| 1 |
On Fri, Apr 03, 2015 at 01:59:25AM +0200, Hanno Böck wrote: |
| 2 |
|
| 3 |
> Tricky thing here, because then you'd need to rename the libs. E.g. |
| 4 |
> libssl to liblibressl or something. |
| 5 |
> But then every program with a build environment to link to libssl would |
| 6 |
> first have to be patched to link to our specialized libressl variant. |
| 7 |
|
| 8 |
Yah, I dunno. But I don't have a warm fuzzy about them being |
| 9 |
interchangable any time soon or even longterm. It's not a goal AFAIK. |
| 10 |
|
| 11 |
> Is there a way to split libtls off libressl? Because that might be at |
| 12 |
> least for this case an option: Continue to use openssl, but have libtls |
| 13 |
> laying around. Not sure if it is possible to have libtls using |
| 14 |
> libcrypt/libssl functions from openssl. |
| 15 |
|
| 16 |
I'm pretty sure libtls won't currently compile against openssl, although |
| 17 |
I haven't taken a detailed look as to why. It is true that openntpd has |
| 18 |
no direct dependency on libressl, only the libtls API, so theoretically |
| 19 |
if libressl's libtls could be patched to work with openssl or if openssl |
| 20 |
released their own API compatible libtls it would be happy. |
| 21 |
|
| 22 |
I asked a similar question on the pkgsrc mailing list: |
| 23 |
|
| 24 |
http://mail-index.netbsd.org/tech-pkg/2015/03/30/msg014532.html |
| 25 |
|
| 26 |
They're pretty much decided on allowing both openssl and libressl to be |
| 27 |
installed concurrently and for a given application to use one or the |
| 28 |
other. The specific method for that packaging system is what they call a |
| 29 |
prefix; basically instead of /usr/pkg/lib/libssl it would be |
| 30 |
/usr/pkg/libressl/lib/libssl, and packages that needed it would get the |
| 31 |
right magic flags for the headers and libraries to be found. |
| 32 |
|
| 33 |
All openntpd does is use libtls to make an HTTPS HEAD request. It might |
| 34 |
be simpler to just have it use libcurl or some other existing https |
| 35 |
library instead of trying to get libressl/libtls working, although that |
| 36 |
would decrease the "security" aspect of it only using openbsd audited code. |
Archives