Re: Status of OpenSSL 1.1 support

My apologies - stuck in Draft for a week -

I think if I wanted to "experiment" I would look at the compile flag to not use either openssl or libressl. (also hinted at in another post - and see below).

As AIX uses archives - rather than .so files (actually can use both) - both libressl and openssl "members" can be in the same archive. How well, or how broken - supporting a mixed openssl-1.0, openssl-1.0 and libressl-X.Y depends on the effort spent by 'the vendor' or packager.

As a packager - I may even consider using static linking - rather than dynamic linking - at least until the dust settles.

IMHO - there is no fear of OpenSSH going away. (Where there is a will - there is a way)

Actually - what is the 'state of the world' these days?

e.g., fedora has been mentioned, but my linux focus is more on centos (currently 11-16). The DVD installs (release 1116) OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 - not my idea of latest and greatest. So, maybe fedora is closer to latest and greatest. (I have my reasons for not chasing the latest updates - have a lot to test at an officially recognized level before throwing updates on).

In other words - do not compare Linux/UNIX - vendor - releases with OpenBSD.

If I understand many of the comments - OpenSSL - has basically put 'the world' into a difficult situation - but until someone (i.e., a commercial vendor) has a release that can be sold to a government organization (I am thinking US DoD projects) - we can expect many applications to have two branches - if they need OpenSSL at all - and support for the old branch shall wither and die. My humble opinion.

Another reason I do not worry is because I have learned to package the bits of the world that are important to me - and maybe getting budget to do this in your organization is a wise move.

The other thing I am going to look into is changing my current sshd_config (if I read an earlier note correctly) from:

#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
#HostKey /var/openssh/etc/ssh_host_ed25519_key

to

#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
#HostKey /var/openssh/etc/ssh_host_ecdsa_key
HostKey /var/openssh/etc/ssh_host_ed25519_key

i.e., whatever key that is going to work without OpenSSL. Very easy to test - and 'reset' if it isn't working.

My motto: what is easy to do - and easy to undo - with resources at hand.

Sent from my iPhone

On 14 Oct 2017, at 11:23, Peter Stuge <peter@xxxxxxxx> wrote:

Damien Miller wrote:
I'm considering adding some build sugar to simplify the process of
building (and possibly fetching) LibreSSL as part of the OpenSSH
build process.

Please don't add any fetching, even opt-in, at the very least. It's
often a mistake, and a decision that is difficult to revert once it
becomes taken for granted.


Thanks

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
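The HostKey change described in the post above, as an added example that is not part of the original message: a small POSIX shell helper that rewrites the HostKey lines of an sshd_config so only the ed25519 host key is active (the key type usable by an OpenSSH built without OpenSSL or LibreSSL), keeps a backup, and refuses to leave the file without exactly one active HostKey. It assumes commented directives are written as `#HostKey`, as in the post; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Makes the ed25519 host key
# the only active HostKey in an sshd_config, backing the file up first so the
# change is as easy to undo as it is to do. Assumes "#HostKey" comment style.
set -eu

# Print the paths of the active (uncommented) HostKey directives.
active_hostkeys() {
    awk '$1 == "HostKey" { print $2 }' "$1"
}

# Count active HostKey directives (printed without surrounding whitespace).
count_active() {
    awk '$1 == "HostKey" { n++ } END { print n + 0 }' "$1"
}

# Comment out every active non-ed25519 HostKey and activate the ed25519 one.
# The original is saved to "$1.bak"; on failure the original is restored.
ed25519_only() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    awk '
        $1 == "HostKey"  && $2 !~ /ed25519/ { print "#" $0; next }
        $1 == "#HostKey" && $2 ~  /ed25519/ { sub(/^#/, ""); print; next }
        { print }
    ' "$cfg.bak" > "$cfg"
    # Sanity check: sshd needs a host key, so exactly one must remain active.
    if [ "$(count_active "$cfg")" -ne 1 ]; then
        cp "$cfg.bak" "$cfg"
        return 1
    fi
}

# The "reset" step from the post: put the saved copy back.
ed25519_undo() {
    cp "$1.bak" "$1"
}

# Constructed sample config in the layout quoted in the post.
demo_config() {
    cat > "$1" <<'EOF'
Port 22
#HostKey /var/openssh/etc/ssh_host_rsa_key
#HostKey /var/openssh/etc/ssh_host_dsa_key
HostKey /var/openssh/etc/ssh_host_ecdsa_key
#HostKey /var/openssh/etc/ssh_host_ed25519_key
EOF
}
```

After rewriting, run `sshd -t -f <config>` on the target host to confirm the daemon accepts the result before restarting it.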
