Gentoo Archives: gentoo-dev

From: Lars Wendler <polynomial-c@g.o>
To: base-system@g.o
Cc: crypto@g.o, gentoo-dev@l.g.o
Subject: [gentoo-dev] Current status with openssl-1.1
Date: Sat, 09 Jun 2018 08:22:24
Message-Id: 20180609102206.131b1117@abudhabi.paradoxon.rec
Hello dear Gentoo Devs,

this is somewhat written out of frustration so please bear with me ;)

CCing crypto@ in case they can provide some valuable input to the
topic. If not, sorry guys for wasting your time.

As you might have noticed, although being published back in August
2016, we still have openssl-1.1 in package.mask due to the numerous
build issues we still have with various packages[1] that use openssl.

"Why is that so?" do I hear you asking. "Debian already switched over
to openssl-1.1 for months already".

Well... they did not entirely switch yet. There are still packages that
are being compiled/linked against openssl-1.0 in Debian because their
respective upstreams refuse to collaborate.

The most prominent example is openssh[2] which also is the reason that
this topic gives me so much frustration. They simply refuse to add
compatibility code for openssl-1.1 because openssl upstream did such a
silly move with making lots of interfaces opaque and making openssl-1.1
mostly incompatible with code written against older openssl versions.

This and the fact that you can build openssl-1.1 with three different
API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
openssl consumers to migrate their code to openssl-1.1.

openssh upstream even raised the idea to simply focus crypto support in
their software on libressl which I personally think is a really bad
move. But coming from the same people (openssh and libressl are both
developed by OpenBSD people), it's no big surprise this idea came up at
some point.

So, basically openssh is the last big showstopper for openssl-1.1 to
get out of p.mask. There are some unofficial patches floating around in
the WWW but each one of them has some issues and they all are not
really small in size.
Last time I checked, the most complete (but still to some degree
broken) patch had 2800+ LOC and was 80K in size. This is definitely
nothing I want to maintain as downstream, leaving aside the fact that
openssh should not be messed with lightly regarding security
implications.

My biggest concern right now is that openssh might still block
openssl-1.1.1 once that gets released. openssl-1.1.1 provides TLSv1.3
which is something we should provide to our users as soon as possible
and is also targeted as next LTS release.


[1] https://bugs.gentoo.org/592438
[2] https://bugs.gentoo.org/592578

--
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39

Replies

Subject Author
Re: [gentoo-dev] Current status with openssl-1.1 "Michał Górny" <mgorny@g.o>
Re: [gentoo-dev] Current status with openssl-1.1 Pacho Ramos <pacho@g.o>
[gentoo-dev] Re: Current status with openssl-1.1 Martin Vaeth <martin@×××××.de>
[gentoo-dev] Re: Current status with openssl-1.1 Luca Barbato <lu_zero@g.o>
Re: [gentoo-dev] Current status with openssl-1.1 James Cloos <cloos@×××××××.com>