Hi,

On Sun, Oct 15, 2017 at 10:51:46PM +0100, Colin Watson wrote:
> https://mta.openssl.org/pipermail/openssl-users/2017-April/005540.html
> suggests that the OpenSSL folks want an external contributor to maintain
> such a layer. I've been trawling back through OpenSSL mailing lists and
> not found much else in the way of discussion about this, although of
> course I could have missed something. Has there been any discussion
> between the two sets of developers about all this, or is it all sort of
> arm's length?

Speaking for Open*VPN*, we have done that change, and it was fairly
painless. All the code has been converted to use OpenSSL 1.1 accessor
functions, and when compiling against OpenSSL 1.0 or LibreSSL, a set of
compat accessor functions is used (configure tells what is needed).

Our shim is here:

  https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openssl_compat.h

and it's really very straightforward.

The commits in question, if you want to see what was changed in the code, are:

  commit 8d00afae88b626c9cf14170a943b33a7ed378070
  commit c828ffc648eebda20e2f9087248944fa0f52a582
  commit 09776c5b52df13121504e07894a26d5cd1883317
  commit 47191f49890ee5c53fa78a8ce9bf96b9c8d27a82
  commit f05665df4150c6a345eec5432a02fd799bea0f2c
  commit 6554ac9fed9c5680f22aa4722e6e07ebf3aa3441
  commit 88046ad9e8e333259ae6fb4a295a9931a1a0e47f
  commit 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97

(I was about to offer the shim to OpenSSH, but license collision - ours
is GPLed, which is a bit annoying. OTOH it is from a single author, so if
there is interest here, maybe we can ask Emmanuel Deloget whether he's
fine with dual-licensing this piece of code.)

> Is it actually a requirement that an API compatibility layer be
> maintained by the OpenSSL team, or could a hypothetical group of
> external developers interested in breaking this stalemate fork
> openssl-compat.tar.gz, stick it in a git repository somewhere, and start
> making versioned releases and trying to address the other problems you
> describe? Of course that's only really a worthwhile exercise if OpenSSH
> would be willing to use it, and it would be good to limit the scope of
> the problem to "things needed by the handful of projects that really
> need this" rather than "the entire OpenSSL 1.0 API".

The catch here is: the shim does not provide "the OpenSSL 1.0 API" - it
provides the OpenSSL *1.1* API to projects being compiled against 1.0.

In other words: the compat library alone won't help, the code needs to be
converted to use the accessor functions, and everything needs to be very
well tested. So even having the compat library/shim around does not make
this trivial.

Note: I'm in no way trying to tell either folk what to do. I'm just
explaining what we did over at OpenVPN, and stating that while it was
quite a bit of work, we're happy that we got it done.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx
fax: +49-89-35655025                        gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
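The pattern the message describes, as an added example that is not code from OpenVPN's openssl_compat.h or from OpenSSL: application code is written once against the OpenSSL 1.1 accessor API (`RSA_get0_key` / `RSA_set0_key`, whose real 1.1 signatures are used here), and a version-gated compat block supplies those accessors as `static inline` functions when the build is against a pre-1.1 library where the struct fields were still public. OpenVPN lets configure probe for each missing function; this example gates on `OPENSSL_VERSION_NUMBER` for brevity. So that it compiles and runs offline without OpenSSL installed, the `BIGNUM`/`RSA` types and the `BN_*` helpers are constructed stand-ins for the 1.0-style public layout (real code would include `<openssl/rsa.h>` and `<openssl/bn.h>`), and the version macro is assumed to be 1.0.2. The key point it makes is the one in the message: the shim gives you the 1.1 API, it does not make old `key->n`-style code compile, so callers have to be converted; and the shim has to reproduce 1.1 semantics (such as `RSA_set0_key` refusing a first call without `n` and `e`) or code tested only against 1.0 behaves differently on 1.1.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed stand-ins so this compiles offline without OpenSSL headers.
 * They mimic the pre-1.1 situation the shim exists for: struct fields are
 * public, so old code could (and did) reach into rsa->n directly.
 * Real code would #include <openssl/rsa.h> and <openssl/bn.h> instead.
 */
typedef struct bignum_st { unsigned long word; } BIGNUM;   /* stand-in */
typedef struct rsa_st { BIGNUM *n, *e, *d; } RSA;           /* stand-in, 1.0-style layout */

static BIGNUM *BN_from_word(unsigned long w)               /* stand-in helper */
{
    BIGNUM *b = malloc(sizeof *b);
    if (b) b->word = w;
    return b;
}
static void BN_free(BIGNUM *b) { free(b); }                /* stand-in */
static int BN_num_bits(const BIGNUM *b)                    /* stand-in */
{
    int bits = 0;
    for (unsigned long w = b->word; w; w >>= 1) bits++;
    return bits;
}

#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000200fL   /* assumed: building against 1.0.2 */
#endif

/* ---- compat shim, openssl_compat.h-style ---------------------------------
 * Provides the OpenSSL 1.1 accessor API on top of a 1.0 build.  OpenVPN lets
 * configure probe each function; this example uses the version macro for
 * brevity.  On 1.1+ the block is skipped and the real library functions
 * are used, so the same caller code builds on both. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static inline void
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
    if (n != NULL) *n = r->n;
    if (e != NULL) *e = r->e;
    if (d != NULL) *d = r->d;
}

/* Mirrors the 1.1 contract: n and e must be set on the first call, ownership
 * of passed-in values transfers to the key, replaced values are freed, and
 * the return value is 1 on success / 0 on failure (nothing is taken over). */
static inline int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
        return 0;
    if (n != NULL) { BN_free(r->n); r->n = n; }
    if (e != NULL) { BN_free(r->e); r->e = e; }
    if (d != NULL) { BN_free(r->d); r->d = d; }
    return 1;
}
#endif /* OPENSSL_VERSION_NUMBER < 1.1 */

/* ---- application code, written once against the 1.1 accessor API -------- */

/* Before conversion this would have read key->n directly, which stops
 * compiling on 1.1 where RSA is opaque.  Via the accessor it builds on both. */
int rsa_modulus_bits(const RSA *key)
{
    const BIGNUM *n = NULL;
    RSA_get0_key(key, &n, NULL, NULL);
    return n != NULL ? BN_num_bits(n) : 0;
}

/* Build a key through set0, measure it through get0, clean up. */
int build_and_measure(unsigned long n_word, unsigned long e_word)
{
    RSA key = { NULL, NULL, NULL };            /* stand-in for RSA_new() */
    BIGNUM *n = BN_from_word(n_word), *e = BN_from_word(e_word);
    if (!RSA_set0_key(&key, n, e, NULL)) {     /* on failure we still own n, e */
        BN_free(n); BN_free(e);
        return -1;
    }
    int bits = rsa_modulus_bits(&key);
    BN_free(key.n); BN_free(key.e); BN_free(key.d);   /* stand-in for RSA_free() */
    return bits;
}

/* The edge case the 1.1 contract adds: a fresh key must get n and e first.
 * The shim must refuse this just like the real 1.1 function does. */
int set0_on_fresh_key_without_n_e(void)
{
    RSA key = { NULL, NULL, NULL };
    BIGNUM *d = BN_from_word(7);
    int rc = RSA_set0_key(&key, NULL, NULL, d);
    if (rc == 0) BN_free(d);                   /* ownership did not transfer */
    return rc;
}

int main(void)
{
    printf("modulus bits: %d\n", build_and_measure(0xC0FFEEUL, 65537UL));
    printf("set0 without n/e on fresh key: %d\n", set0_on_fresh_key_without_n_e());
    return 0;
}
```

To try the "1.1 side" of the pattern, compile with `-DOPENSSL_VERSION_NUMBER=0x10100000L` against real OpenSSL headers and replace the stand-in types with the real includes: the shim block drops out, the application functions are unchanged, and only the link step (`-lcrypto`) differs. That is the property the message is after, and it is why the conversion work lands in the callers, not in the shim.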