Having done this with libssh, this is far from trivial, even for the rather simple primitives required by SSH. Abstracting some concepts across very different libraries that deal with them in different ways (e.g. libcrypto vs libgcrypt) can introduce some nasty bugs.

OpenSSH has always had KISS in mind so I wouldn't blame them for avoiding supporting additional libraries or dropping OpenSSL 1.1 and sticking to LibreSSL altogether.

On the subject of OpenSSL, Jakub Jelen provided us with an OpenSSL1.1-to-1.0 shim that works, but is not free of bugs. I would definitively have appreciated that OpenSSL wrote that shim by themselves (they say it's trivial, of course it is not). The big problem currently is that any application that does nontrivial low-level cryptography cannot use a single API that will work with both of them, they're 100% incompatible.

Aris

On 24/06/17 14:06, George M. Garner Jr. wrote:
> I think that this is the better approach. The question I have is why
> the SSH logic should be dependent on the implementation details of ANY
> particular cryptographic library (be it openssl, libressl or
> whatever)? Proper software design would develop an abstraction layer
> with some measure of forward compatibility built in.
>
> On 6/23/2017 3:16 PM, Douglas E Engert wrote:
>> OpenSC has taken a different approach to OpenSSL-1.1. Rather than writing
>> a shim for OpenSSL-1.1, the OpenSC code has been converted to
>> the OpenSSL-1.1 API and a "sc-ossl-compat.h" file consisting of defines and
>> macros was written to support older versions of OpenSSL and Libressl.
>>
>> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
>>
>> The nice part of this approach is when using OpenSSL-1.1 sc-ossl-compat.h
>> does not do anything. Its sole purpose is to provide calls to the older APIs
>> that are not going to change and eventually the sc-ossl-compat.h could be
>> removed.
>>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
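
The compatibility-header approach described in the quoted message, as an added example that is not part of the thread and is not OpenSC's code: the application is written once against the newer accessor-style API, and a version-gated block supplies those accessors only when building against the older library. Every `TOY_*` name and version number is a constructed stand-in, not OpenSSL's API.

```c
/* Constructed stand-in library; every TOY_* name and version is hypothetical. */
#ifndef TOY_VERSION
#define TOY_VERSION 0x10002000L   /* default: build against the "old" release */
#endif

typedef struct toy_rsa { unsigned long n, e; } TOY_RSA;

#if TOY_VERSION >= 0x10100000L
/* New release: the library ships the accessors; callers treat TOY_RSA as opaque. */
static void TOY_RSA_get0_key(const TOY_RSA *r, const unsigned long **n,
                             const unsigned long **e)
{ if (n) *n = &r->n; if (e) *e = &r->e; }
static int TOY_RSA_set0_key(TOY_RSA *r, unsigned long n, unsigned long e)
{ if (!n || !e) return 0; r->n = n; r->e = e; return 1; }
#endif

/* ---- compat header: contributes nothing when the new release is in use ---- */
#if TOY_VERSION < 0x10100000L
#define TOY_COMPAT_ACTIVE 1
/* Old release has public fields only, so provide the new-style calls here.
 * The wrappers must reproduce the new API's semantics (NULL-tolerant getters,
 * rejection of zero values), otherwise the two builds silently diverge. */
static void TOY_RSA_get0_key(const TOY_RSA *r, const unsigned long **n,
                             const unsigned long **e)
{ if (n) *n = &r->n; if (e) *e = &r->e; }
static int TOY_RSA_set0_key(TOY_RSA *r, unsigned long n, unsigned long e)
{ if (!n || !e) return 0; r->n = n; r->e = e; return 1; }
#else
#define TOY_COMPAT_ACTIVE 0
#endif

/* ---- application code: written once, against the new API only ---- */
int key_is_plausible(const TOY_RSA *r)
{
    const unsigned long *n, *e;
    TOY_RSA_get0_key(r, &n, &e);          /* never touches r->n directly */
    return *n > *e && (*e & 1UL);         /* modulus larger than odd exponent */
}

int load_key(TOY_RSA *r, unsigned long n, unsigned long e)
{
    return TOY_RSA_set0_key(r, n, e) && key_is_plausible(r);
}
```

Building with `-DTOY_VERSION=0x10100000L` compiles the same application code with the compat block reduced to a single flag definition.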