On Sat, Oct 14, 2017 at 11:40:30AM +1100, Damien Miller wrote:
> On Fri, 13 Oct 2017, Sebastian Andrzej Siewior wrote:
> > more or less a year ago Kurt Roeckx provided an initial port towards the
> > OpenSSL 1.1 API [0]. The patch has been left untouched [1] and there have
> > been complaints about a missing compat layer of the new vs the old API
> > within the OpenSSL library [2].
> > This is how I reconstructed the situation as of today and I am not
> > aware of any progress in regard to the newer library within the OpenSSH
> > project. Did I miss any significant development?
> >
> > In the `meantime', OpenSSL provides a kind of compat layer [3] which
> > (they suggested) should be included in the downstream projects [4].
>
> The compatibility layer is unversioned, incomplete, barely documented
> and seems to be unmaintained. Because it isn't a library, they require
> it to be added to downstream projects directly. This isn't even close
> to a solution.

Fair enough; but at the risk of telling you something you already know,
the situation where distributions that want to get off old versions of
OpenSSL have to choose between packaging LibreSSL (and thus, in practice,
ending up maintaining multiple SSL library versions, which is exactly
what our security teams tend to want to keep to a minimum) or passing
around samizdat versions of an enormous patch is not exactly ideal
either. It's kind of an unedifying stalemate.

https://mta.openssl.org/pipermail/openssl-users/2017-April/005540.html
suggests that the OpenSSL folks want an external contributor to maintain
such a layer. I've been trawling back through OpenSSL mailing lists and
not found much else in the way of discussion about this, although of
course I could have missed something. Has there been any discussion
between the two sets of developers about all this, or is it all sort of
arm's length?
Is it actually a requirement that an API compatibility layer be
maintained by the OpenSSL team, or could a hypothetical group of external
developers interested in breaking this stalemate fork
openssl-compat.tar.gz, stick it in a git repository somewhere, and start
making versioned releases and trying to address the other problems you
describe? Of course that's only really a worthwhile exercise if OpenSSH
would be willing to use it, and it would be good to limit the scope of
the problem to "things needed by the handful of projects that really need
this" rather than "the entire OpenSSL 1.0 API".

(I am not at all sure I want to be one of such a hypothetical group of
developers, and I definitely don't want to be in it on my own, but it
might be better than the alternatives. At the moment it seems clear that
neither the OpenSSL nor OpenSSH developers want the task.)

> In the absence of any progress, I'm considering adding some build sugar
> to simplify the process of building (and possibly fetching) LibreSSL as
> part of the OpenSSH build process. AFAIK Apple's OpenSSH distribution is
> already linked against LibreSSL (and of course, OpenBSD does too), so
> IMO it's had enough road-testing for general use.

This would be a pretty bad option for me as a distributor - it'd mean I'd
have to keep track of LibreSSL security updates.

-- 
Colin Watson [cjwatson@xxxxxxxxxx]
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev