status of OpenSSL 1.1 support - Thoughts

jpbion at jfwest.com
Wed Oct 18 23:53:21 AEDT 2017


As far as I can see, here is a summary of the situation, and there's a 
point to this, but I only make it in step (4), needing the first three 
steps to set up a background to keep my own thoughts clear:

1) Fedora (via Jakub) shows it's possible to patch OpenSSH.

2) OpenVPN (via gert) shows it's possible to build a 'shim' of sorts 
that allows code to work with LibreSSL and OpenSSL 1.1.0.

3) Using that phrase 'as far as I can see' again, it appears that 
OpenSSH doesn't really care that (1) and (2) are shown as possible. The 
changes required to implement these solutions, in the best view, can be 
seen as violating the 'simple/secure' precepts of OpenBSD - so they 
simply are not desired, independent of feasibility.

4) As a first result, with no judgement on anyone, just looking at the 
data - the root cause of this issue seems to be the split of LibreSSL 
from OpenSSL a while back and we are just dealing with the 
in-hindsight-obvious consequences of that split. With something as 
fundamental as the SSL/TLS stack forking between OpenBSD (LibreSSL 
dominant) and Linux (OpenSSL dominant), it is inevitable that 
applications written on one or the other will find it harder and harder 
over time to be compatible and usable in both OpenSSL and LibreSSL 
worlds. You think it's hard to build a compatibility layer NOW? What 
happens when OpenSSL 1.2 comes around, then LibreSSL version-next, 
etc. 2-3 years down the road, getting further and further apart, with 
not just accessor functions changing, but with semantics and 'overall 
interface design and philosophy' changing over time. In other words, I 
don't believe ANY package can, over a period of time, realistically 
support both OpenSSL and LibreSSL, given the fact neither seems to have 
a desire to maintain compatibility with the other (again, as far as I 
can see). OpenSSH's decision to not really want to support the changes 
OpenSSL made is just the canary in the coal mine here - others will get 
to that point, too. They just got there first.

5) As a final result, it seems to me that the OpenBSD and Linux worlds 
need to decide if they LIKE and TOLERATE the consequences of the 
long-term split between LibreSSL and OpenSSL - in particular, it being 
harder and harder to share packages between the OpenBSD and Linux 
worlds, if those packages need to interface with diverging SSL/TLS 
stacks. If they don't, they need to do something about it. This has to 
be dealt with by the LibreSSL and OpenSSL teams - looking at OpenSSH is 
looking at the wrong place. If those two SSL/TLS teams don't talk, it 
will just get harder for everyone. In the meantime, because I live in 
the Linux world and not the OpenBSD world, for good or ill, I have to 
face the fact that, as of today, my reliance on the OpenSSH package, 
which I love and trust, has an expiration date, and I need to 
investigate alternatives, all of which are less appealing to me by a 
significant margin.

Oh well.