[gentoo-dev] Re: Current status with openssl-1.1

2018-06-09 Thread Luca Barbato
On 09/06/2018 10:22, Lars Wendler wrote:
> Hello dear Gentoo Devs,
> 
> this is somewhat written out of frustration so please bear with me ;)
> 
> CCing crypto@ in case they can provide some valuable input to the
> topic. If not, sorry guys for wasting your time.
> 
> As you might have noticed, although being published back in August
> 2016, we still have openssl-1.1 in package.mask due to the numerous
> build issues we still have with various packages[1] that use openssl.
> 
> "Why is that so?" do I hear you asking. "Debian already switched over
> to openssl-1.1 months ago".
> 
> Well... they did not entirely switch yet. There are still packages that
> are being compiled/linked against openssl-1.0 in Debian because their
> respective upstreams refuse to collaborate.
> 
> The most prominent example is openssh[2] which also is the reason that
> this topic gives me so much frustration. They simply refuse to add
> compatibility code for openssl-1.1 because openssl upstream did such a
> silly move with making lots of interfaces opaque and making openssl-1.1
> mostly incompatible with code written against older openssl versions.
> 
> This and the fact that you can build openssl-1.1 with three different
> API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
> openssl consumers to migrate their code to openssl-1.1.
> 
> openssh upstream even raised the idea to simply focus crypto support in
> their software on libressl which I personally think is a really bad
> move. But coming from the same people (openssh and libressl are both
> developed by OpenBSD people), it's no big surprise this idea came up at
> some point.

Is libressl providing an API that is less silly and somehow compatible
with applications using the openssl-1.1 API?

Do we have an openssh alternative that is interoperable AND usable?

Is it possible to have the never-libressl software use another
TLS/crypto provider?

lu



[gentoo-dev] Re: Current status with openssl-1.1

2018-06-09 Thread Martin Vaeth
Lars Wendler  wrote:
> So, basically openssl is the last big showstopper for openssl-1.1 to
> get out of p.mask.

s/openssl/openssh/

Another showstopper is net-libs/wvstreams, hence net-dialup/wvdial.
BTW, this is a Debian bug open without any comment since April 2017:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859791
Debian's and Arch's workarounds can be called slotting of openssl:1.0:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828603

While many of the new opaqueness problems are easy to fix,
some functions of wvstreams rely so much on internals which are
inaccessible with openssl-1.1 that they seem impossible to convert.
My guess (I am not an openssl guru) is that the whole wvstreams
implementation would need to change, maybe also the provided API with
some functionality being dropped or attacked completely differently.
The uncommented bugreports and missing PRs suggest that this will
never happen by upstream, and there also seems to be no fork with it.

Maybe for wvstreams a workaround might be to mask/remove USE=ssl:
Perhaps wvdial would then lose some functionality (does anybody
know what would break?) but given how useful wvdial is, this is
better than dropping it completely.