Re: Status of OpenSSL 1.1 support - Thoughts

As far as I can see, here is a summary of the situation, and there's a point to this, but I only make it in step (4), needing the first three steps to set up a background to keep my own thoughts clear:

1) Fedora (via Jakub) shows it's possible to patch OpenSSH.

2) OpenVPN (via gert) shows it's possible to build a 'shim' of sorts that allows code to work with libreSSL and OpenSSL 1.1.0.

3) Using that phrase 'as far as I can see' again, it appears that OpenSSH doesn't really care that (1) and (2) are shown as possible. The changes required to implement these solutions, in the best view, can be seen as violating the 'simple/secure' precepts of OpenBSD - so they simply are not desired, independent of feasibility.

4) As a first result, with no judgement on anyone, just looking at the data - the root cause of this issue seems to be the split of LibreSSL from OpenSSL a while back and we are just dealing with the in-hindsight-obvious consequences of that split. With something as fundamental as the SSL/TLS stack forking between OpenBSD (LibreSSL dominant) and Linux (OpenSSL dominant), it is inevitable that applications written on one or the other will find it harder and harder over time to be compatible and usable in both OpenSSL and LibreSSL worlds. You think it's hard to build a compatibility layer NOW? What happens when OpenSSL 1.2 comes around, then LibreSSL version-next, etc., 2-3 years down the road, getting further and further apart, with not just accessor functions changing, but with semantics and 'overall interface design and philosophy' changing over time. In other words, I don't believe ANY package can, over a period of time, realistically support both OpenSSL and LibreSSL, given the fact neither seems to have a desire to maintain compatibility with the other (again, as far as I can see). OpenSSH's decision to not really want to support the changes OpenSSL made is just the canary in the coal mine here - others will get to that point, too. They just got there first.

5) As a final result, it seems to me that the OpenBSD and Linux worlds need to decide if they LIKE and TOLERATE the consequences of the long-term split between LibreSSL and OpenSSL - in particular, it being harder and harder to share packages between the OpenBSD and Linux worlds, if those packages need to interface with diverging SSL/TLS stacks. If they don't, they need to do something about it. This has to be dealt with by the LibreSSL and OpenSSL teams - looking at OpenSSH is looking at the wrong place. If those two SSL/TLS teams don't talk, it will just get harder for everyone. In the meantime, because I live in the Linux world and not the OpenBSD world, for good or ill, I have to face the fact that, as of today, my reliance on the OpenSSH package, which I love and trust, has an expiration date, and I need to investigate alternatives, all of which are less appealing to me by a significant margin.

Oh well.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
