On Thu, 2 Apr 2015 16:49:20 -0700
"Paul B. Henson" <henson@×××.org> wrote:

> What is the current status/thoughts regarding libressl? Reviewing the
> bug and some past threads, it sounds like the initial plan was to make
> openssl a virtual and let either classic openssl or libressl fulfill
> it? I'm not sure if things have changed from that viewpoint, but it
> really doesn't seem they're going to be plug and play compatible 8-/.
> libressl offers functionality openssl doesn't and vice versa, and
> playing nicely with each other doesn't seem to be on the agenda of
> either.

The latest state is that there is an overlay, but making the portage
tree compatible with libressl is not that trivial.

A large number of core packages are upstream-incompatible with
libressl. Most of them are actually programming languages (python, php,
ruby) that contain bindings to functions libressl has removed.
This could be fixed by the upstreams with some ifdefs, but right now
you can't just switch out libressl.


> It seems it might make more sense to treat them more like
> openssl and gnutls, where they both provide similar ssl functionality
> but a given package might use one, the other, or either?

Tricky thing here, because then you'd need to rename the libs. E.g.
libssl to liblibressl or something.
But then every program with a build environment to link to libssl would
first have to be patched to link to our specialized libressl variant.


> The specific reason for my current inquiry is that the latest openntpd
> release includes the new support from openbsd for "constraints", where
> basically you can verify ntp time sources by checking their time
> relative to a trusted TLS server (which provides the time in HTTP
> headers). This functionality requires libtls, part of libressl.
> openssl provides no compatible functionality, so this is a case where
> they're not plug-and-play, openntpd requires libressl specifically.

I'm eager to use that, too, and was disappointed to read it requires
libressl :-)
Is there a way to split libtls off libressl? Because that might be at
least for this case an option: Continue to use openssl, but have libtls
lying around. Not sure if it is possible to have libtls using
libcrypt/libssl functions from openssl.


--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: BBB51E42
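The "constraints" check discussed in this thread, as an added example that is not part of the mail or of openntpd's own code: it pulls the Date header out of an HTTPS response and accepts an NTP sample only if it agrees with that TLS-anchored time within a margin. The 5-minute margin, the sample response and the `fetch_constraint` helper are assumptions for the example, not openntpd's implementation.

```python
import ssl
import http.client
from email.utils import parsedate_to_datetime
from datetime import timezone

# Assumed tolerance between the TLS-derived time and an NTP sample; openntpd
# uses its own margin, this value is just an assumption for the example.
CONSTRAINT_MARGIN = 5 * 60

# Constructed response, as if read from a trusted HTTPS server (not captured
# from a real host). Only the Date header matters to the check.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 02 Apr 2015 23:49:20 GMT\r\n"
    b"Server: example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def constraint_from_response(raw: bytes) -> float:
    """Return the Unix time carried in the response's Date header (RFC 7231 format)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"date":
            stamp = parsedate_to_datetime(value.strip().decode("ascii"))
            if stamp.tzinfo is None:              # "-0000" parses as naive; treat as UTC
                stamp = stamp.replace(tzinfo=timezone.utc)
            return stamp.timestamp()
    raise ValueError("no Date header in response")

def ntp_sample_ok(ntp_time: float, constraint_time: float,
                  margin: float = CONSTRAINT_MARGIN) -> bool:
    """Accept an NTP sample only if it lies within margin of the TLS-anchored time."""
    return abs(ntp_time - constraint_time) <= margin

def fetch_constraint(host: str, port: int = 443) -> float:
    """Live variant (hypothetical helper, not run here): HEAD request over a
    verified TLS connection. Certificate validation is what makes the Date
    header trustworthy in the first place."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        date = conn.getresponse().getheader("Date")
    finally:
        conn.close()
    if date is None:
        raise ValueError("no Date header from %s" % host)
    return parsedate_to_datetime(date).timestamp()
```

A sample that drifts beyond the margin from the TLS-derived time is rejected, which is the property that stops a spoofed NTP source from steering the clock arbitrarily.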