Gentoo Archives: gentoo-dev

From: Luca Barbato <lu_zero@g.o>
To: Lars Wendler <polynomial-c@g.o>, base-system@g.o
Cc: crypto@g.o, gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: Current status with openssl-1.1
Date: Sat, 09 Jun 2018 11:55:45
Message-Id: bb7d8055-0996-81b1-c9d6-082554b5bcb7@gentoo.org
In Reply to: [gentoo-dev] Current status with openssl-1.1 by Lars Wendler
On 09/06/2018 10:22, Lars Wendler wrote:
> Hello dear Gentoo Devs,
>
> this is somewhat written out of frustration so please bear with me ;)
>
> CCing crypto@ in case they can provide some valuable input to the
> topic. If not, sorry guys for wasting your time.
>
> As you might have noticed, although being published back in August
> 2016, we still have openssl-1.1 in package.mask due to the numerous
> build issues we still have with various packages[1] that use openssl.
>
> "Why is that so?" do I hear you asking. "Debian already switched over
> to openssl-1.1 for months already".
>
> Well... they did not entirely switch yet. There are still packages that
> are being compiled/linked against openssl-1.0 in Debian because their
> respective upstreams refuse to collaborate.
>
> The most prominent example is openssh[2] which also is the reason that
> this topic gives me so much frustration. They simply refuse to add
> compatibility code for openssl-1.1 because openssl upstream did such a
> silly move with making lots of interfaces opaque and make openssl-1.1
> mostly incompatible with code written against older openssl versions.
>
> This and the fact that you can build openssl-1.1 with three different
> API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
> openssl consumers to migrate their code to openssl-1.1.
>
> openssh upstream even raised the idea to simply focus crypto support in
> their software on libressl which I personally think is a really bad
> move. But coming from the same people (openssh and libressl are both
> developed by OpenBSD people), it's no big surprise this idea came up at
> some point.

Is libressl providing an API that is less silly and somehow compatible
with applications using the openssl-1.1 API?

Do we have an openssh alternative that is interoperable AND usable?

Is it possible to have the never-libressl software use another
TLS/crypto provider?

lu