Hi Sebastian,

Sebastian Andrzej Siewior wrote on Fri, Oct 13, 2017 at 11:58:12PM +0200:

> more or less a year ago Kurt Roeckx provided an initial port towards the
> OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
> been complained about a missing compat layer of the new vs the old API
> within the OpenSSL library [2].
> This is how I reconstructed the situation as of today and I am not
> aware of any progress in regard to the newer library within the OpenSSH
> project. Did I miss any significant development?

No, I'm not aware that OpenSSL provided any further help for downstream
projects who are forced to provide continued support for the 1.0 API.

Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
would be a huge effort, and it's unclear if and when it might happen -
would not solve the main problem because OpenSSH must remain able to
build on operating systems that provide OpenSSL-1.0 only.

> In the `meantime', OpenSSL provides a kind of compat layer [3] which
> (they suggested) should be included in the downstream projects [4].
>
> Is this enough / acceptable? What would the project like to see? I know
> that OpenBSD itself is more focused on the LibreSSL library but I would
> like to avoid that everyone carries (and maintains) a big patch around.
>
> [0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
> [1] I know that Fedora ships it.
> [2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
> [3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
> [4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer

That question is slowly turning into a frequently answered one:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036115.html

Nobody commented on that cautious assessment, so I think it is safe to
reword the answer more explicitly, even though that may seem slightly
more aggressive:

The so-called "compatibility layer" on that wiki page [4] you quote
appears to be incomplete, untested, unmaintained, hence untrustworthy
and unusable in a security context like OpenSSH.

Consequently, no support for OpenSSL-1.1 is in sight.

If you want to run on an operating system that burnt all bridges and
only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the only
responsible thing you can do is to build OpenSSH against LibreSSL rather
than against OpenSSL on that platform. It should work quite well because
LibreSSL supports a wide range of modern platforms by now:

https://www.libressl.org/releases.html

Note that on operating systems with a good package manager, it *is*
possible to install LibreSSL and OpenSSL in parallel. For example,
OpenBSD contains LibreSSL by default, yet you can easily install a port
of OpenSSL in parallel if you want to, simply by issuing the command

  # pkg_add openssl

without need for any further manual configuration. The reverse can be
implemented on systems that use OpenSSL by default.

Yours,
  Ingo