On 11/02/2016 01:43 AM, Colin Watson wrote:
> On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote:
>> Attached is a patch that adds support for building against OpenSSL
>> 1.1.0. I also made a github pull request for it at:
>> https://github.com/openssh/openssh-portable/pull/48
>
> Hi,
>
> Debian unstable now has OpenSSL 1.1.0 as the default, so I'll have to
> take some kind of positive action if I want my OpenSSH packages to keep
> building cleanly. I know it's a big patch, but is anyone likely to be
> able to look at Kurt's changes soon? I'm not very comfortable with
> applying a change of this size as a local patch.

Hello Colin,

Fedora Rawhide already has OpenSSL 1.1.0 and we use a patch based on Kurt's (after fixing initial bugs and extending it for GSSAPI and SSH1 client support). The full Fedora patch is available in our git [1].

The current set of patches, rebased on current upstream, is attached with a few more tweaks needed to build, pass the testsuite and make it work. Upstream review and insight would be helpful.

[1] https://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.3p1-openssl-1.1.0.patch

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-openssl-1.1.0.patch
Type: text/x-patch
Size: 123076 bytes
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161102/eb27c572/attachment-0001.bin>
On 2016-11-02, Jakub Jelen <jjelen at redhat.com> wrote:
> The current set of patches, rebased on current upstream, is attached
> with a few more tweaks needed to build, pass the testsuite and make it work.
> Upstream review and insight would be helpful.

Since these are going to break things with LibreSSL, I doubt they'll be acceptable as-is.
On Wed, 2 Nov 2016, Stuart Henderson wrote:
> On 2016-11-02, Jakub Jelen <jjelen at redhat.com> wrote:
>> The current set of patches, rebased on current upstream, is attached
>> with a few more tweaks needed to build, pass the testsuite and make it work.
>> Upstream review and insight would be helpful.
>
> Since these are going to break things with LibreSSL, I doubt they'll be
> acceptable as-is.

This is the nub of the problem: upstream (OpenBSD) OpenSSH targets LibreSSL natively (it's also used by Apple for their OS X builds). If we pick up the 1.1.0 patch, we'd probably have to do it in portable because there's little point in patching OpenBSD for an API that doesn't exist there. I don't want to have to carry such a major divergence in just the portable tree.

I don't know what LibreSSL's plans are wrt the 1.1.x API, but convincing them to adopt it would remove much of the problem.

It's disappointing though that OpenSSL didn't see fit to write their own set of 1.0.x->1.1.x API shims and ship it alongside 1.0.x releases. It would have made the transition easier for everyone, I think.

-d
Jakub Jelen wrote:
> On 11/02/2016 01:43 AM, Colin Watson wrote:
>> On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote:
>>> Attached is a patch that adds support for building against OpenSSL
>>> 1.1.0.
[SNIP]

Version 9.2 of PKIX-SSH supports OpenSSL API 1.1 (final). It was a continuous process that started with v8.7, which moved to opaque structures. There is no need to patch anything. You can get it all in a single source tarball.

Version 9.2 is compatible with OpenSSH 7.3 and includes more features and improvements.

Regards,
Roumen Petrov
--
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/