On Fri, Apr 03, 2015 at 01:59:25AM +0200, Hanno Böck wrote:

> Tricky thing here, because then you'd need to rename the libs. E.g.
> libssl to liblibressl or something.
> But then every program with a build environment to link to libssl would
> first have to be patched to link to our specialized libressl variant.

Yah, I dunno. But I don't have a warm fuzzy about them being
interchangeable any time soon or even longterm. It's not a goal AFAIK.

> Is there a way to split libtls off libressl? Because that might be at
> least for this case an option: Continue to use openssl, but have libtls
> laying around. Not sure if it is possible to have libtls using
> libcrypt/libssl functions from openssl.

I'm pretty sure libtls won't currently compile against openssl, although
I haven't taken a detailed look as to why. It is true that openntpd has
no direct dependency on libressl, only the libtls API, so theoretically
if libressl's libtls could be patched to work with openssl or if openssl
released their own API compatible libtls it would be happy.

I asked a similar question on the pkgsrc mailing list:

http://mail-index.netbsd.org/tech-pkg/2015/03/30/msg014532.html

They're pretty much decided on allowing both openssl and libressl to be
installed concurrently and for a given application to use one or the
other. The specific method for that packaging system is what they call a
prefix; basically instead of /usr/pkg/lib/libssl it would be
/usr/pkg/libressl/lib/libssl, and packages that needed it would get the
right magic flags for the headers and libraries to be found.

All openntpd does is use libtls to make an HTTPS HEAD request. It might
be simpler to just have it use libcurl or some other existing https
library instead of trying to get libressl/libtls working, although that
would decrease the "security" aspect of it only using openbsd audited code.