On Mon, Nov 14, 2016 at 04:36:28PM +0100, Jakub Jelen wrote:
> On 11/02/2016 11:33 PM, Damien Miller wrote:
> > On Wed, 2 Nov 2016, Stuart Henderson wrote:
> >
> >> On 2016-11-02, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> >>> The current set of patches are rebased on current upstream is attached
> >>> with few more tweaks needed to build, pass testsuite and make it work.
> >>> The upstream review and insight would be helpful.
> >> Since these are going to break things with LibreSSL, I doubt they'll be
> >> acceptable as-is.
> > This is the nub of the problem: upstream (OpenBSD) OpenSSH targets
> > LibreSSL natively (it's also used by Apple for their OS X builds). If we
> > pick up the 1.1.0 patch, we'd probably have to do it in portable because
> > there's little point in patching OpenBSD for API that doesn't exist
> > there. I don't want to have to carry such a major divergence in just the
> > portable tree.
>
> Thank you for the comments. I understand the upstream directions and
> that the OpenSSL step is not ideal. The distros will probably have to
> carry these patches until the changes will settle down a bit.
>
> Other possible solution we were discussing here was implementation of
> non-OpenSSL specific abstract layer for crypto operations, which would
> allow implementation of crypto-library specific bits in separate file
> (unlike current situation with calls all over the place) and would
> possibly allow different crypto library providers, similar way how the
> audit is handled at this moment. It would also abstract the code from
> the changes in one or the other crypto library interface. Would
> something like this be acceptable for OpenSSH upstream?
>

All SSL developers have to take into account 1) LibreSSL, 2) OpenSSL 1.0.X
and below, and 3) OpenSSL 1.1+.

So stop living in the past and march towards the future.

> Kind regards,
>
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
For effective Internet Etiquette and communications read
http://catb.org/jargon/html/T/top-post.html, http://idallen.com/topposting.html
& http://www.caliburn.nl/topposting.html