On 2017-10-14 01:24:11 [+0200], Ingo Schwarze wrote:
> Hi Sebastian,

Hi Ingo,

> No, i'm not aware that OpenSSL provided any further help for
> downstream projects who are forced to provide continued support
> for the 1.0 API. There is just the Wiki things I pointed out.
> Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
> would be a huge effort, and it's unclear if and when it might happen -
> would not solve the main problem because OpenSSH must remain able
> to build on operating systems that provide OpenSSL-1.0 only.

Yes. The compat layer should be fine. The version check should be

  #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)

to deal with libressl but other than that it should work - it worked for
other projects.

> That question is slowly turning into a frequently answered one:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036115.html
>
> Nobody commented on that cautious assessment, so i think it is safe to
> reword the answer more explicitly, even though that may seem slightly
> more aggressive:
>
> The so-called "compatibility layer" on that wiki page [4] you quote
> appears to be incomplete, untested, unmaintained, hence untrustworthy
> and unusable in a security context like OpenSSH.

It might be incomplete. I can't comment on maintained. All it really does
is to provide access for the opaque structs so I don't understand the
"untrustworthy" & "unusable in a security context" because the libressl
version would look exactly the same.

> Consequently, no support for OpenSSL-1.1 is in sight.

And this will remain as-is until in 2020? This is when OpenSSL 1.0.2 is
no longer maintained. So by then it has to either work with 1.1 or people
must use libressl instead.
> If you want to run on an operating system that burnt all bridges
> and only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the
> only responsible thing you can do is to build OpenSSH against
> LibreSSL rather than against OpenSSL on that platform. It should
> work quite well because LibreSSL supports a wide range of modern
> platforms by now:

Responsible you name it. Okay. I would like to find a solution without the
need to package libressl. One way would be to keep 1.0.2 around until 2020
but…

> Yours,
> Ingo

Sebastian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
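As an added illustration (not code from this thread, from OpenSSH or from the wiki page discussed), the version gate quoted in the reply above modelled as plain C functions so it compiles without OpenSSL headers. It assumes the documented 1.x layout of OPENSSL_VERSION_NUMBER (0xMNNFFPPS) and the fact that LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L while also defining LIBRESSL_VERSION_NUMBER, which is why the second clause of the #if is needed.

```c
#include <stdio.h>
#include <stdbool.h>

/* The threshold used in the quoted #if: OpenSSL 1.1.0, the release where
 * structs such as EVP_MD_CTX and RSA became opaque. */
#define OPENSSL_1_1_0 0x10100000L

struct ossl_version { unsigned major, minor, fix, patch, status; };

/* Decode the 0xMNNFFPPS layout: major, minor, fix, patch letter, status. */
struct ossl_version decode_version(unsigned long n) {
    struct ossl_version v;
    v.major  = (n >> 28) & 0xf;
    v.minor  = (n >> 20) & 0xff;
    v.fix    = (n >> 12) & 0xff;
    v.patch  = (n >> 4)  & 0xff;
    v.status = n & 0xf;
    return v;
}

/* Run-time model of
 *   #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 * true means the 1.0-style accessors for the opaque structs must be compiled in. */
bool needs_compat_layer(unsigned long openssl_version_number, bool libressl_defined) {
    return openssl_version_number < OPENSSL_1_1_0 || libressl_defined;
}

/* The same gate without the LibreSSL clause, kept only to show why it fails:
 * LibreSSL's 0x20000000L sorts above 1.1.0 although its API is 1.0-style. */
bool needs_compat_layer_naive(unsigned long openssl_version_number) {
    return openssl_version_number < OPENSSL_1_1_0;
}

int main(void) {
    /* Constructed sample values: OpenSSL 1.0.2l, OpenSSL 1.1.0f, LibreSSL. */
    unsigned long samples[] = { 0x100020cfL, 0x1010006fL, 0x20000000L };
    bool libressl[] = { false, false, true };
    for (int i = 0; i < 3; i++) {
        struct ossl_version v = decode_version(samples[i]);
        printf("0x%08lx -> %u.%u.%u patch %u: compat=%d naive=%d\n", samples[i],
               v.major, v.minor, v.fix, v.patch,
               needs_compat_layer(samples[i], libressl[i]),
               needs_compat_layer_naive(samples[i]));
    }
    return 0;
}
```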