From: Lars Wendler
To: base-system@gentoo.org
Cc: crypto@gentoo.org, gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Current status with openssl-1.1
Date: Sat, 9 Jun 2018 10:22:06 +0200
Message-ID: <20180609102206.131b1117@abudhabi.paradoxon.rec>

Hello dear Gentoo Devs,

this is somewhat written out of frustration so please bear with me ;) CCing crypto@ in case they can provide some valuable input to the topic. If not, sorry guys for wasting your time.

As you might have noticed, although it was published back in August 2016, we still have openssl-1.1 in package.mask due to the numerous build issues we still have with various packages[1] that use openssl.

"Why is that so?" do I hear you asking. "Debian already switched over to openssl-1.1 months ago". Well... they did not entirely switch yet. There are still packages that are being compiled/linked against openssl-1.0 in Debian because their respective upstreams refuse to collaborate. The most prominent example is openssh[2], which also is the reason that this topic gives me so much frustration. They simply refuse to add compatibility code for openssl-1.1 because openssl upstream did such a silly move with making lots of interfaces opaque and making openssl-1.1 mostly incompatible with code written against older openssl versions. This and the fact that you can build openssl-1.1 with three different API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for openssl consumers to migrate their code to openssl-1.1.

openssh upstream even raised the idea to simply focus crypto support in their software on libressl, which I personally think is a really bad move. But coming from the same people (openssh and libressl are both developed by OpenBSD people), it's no big surprise this idea came up at some point.

So, basically openssh is the last big showstopper for openssl-1.1 to get out of p.mask. There are some unofficial patches floating around in the WWW but each one of them has some issues and they all are not really small in size. Last time I checked, the most complete (but still to some degree broken) patch had 2800+ LOC and was 80K in size. This is definitely nothing I want to maintain as downstream, leaving aside the fact that openssh should not be messed with lightly regarding security implications.

My biggest concern right now is that openssh might still block openssl-1.1.1 once that gets released. openssl-1.1.1 provides TLSv1.3, which is something we should provide to our users as soon as possible, and it is also targeted as the next LTS release.

[1] https://bugs.gentoo.org/592438
[2] https://bugs.gentoo.org/592578

-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39