Re: Status of OpenSSL 1.1 support

On 13/10/2017 23:58, Sebastian Andrzej Siewior wrote:
Hi,

more or less a year ago Kurt Roeckx provided an initial port towards the
OpenSSL 1.1 API [0]. The patch has been left untouched [1] and it has
been complained about a missing compat layer of the new vs the old API
within the OpenSSL library [2].
This is how I reconstructed the situation as of today and I am not
aware of any progress in regard to the newer library within the OpenSSH
project. Did I miss any significant development?

In the `meantime', OpenSSL provides a kind of compat layer [3] which
(they suggested) should be included in the downstream projects [4].

Is this enough / acceptable? What would the project like to see? I know
that OpenBSD itself is more focused on the LibreSSL library but I would
like to avoid that every one carries (and maintains) a big patch around.

[0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
[1] I know that Fedora ships it.
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
[3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
[4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer

For what it is worth - FYI only - I expect on AIX the "1.0.0" ABI will stay around for a while - e.g., the fileset called openssl-1.0.2 still contains openssl-0.9.8 to support 'historical' applications.
root@x064:[/data/prj/aixtools/curl-7.56.0/lib]ar tv /usr/lib/libssl.a
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so.1.0.0
rwxr-xr-x 537912/767508 510610 Oct 18 11:39 2016 libssl.so.0.9.8

The "default" - when it comes to new applications is the first archive in the archive - notice the 'named' version is still libfoo.so.1.0.0.

I suppose - if I was running into compatibility conflicts with openssl - I would look at the experimental configure flag (-nossl iirc).

IBM is on their own track - still supplying OpenSSH based on either OpenSSH-6.0p1 or OpenSSH-7.1p1.

From the bits I have read - you will be safe to do whatever you want on openbsd - and the UNIX/Linux distros will follow way behind (Centos-1116 is around: OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 - via the DVD). And, yes - I need to update it. Will get there eventually - part of the project I am working on atm.

My guess is that only OpenBSD and admins that do their own packaging will be current. Those who depend on the official updates will be behind.

M


Sebastian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

