On 09/06/2018 10:22, Lars Wendler wrote:
> Hello dear Gentoo Devs,
>
> this is somewhat written out of frustration so please bear with me ;)
>
> CCing crypto@ in case they can provide some valuable input to the
> topic. If not, sorry guys for wasting your time.
>
> As you might have noticed, although being published back in August
> 2016, we still have openssl-1.1 in package.mask due to the numerous
> build issues we still have with various packages[1] that use openssl.
>
> "Why is that so?" do I hear you asking. "Debian already switched over
> to openssl-1.1 months ago."
>
> Well... they did not entirely switch yet. There are still packages that
> are being compiled/linked against openssl-1.0 in Debian because their
> respective upstreams refuse to collaborate.
>
> The most prominent example is openssh[2], which also is the reason that
> this topic gives me so much frustration. They simply refuse to add
> compatibility code for openssl-1.1 because openssl upstream did such a
> silly move with making lots of interfaces opaque and making openssl-1.1
> mostly incompatible with code written against older openssl versions.
>
> This and the fact that you can build openssl-1.1 with three different
> API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
> openssl consumers to migrate their code to openssl-1.1.
>
> openssh upstream even raised the idea to simply focus crypto support in
> their software on libressl, which I personally think is a really bad
> move. But coming from the same people (openssh and libressl are both
> developed by OpenBSD people), it's no big surprise this idea came up at
> some point.
Is libressl providing an API that is less silly and somehow compatible with applications using the openssl-1.1 API?

Do we have an openssh alternative that is interoperable AND usable?

Is it possible to have the never-libressl software use another TLS/crypto provider?

lu