On 13/10/2017 23:58, Sebastian Andrzej Siewior wrote:
Hi,
more or less a year ago Kurt Roeckx provided an initial port towards the
OpenSSL 1.1 API [0]. The patch has been left untouched [1], and complaints
were raised about the missing compat layer between the new and the old API
within the OpenSSL library [2].
This is how I reconstructed the situation as of today and I am not
aware of any progress in regard to the newer library within the OpenSSH
project. Did I miss any significant development?
In the `meantime', OpenSSL provides a kind of compat layer [3] which
(they suggested) should be included in the downstream projects [4].
Is this enough / acceptable? What would the project like to see? I know
that OpenBSD itself is more focused on the LibreSSL library, but I would
like to avoid everyone carrying (and maintaining) a big patch around.
[0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
[1] I know that Fedora ships it.
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
[3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
[4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer
For what it is worth - FYI only - I expect on AIX the "1.0.0" ABI will
stay around for a while - e.g., the fileset called openssl-1.0.2 still
contains openssl-0.9.8 to support 'historical' applications.
root@x064:[/data/prj/aixtools/curl-7.56.0/lib]ar tv /usr/lib/libssl.a
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so
rwxr-xr-x 537912/767508 726474 Oct 18 11:38 2016 libssl.so.1.0.0
rwxr-xr-x 537912/767508 510610 Oct 18 11:39 2016 libssl.so.0.9.8
The "default" - when it comes to new applications - is the first member
in the archive; notice the 'named' version is still libfoo.so.1.0.0.
I suppose - if I were running into compatibility conflicts with openssl -
I would look at the experimental configure flag (-nossl iirc).
IBM is on their own track - still supplying OpenSSH based on either
OpenSSH-6.0p1 or OpenSSH-7.1p1.
From the bits I have read - you will be safe to do whatever you want on
OpenBSD - and the UNIX/Linux distros will follow way behind (CentOS-1116
is around:
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 - via the DVD). And, yes
- I need to update it. Will get there eventually - part of the project I
am working on atm.
My guess is that only OpenBSD and admins that do their own packaging
will be current. Those who depend on the official updates will be behind.
M
Sebastian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev