jpbion@xxxxxxxxxx wrote:

> i worry if it will be possible to maintain software, over time, that
> supports both variants of SSL stack.

Sure, of course it will be, as it is now. But it may require a layer of abstraction, such as Emmanuel's shim. If done well, that's not a problem per se, in this general case.

> As such, I worry if a day comes that I can’t use openssh,
> because too many other things I depend upon CAN'T use libreSSL.

Don't worry. A few points in addition to what Ingo mentioned:

1. OpenSSL and LibreSSL can co-exist on a single system in several different ways. Most distributions are far too simplistic to support that, but it is actually pretty straightforward technically.

2. OpenSSH can be built to not need any SSL library, if you rely on the newer ECDSA (ed25519) algorithms.

3. The SSH protocol does not use TLS in any way, so OpenSSH does not need any SSL/TLS implementation, and there might be a better future API for OpenSSH to consume.

To 3.: OpenSSH only uses the TLS libraries for the crypto algorithms, which in general are fairly simple and well-defined. Crypto operations have the same actual inputs and outputs regardless of which implementation provides them. So it is conceivable that there will at some point exist a crypto API which is both easy to provide and easy to consume. Maybe LibreSSL already proposes it. In that case OpenSSH is simply an early adopter, albeit a somewhat special one without interest in TLS, and other projects can be expected to move over to LibreSSL.

//Peter

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev