My apologies - stuck in Draft for a week -
I think if I wanted to "experiment" I would look at the compile flag to
not use either openssl or libressl. (also hinted at in another post -
and see below).
As AIX uses archives - rather than .so files (actually can use both) -
both libressl and openssl "members" can be in the same archive. How
well, or how broken - supporting a mixed openssl-1.0, openssl-1.0 and
libressl-X.Y depends on the effort spent by 'the vendor' or packager.
As a packager - I may even consider using static linking - rather than
dynamic linking - at least until the dust settles.
IMHO - there is no fear of OpenSSH going away. (Where there is a will -
there is a way)
Actually - what is the 'state of the world' these days?
e.g., fedora has been mentioned, but my linux focus is more on centos
(currently 11-16). The DVD installs (release 1116) OpenSSH_6.6.1p1,
OpenSSL 1.0.1e-fips 11 Feb 2013 - not my idea of latest and greatest.
So, maybe fedora is closer to latest and greatest. (I have my reasons
for not chasing the latest updates - have a lot to test at an officially
recognized level before throwing updates on).
In other words - do not compare Linux/UNIX - vendor - releases with OpenBSD.
If I understand many of the comments - OpenSSL - has basically put 'the
world' into a difficult situation - but until someone (i.e., a
commercial vendor) has a release that can be sold to a government
organization (I am thinking US DoD projects) - we can expect many
applications to have two branches - if they need OpenSSL at all - and
support for the old branch shall wither and die. My humble opinion.
Another reason I do not worry is because I have learned to package the
bits of the world that are important to me - and maybe getting budget to
do this in your organization is a wise move.
The other thing I am going to look into is changing my current
sshd_config (if I read an earlier note correctly) from:
#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
#HostKey /var/openssh/etc/ssh_host_ed25519_key
to
#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
HostKey /var/openssh/etc/ssh_host_ed25519_key
i.e., whatever key that is going to work without OpenSSL. Very easy to
test - and 'reset' if it isn't working.
My motto: what is easy to do - and easy to undo - with resources at hand.
On 14 Oct 2017, at 11:23, Peter Stuge <peter@xxxxxxxx> wrote:
Damien Miller wrote:
I'm considering adding some build sugar to simplify the process of
building (and possibly fetching) LibreSSL as port of the OpenSSH
build process.
Please don't add any fetching, even opt-in, at the very least. It's
often a mistake, and a decision that is difficult to revert once it
becomes taken for granted.
Thanks
//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
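The HostKey change described in the reply above, as an added example that is not code from the post or from the OpenSSH project: a small Python script that applies the change to a constructed sshd_config (comment out every HostKey that needs libcrypto, enable only ed25519) and reverts it. It assumes the /var/openssh/etc paths from the post and that ed25519 is the only host-key type an OpenSSL-free build can serve.

```python
"""Restrict sshd_config to the ed25519 host key, and undo it again.

Added example; not from the mailing-list post or the OpenSSH sources.
Assumes the conventional ssh_host_<type>_key file names and that an
OpenSSH built without OpenSSL/LibreSSL can only serve ed25519 host keys.
"""
import re

# Host-key types that do not need libcrypto (assumption: ed25519 only).
OPENSSL_FREE_TYPES = ("ed25519",)

# Matches active ("HostKey ...") and commented-out ("#HostKey ...") lines.
HOSTKEY_RE = re.compile(r"^(?P<comment>#?)\s*HostKey\s+(?P<path>\S+)\s*$")

# Constructed sample config, mirroring the "from" state quoted in the post.
SAMPLE_CONFIG = """\
Port 22
#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
#HostKey /var/openssh/etc/ssh_host_ed25519_key
PermitRootLogin no
"""

def key_type(path):
    """Derive the key type from a ssh_host_<type>_key path, or None."""
    m = re.search(r"ssh_host_([a-z0-9]+)_key$", path)
    return m.group(1) if m else None

def restrict_to_ed25519(config_text):
    """Return (new_config, enabled_types).

    HostKey lines whose type needs libcrypto are commented out; the ed25519
    line is made active. All other lines pass through unchanged, so the
    function is idempotent and safe to re-run."""
    out, enabled = [], []
    for line in config_text.splitlines():
        m = HOSTKEY_RE.match(line)
        if not m:
            out.append(line)
            continue
        ktype = key_type(m.group("path"))
        if ktype in OPENSSL_FREE_TYPES:
            out.append(f"HostKey {m.group('path')}")
            enabled.append(ktype)
        else:
            out.append(f"#HostKey {m.group('path')}")
    return "\n".join(out) + "\n", enabled

def restore_defaults(config_text):
    """Undo: comment out every HostKey line so sshd uses its built-in defaults."""
    out = []
    for line in config_text.splitlines():
        m = HOSTKEY_RE.match(line)
        out.append(f"#HostKey {m.group('path')}" if m else line)
    return "\n".join(out) + "\n"
```

Validate the rewritten file with `sshd -t -f <file>` before restarting sshd; clients that cannot verify ed25519 host keys will no longer be able to connect.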