| 1 |
On Thu, 2 Apr 2015 16:49:20 -0700 |
| 2 |
"Paul B. Henson" <henson@×××.org> wrote: |
| 3 |
|
| 4 |
> What is the current status/thoughts regarding libressl? Reviewing the |
| 5 |
> bug and some past threads, it sounds like the initial plan was to make |
| 6 |
> openssl a virtual and let either classic openssl or libressl fulfull |
| 7 |
> it? I'm not sure if things have changed from that viewpoint, but it |
| 8 |
> really doesn't seem they're going to be plug and play compatible 8-/. |
| 9 |
> libressl offers functionality openssl doesn't and vice versa, and |
| 10 |
> playing nicely with each other doesn't seem to be on the agenda of |
| 11 |
> either. |
| 12 |
|
| 13 |
The latest state is that there is an overlay, but making the portage |
| 14 |
tree compatible with libressl is not that trivial. |
| 15 |
|
| 16 |
A large number of core packages are upstream-incompatible with |
| 17 |
libressl. Most of them are actually programming languages (python, php, |
| 18 |
ruby) that contain bindings to functions libressl has removed. |
| 19 |
This could be fixed by the upstreams with some ifdefs, but right now |
| 20 |
you can't just switch out libressl. |
| 21 |
|
| 22 |
|
| 23 |
> It seems it might make more sense to treat them more like |
| 24 |
> openssl and gnutls, where they both provide similar ssl functionality |
| 25 |
> but a given package might use one, the other, or either? |
| 26 |
|
| 27 |
Tricky thing here, because then you'd need to rename the libs. E.g. |
| 28 |
libssl to liblibressl or something. |
| 29 |
But then every program with a build environment to link to libssl would |
| 30 |
first have to be patched to link to our specialized libressl variant. |
| 31 |
|
| 32 |
|
| 33 |
> The specific reason for my current inquiry is that the latest openntpd |
| 34 |
> release includes the new support from openbsd for "constraints", where |
| 35 |
> basically you can verify ntp time sources by checking their time |
| 36 |
> relative to a trusted TLS server (which provides the time in HTTP |
| 37 |
> headers). This functionality requires libtls, part of libressl. |
| 38 |
> openssl provides no compatible functionality, so this is a case where |
| 39 |
> they're not plug-and-play, openntpd requires libressl specifically. |
| 40 |
|
| 41 |
I'm eager to use that, too, and was disappointed to read it requires |
| 42 |
libressl :-) |
| 43 |
Is there a way to split libtls off libressl? Because that might be at |
| 44 |
least for this case an option: Continue to use openssl, but have libtls |
| 45 |
laying around. Not sure if it is possible to have libtls using |
| 46 |
libcrypt/libssl functions from openssl. |
| 47 |
|
| 48 |
|
| 49 |
-- |
| 50 |
Hanno Böck |
| 51 |
http://hboeck.de/ |
| 52 |
|
| 53 |
mail/jabber: hanno@××××××.de |
| 54 |
GPG: BBB51E42 |
Archives