I know it has been stated that OpenSSL 1.1.0 is a non-starter for
OpenSSH until a better compatibility system is provided by OpenSSL,
allowing a single code-base to support interacting with both OpenSSL
1.0.x and 1.1.x.
I also know various people have provided patches to OpenSSH offering
such support, but it also seems as if OpenSSH is waiting for something
official. These patches offered to OpenSSH may have forced users of
OpenSSH to move to OpenSSL 1.1.x - I haven't checked that out, and I
know that would be a non-starter. But perhaps they did offer a
compatibility layer.
Finally, I also realize OpenSSH has to work with multiple different SSL
providers, not just OpenSSL, and that OpenSSL has forced a whole slew of
changes on its 'customers'.
I worry about a deadlock, though. Does the OpenSSL team even know that
the OpenSSH project will not move toward 1.1.0 support until it provides
a simpler and official multi-version compatibility system? If there is
no communication with them, it is unlikely they'll think of working on
the compatibility system themselves (else it would have already been
provided, because it's a rather obvious and important need.) Or is the
OpenSSH team simply saying "until there is one, we won't support OpenSSL
1.1.0" - hoping it just happens - but not making effort to see that it
does?
OpenSSH is one of the more important SSL 'customers' The view of "nope;
I won't code a custom compatibility system" may absolutely be the right
thing to say and do. But do we even have OpenSSL's ear, to make sure
what was said here was heard?
Thanks!
Joel
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev