On Thu, 15 Sep 2021, Dmitry Belyavskiy wrote:

> Dear colleagues,
>
> OpenSSL 3.0 has deprecated a lot of (mostly low-level) functions. They are
> still available but not recommended for usage in future.
>
> OpenSSH uses approximately 75 deprecated OpenSSL functions in ~300 lines of
> code. I understand that OpenSSL is just one of the supported crypto
> libraries and OpenSSL 3.0 is not widely deployed yet, but I wonder if the
> OpenSSH upstream has any ideas/plans about getting rid of such functions?
> At least some of them could be just eliminated and replaced with EVP_PKEY
> functions present since the OpenSSL 1.0 age.

It will probably be pretty uncontroversial to switch to functions that are
supported by all of OpenSSL 1.x/3.x and LibreSSL 2.x, though I don't know
how many of these there are.

For things that don't exist in LibreSSL or OpenSSL 1.x, the best path IMO
is to get support implemented in LibreSSL and then use that as the basis
for any compatibility code needed in portable OpenSSH. This approach also
keeps us building against BoringSSL, which doesn't seem to track the
bleeding edge OpenSSL closely. The LibreSSL team have been receptive in the
past to reasonable API compatibility requests.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
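The figure in the first message (about 75 deprecated functions across about 300 lines) is the kind of number a maintainer wants to be able to reproduce before deciding which calls to move to EVP_PKEY and which need a LibreSSL-first compatibility path. The script below is an added example for that audit; it is not OpenSSH, OpenSSL or LibreSSL code. It scans a C tree for calls into the function families that OpenSSL 3.0 marks deprecated (the RSA_/DSA_/DH_/EC_KEY_ key-object APIs, HMAC_ and ENGINE_, the raw digest and cipher APIs, and the EVP_PKEY_get0/get1/set1/assign accessors for those key types) and reports the distinct names and the lines that use them. The match is textual, so a prototype or comment that looks like a call is also reported, and the sample source files it creates are constructed for the demonstration. Function names (`make_sample_tree`, `grep_deprecated_openssl`, `list_deprecated_openssl`, `count_deprecated_openssl`) are this example's own.

```shell
#!/bin/sh
# Added example (not OpenSSH/OpenSSL code): count OpenSSL 3.0-deprecated
# low-level function usage in a C source tree. Prefix list is a heuristic
# based on the OpenSSL 3.0 deprecation list; refine it for your own tree.
LC_ALL=C
export LC_ALL

DEPRECATED_RE='(^|[^A-Za-z0-9_])((RSA|DSA|DH|ECDH|ECDSA|EC_KEY|HMAC|CMAC|ENGINE|AES|DES|RC4|MD5|SHA1|SHA256|SHA512)_[A-Za-z0-9_]+|EVP_PKEY_(get0|get1|set1|assign)_(RSA|DSA|DH|EC_KEY))\('

# Every "file:line:text" in DIR's *.c/*.h files that calls a deprecated function.
grep_deprecated_openssl() {
	find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
		-exec grep -HnE "$DEPRECATED_RE" {} + 2>/dev/null
}

# Distinct deprecated function names used in DIR, one per line, sorted.
# The leading non-identifier character and trailing "(" of each match are stripped.
list_deprecated_openssl() {
	find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
		-exec grep -hoE "$DEPRECATED_RE" {} + 2>/dev/null |
		sed 's/^[^A-Za-z0-9_]//; s/($//' | sort -u
}

# One summary line, "functions=N lines=M": N distinct names, M source lines.
count_deprecated_openssl() {
	nf=$(list_deprecated_openssl "$1" | wc -l | tr -d ' ')
	nl=$(grep_deprecated_openssl "$1" | wc -l | tr -d ' ')
	echo "functions=$nf lines=$nl"
}

# Constructed sample tree: two files on the deprecated 1.x-style APIs, one
# already on the EVP interface (which must not be reported).
make_sample_tree() {
	dir=$1
	mkdir -p "$dir"
	cat > "$dir/rsa_old.c" <<'EOF'
#include <openssl/rsa.h>
/* deprecated in 3.0: direct RSA object handling and low-level signing */
static int old_sign(RSA *rsa, const unsigned char *d, unsigned int dl, unsigned char *s, unsigned int *sl)
{
	return RSA_sign(NID_sha256, d, dl, s, sl, rsa) == 1 ? RSA_size(rsa) : -1;
}
EOF
	cat > "$dir/kex_new.c" <<'EOF'
#include <openssl/evp.h>
/* already on the EVP interface: nothing here should be reported */
static int new_sign(EVP_PKEY *pkey, EVP_MD_CTX *ctx)
{
	return EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey);
}
EOF
	cat > "$dir/hmac_old.c" <<'EOF'
#include <openssl/hmac.h>
/* deprecated in 3.0: HMAC_* context functions; EVP_MAC replaces them */
static void old_mac(HMAC_CTX *c) { HMAC_CTX_free(c); }
EOF
}

# Demonstration run on the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
grep_deprecated_openssl "$tmp"
list_deprecated_openssl "$tmp"
count_deprecated_openssl "$tmp"   # functions=3 lines=2
rm -rf "$tmp"
```

Run it against a real checkout with `count_deprecated_openssl path/to/tree` after sourcing the file; the per-name list from `list_deprecated_openssl` is the useful starting point for sorting calls into the two buckets the reply describes, those with an EVP_PKEY equivalent in OpenSSL 1.x/3.x and LibreSSL alike, and those that would first need LibreSSL support and a compatibility shim in portable OpenSSH.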