Re: Status of OpenSSL 1.1 support

On 2017-10-14 01:24:11 [+0200], Ingo Schwarze wrote:
> Hi Sebastian,
Hi Ingo,

> No, i'm not aware that OpenSSL provided any further help for
> downstream projects who are forced to provide continued support
> for the 1.0 API.

There are just the Wiki things I pointed out.

> Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
> would be a huge effort, and it's unclear if and when it might happen -
> would not solve the main problem because OpenSSH must remain able
> to build on operating systems that provide OpenSSL-1.0 only.

Yes. The compat layer should be fine. The version check should be
	#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)

to deal with libressl but other than that it should work - it worked for
other projects.

> That question is slowly turning into a frequently answered one:
> 
>   https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036115.html
> 
> Nobody commented on that cautious assessment, so i think it is safe to
> reword the answer more explicitly, even though that may seem slightly
> more aggressive:
> 
> The so-called "compatibility layer" on that wiki page [4] you quote
> appears to be incomplete, untested, unmaintained, hence untrustworthy
> and unusable in a security context like OpenSSH.

It might be incomplete. I can't comment on maintained. All it really
does is to provide access for the opaque structs so I don't understand
the "untrustworthy" & "unusable in a security context" because the
libressl version would look exactly the same.

> Consequently, no support for OpenSSL-1.1 is in sight.

And this will remain as-is until 2020? This is when OpenSSL 1.0.2 is
no longer maintained. So by then it has to either work with 1.1 or people
must use libressl instead.

> If you want to run on an operating system that burnt all bridges
> and only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the
> only responsible thing you can do is to build OpenSSH against
> LibreSSL rather than against OpenSSL on that platform.  It should
> work quite well because LibreSSL supports a wide range of modern
> platforms by now:

Responsible, you name it. Okay. I would like to find a solution without
the need to package libressl.  One way would be to keep 1.0.2 around
until 2020 but…

> Yours,
>   Ingo

Sebastian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
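Added example (editor's note, not code from the thread, from OpenSSH, OpenSSL or the wiki page under discussion): what the "compatibility layer" the thread argues about actually consists of, namely 1.1-style get0/set0 accessors compiled in only when the library still has transparent structs, behind the guard Sebastian gives. The LibreSSL clause matters because LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, which is not below 0x10100000L even though its structs look like 1.0's. So the example can build offline it does not include the OpenSSL headers: BN_STANDIN and RSA_STANDIN are constructed stand-ins for BIGNUM and the 1.0-era struct rsa_st, the version macro is set in the file to simulate a 1.0.2g build, and the RSA key values are textbook toy numbers; in a real shim those come from <openssl/opensslv.h> and <openssl/rsa.h>, and need_compat_accessors() is only a run-time mirror of the preprocessor test so it can be exercised.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed: simulate building against OpenSSL 1.0.2g. A real build gets
 * this from <openssl/opensslv.h> (LibreSSL: 0x20000000L plus
 * LIBRESSL_VERSION_NUMBER). */
#define OPENSSL_VERSION_NUMBER 0x1000207fL

/* The guard from the thread. Without the second clause LibreSSL would be
 * classified as "1.1 or newer" and the shim would be compiled out. */
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
#  define NEED_COMPAT_ACCESSORS 1
#else
#  define NEED_COMPAT_ACCESSORS 0
#endif

/* Run-time mirror of the same decision, only so it can be tested with
 * several version numbers; a real shim needs the preprocessor form alone. */
int need_compat_accessors(unsigned long version_number, int libressl_defined)
{
    return (version_number < 0x10100000L) || libressl_defined;
}

/* Constructed stand-ins for BIGNUM and the transparent 1.0-era struct rsa_st. */
typedef struct { unsigned long v; } BN_STANDIN;
typedef struct { BN_STANDIN *n, *e, *d; } RSA_STANDIN;

static BN_STANDIN *bn_new(unsigned long v)
{
    BN_STANDIN *b = malloc(sizeof *b);
    if (b != NULL)
        b->v = v;
    return b;
}

static void bn_free(BN_STANDIN *b) { free(b); }

#if NEED_COMPAT_ACCESSORS
/* 1.0.x / LibreSSL: fields are visible, so supply the 1.1 accessors with the
 * same contract as OpenSSL 1.1's RSA_set0_key(): the call takes ownership of
 * the values it accepts (caller must not free them), NULL keeps the current
 * value, and n and e must both be present after the call or it fails. */
static int RSA_set0_key(RSA_STANDIN *r, BN_STANDIN *n, BN_STANDIN *e, BN_STANDIN *d)
{
    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
        return 0;
    if (n != NULL) { bn_free(r->n); r->n = n; }
    if (e != NULL) { bn_free(r->e); r->e = e; }
    if (d != NULL) { bn_free(r->d); r->d = d; }
    return 1;
}

/* get0: borrowed pointers the caller must not free; any out-pointer may be NULL. */
static void RSA_get0_key(const RSA_STANDIN *r, const BN_STANDIN **n,
                         const BN_STANDIN **e, const BN_STANDIN **d)
{
    if (n != NULL) *n = r->n;
    if (e != NULL) *e = r->e;
    if (d != NULL) *d = r->d;
}
#endif /* NEED_COMPAT_ACCESSORS */

/* Exercise the shim's ownership rules; returns 1 when all of them hold. */
int compat_selftest(void)
{
    RSA_STANDIN r = { NULL, NULL, NULL };
    const BN_STANDIN *n, *e, *d;
    BN_STANDIN *e_only;
    int ok = 1;

    /* Rule 1: the first set must supply both n and e. On failure nothing is
     * taken over, so the caller still owns (and frees) what it passed in. */
    e_only = bn_new(17);
    if (RSA_set0_key(&r, NULL, e_only, NULL) != 0 || r.e != NULL)
        ok = 0;
    bn_free(e_only);

    /* Rule 2: a successful set0 transfers ownership; d may be left out.
     * Constructed toy key: n = 61 * 53 = 3233, e = 17. */
    if (RSA_set0_key(&r, bn_new(3233), bn_new(17), NULL) != 1)
        ok = 0;
    RSA_get0_key(&r, &n, &e, &d);
    if (n == NULL || e == NULL || d != NULL || n->v != 3233 || e->v != 17)
        ok = 0;

    /* Rule 3: NULL means "keep"; a replaced value is freed by the shim. */
    if (RSA_set0_key(&r, NULL, NULL, bn_new(2753)) != 1)
        ok = 0;
    RSA_get0_key(&r, &n, NULL, &d);
    if (n == NULL || n->v != 3233 || d == NULL || d->v != 2753)
        ok = 0;

    bn_free(r.n);
    bn_free(r.e);
    bn_free(r.d);
    return ok;
}

int main(void)
{
    int ok = compat_selftest();
    printf("compat accessors needed: %d\n", NEED_COMPAT_ACCESSORS);
    printf("shim selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point for a reviewer of such a layer is that it adds no cryptography at all: every function is a field read or an ownership transfer, which is why the argument in the thread turns on whether the set of accessors is complete and whether anyone keeps it in step with the library, not on the code's security properties.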