From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0211E138334 for ; Sat, 9 Jun 2018 09:16:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 35A5EE0975; Sat, 9 Jun 2018 09:16:22 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B828AE096F for ; Sat, 9 Jun 2018 09:16:21 +0000 (UTC) Received: from [10.100.0.6] (fisi34.ciencias.uniovi.es [156.35.97.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: pacho) by smtp.gentoo.org (Postfix) with ESMTPSA id 8625B335C9C; Sat, 9 Jun 2018 09:16:18 +0000 (UTC) Message-ID: <1528535762.7621.1.camel@gentoo.org> Subject: Re: [gentoo-dev] Current status with openssl-1.1 From: Pacho Ramos To: gentoo-dev@lists.gentoo.org, base-system@gentoo.org Cc: crypto@gentoo.org Date: Sat, 09 Jun 2018 11:16:02 +0200 In-Reply-To: <20180609102206.131b1117@abudhabi.paradoxon.rec> References: <20180609102206.131b1117@abudhabi.paradoxon.rec> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.24.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 1cb7830f-5bae-440f-8bbe-f7f6d74cbf23 X-Archives-Hash: 6e3762012947a909905c029f715b054d El sáb, 09-06-2018 a las 10:22 +0200, Lars Wendler escribió: > > [...[ > some point. > > So, basically openssl is the last big showstopper for openssl-1.1 to > get out of p.mask. There are some inofficial patches floating around in > the WWW but each one of them has some issues and they all are not > really small in size. > Last time I checked, the most complete (but still to some degree > broken) patch had 2800+ LOC and was 80K in size. This is definitely > nothing I want to maintain as downstream, left aside the fact that > openssh should not be messed with lightly regarding security > implications. Why don't try to use RedHat/Fedora patch for openssl-1.1 compat? It seems they are taking care of maintaining that patch on their side > > My biggest concern right now is that openssh might still block > openssl-1.1.1 once that got released. openssl-1.1.1 provides TLSv1.3 > which is something we should provide to our users as soon as possible > and is also targeted as next LTS release. > > > > [1] https://bugs.gentoo.org/592438 > [2] https://bugs.gentoo.org/592578 >