Howdy all,

I know that the OpenSSH team has made a clear and well justified decision regarding interoperability with OpenSSL 1.1. I respect that entirely. That said, I've recently had to deal with a couple of users who had a specific set of requirements with building OpenSSH 7.7 using patches for OpenSSL 1.1 found in the slackware package. (http://slackblog.com/slackware/slackware64-current/source/n/openssh/)

I found it annoying that this patch absolutely required OpenSSL 1.1 so I modified it to provide a single patch that will compile under OpenSSL 1.1 as well as earlier versions. Mostly it's just a whole lot of #if/#else/#endifs to work with the different interfaces.

I'm not submitting this patch for inclusion into OpenSSH. I'm just providing it in case it might be of value to people in the community.

This patch passes all regression tests and seems to work pretty well. If you do get this please be sure to rebuild configure so it picks up the changes in configure.ac.

You can grab the patch here:
https://sourceforge.net/projects/hpnssh/files/OpenSSL-1.1%20Compatibility/

Chris Rapier

On Tue, 2018-06-05 at 14:16 -0400, rapier wrote:
> Howdy all,
>
> I know that the OpenSSH team has made a clear and well justified
> decision regarding interoperability with OpenSSL 1.1. I respect that
> entirely. That said, I've recently had to deal with a couple of users
> who had a specific set of requirements with building OpenSSH 7.7 using
> patches for OpenSSL 1.1 found in the slackware package.
> (http://slackblog.com/slackware/slackware64-current/source/n/openssh/)
>
> I found it annoying that this patch absolutely required OpenSSL 1.1
> so I modified it to provide a single patch that will compile under
> OpenSSL 1.1 as well as earlier versions. Mostly it's just a whole lot
> of #if/#else/#endifs to work with the different interfaces.

I did not read this patch nor your modifications, but why write a lot of ifdefs, when already the first patch submitted (and most of the others used) provided a backward compatibility layer for older OpenSSL versions?

https://github.com/openssh/openssh-portable/pull/48/files#diff-f5f8e30c8b1505f344c9f3d027b18379

If it did not build for you, there was probably something wrong in that patch (or the compat layer missing since it is not needed for the new OpenSSL).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

On 6/7/18 1:08 PM, Jakub Jelen wrote:
> On Tue, 2018-06-05 at 14:16 -0400, rapier wrote:
>> Howdy all,
>>
>> I know that the OpenSSH team has made a clear and well justified
>> decision regarding interoperability with OpenSSL 1.1. I respect that
>> entirely. That said, I've recently had to deal with a couple of users
>> who had a specific set of requirements with building OpenSSH 7.7 using
>> patches for OpenSSL 1.1 found in the slackware package.
>> (http://slackblog.com/slackware/slackware64-current/source/n/openssh/)
>>
>> I found it annoying that this patch absolutely required OpenSSL 1.1
>> so I modified it to provide a single patch that will compile under
>> OpenSSL 1.1 as well as earlier versions. Mostly it's just a whole lot
>> of #if/#else/#endifs to work with the different interfaces.
>
> I did not read this patch nor your modifications, but why write a lot
> of ifdefs, when already the first patch submitted (and most of the
> others used) provided a backward compatibility layer for older OpenSSL
> versions?

Because I didn't know about it. My interactions with the OpenSSH developer list are limited. I have the ssh variant I work on (hpn-ssh) and that's where I try to maintain my focus. I was asked by someone in the community to look into OpenSSL compatibility for hpn-ssh based on the patch from slackware that I pointed to. That wouldn't compile with older versions of OpenSSL. This seemed silly so I made it so it could.

Like I said, I only provided this because I thought someone might find it useful.