Hi all,

I have watched with some interest as a number of people have commented on why the OpenSSL team did not make a shim available that provides a 1.1.0 style compat layer for 1.0.2 software.

Is everyone watching this aware of this web page: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

At the bottom is an openssl-compat.tar.gz file, which seems to contain a shim and the copyright seems to indicate that it is being provided by the OpenSSL team itself. From what I have read on this list, having the OpenSSL team provide an official shim seems like an important factor for many people, and while I have not dug into it, it seems maybe they have?

Thanks,
Devin
Ingo Schwarze
2017-Jul-01 17:48 UTC
OpenSSL 1.1.0 shim - OpenSSL project seems to have one
Hi Devin,

Devin Nate wrote on Sat, Jul 01, 2017 at 03:08:59PM +0000:

> I have watched with some interest as a number of people have
> commented on why the OpenSSL team did not make a shim available
> that provides a 1.1.0 style compat layer for 1.0.2 software.
>
> Is everyone watching this aware of this web page:
> https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
>
> At the bottom is an openssl-compat.tar.gz file, which seems to
> contain a shim and the copyright seems to indicate that it is
> being provided by the OpenSSL team itself. From what I have
> read on this list, having the OpenSSL team provide an official
> shim seems like an important factor for many people, and while
> I have not dug into it, it seems maybe they have?

After having had a first superficial look at these two files libcrypto-compat.{c,h}, i'm surprised how small they are. They contain about thirty functions. I recently converted the LibreSSL manuals from perlpod(1) to mdoc(7), which was quite some work because there are well above 2000 documented functions (and besides, only a minority of the functions declared in public headers and accessible to application code is documented at all). So i would be somewhat surprised if this compat module containing about thirty functions were complete.

Having a *very* superficial first look, i quickly found various functions that are documented in OpenSSL-current and not available in LibreSSL that seem to act as accessors for structs that were made opaque, but which don't appear in libcrypto-compat.{c,h}:

  DH_get_length
  DH_set_flags
  DH_set_length
  DH_test_flags
  (and it seems there are similar ones for DSA)
  EVP_CIPHER_CTX_set_cipher_data
  EVP_PKEY_get0_DSA
  EVP_PKEY_get0_EC_KEY
  EVP_PKEY_get0_hmac
  OBJ_get0_data
  OBJ_length
  OCSP_resp_get0_certs
  RSA_clear_flags
  RSA_set_flags
  RSA_test_flags

OpenSSL-current also contains *_meth_* functions for other algorithms, not just RSA.

Then, i see many accessors in the SSL_* and X509_* namespaces, which i didn't check in detail, but there is nothing from those namespaces in the files you found.

Again, the above is not a proper analysis, just examples. I'm sure i missed a lot, and there may also be false positives in my examples. Somebody more familiar with the OpenSSL code could probably comment better whether these two files are closer to an official shim, or closer to a mere collection of a handful of examples.

I don't see that the official OpenSSL page addresses that question, or makes any statement whether these two files were tested, and whether and how they are maintained. The fact that the tarball carries no version number and no date doesn't sound too hopeful with respect to maintenance... I mean *if* the OpenSSL team intends to maintain something, they normally do use version numbers in a rather strict way...

Yours,
Ingo
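The comparison Ingo did by hand above (which 1.1.0-style accessors an application calls that the shim header does not declare) can be scripted. This is an added example, not code from the thread or from the OpenSSL compat tarball; the header and source files it scans are constructed stand-ins, not the real libcrypto-compat.h.

```shell
#!/bin/sh
# Added example: list the 1.1.0-style accessor functions a source file calls
# that a compat shim header does not declare. Sample inputs are constructed.
set -eu
export LC_ALL=C            # deterministic collation for sort/comm

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed stand-in for libcrypto-compat.h: a few 1.1.0-style prototypes.
cat > "$TMP/libcrypto-compat.h" <<'EOF'
#ifndef LIBCRYPTO_COMPAT_H
#define LIBCRYPTO_COMPAT_H
#include <openssl/rsa.h>
#include <openssl/dh.h>
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif
EOF

# Constructed application source calling accessors of the opaque-struct era.
cat > "$TMP/app.c" <<'EOF'
    RSA_get0_key(rsa, &n, &e, NULL);
    DH_set_length(dh, 256);
    if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY)) { ... }
EOF

# Function names declared by prototypes in a header: the identifier that
# directly precedes "(" on a line ending in ");".
declared_functions() {
    sed -nE 's/^[A-Za-z_][A-Za-z0-9_ *]*[ *]([A-Za-z_][A-Za-z0-9_]*) *\(.*\);[[:space:]]*$/\1/p' "$1" \
        | sort -u
}

# Accessor-style names used by a source file: <TYPE>_{get0,set0,get,set,test,clear}_<field>.
used_accessors() {
    grep -oE '[A-Za-z0-9_]+_(get0|set0|get|set|test|clear)_[A-Za-z0-9_]+' "$1" | sort -u
}

# Print the accessors used in $2 that the shim header $1 does not declare.
missing_from_shim() {
    declared_functions "$1" > "$TMP/declared"
    used_accessors "$2"     > "$TMP/used"
    comm -13 "$TMP/declared" "$TMP/used"
}

missing_from_shim "$TMP/libcrypto-compat.h" "$TMP/app.c"
```

Point the two arguments at the real libcrypto-compat.h and your own sources to get the list of accessors you would still have to provide yourself.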