Just commenting on this: I had very few problems moving from 1.0.2 to 1.1.0. We'd already cleaned up most of the issues OpenSSL fixed between 1.0.2 and 1.1.0, those fixups were well isolated so migrating was just a matter of ifdef'ing out accessors/allocators/deallocators we'd created to civilize the API and replace those with the equivalents native to 1.1.0.
Things like that you can't fix without breaking someone, and without fixing that you can't provide stable ABIs going forward; as Richard says, someone will break at some point when you do that anyway.  I'll concede we realized ABI stability would be an issue well in advance of 1.1.0, but it was just good defensive programming practice that achieved that, not inside information.

Mind you, some of the problems in 1.1.0x are awesome, older HP/UX PA-RISC compilers turn some of the macros deep in OpenSSL to local functions - embedded in every object file. Our footprint there went from 2M to 20M. Solaris had similar issues but not quite as bad in practice.

Peter

-----"openssl-dev" <openssl-dev-boun...@openssl.org> wrote: -----
To: openssl-dev@openssl.org
From: Richard Levitte
Sent by: "openssl-dev"
Date: 03/21/2017 06:56PM
Subject: Re: [openssl-dev] please make clear on website that 1.1.0e is Development release, not GA / Production release

In message <calyzvky_y0ewaupzbwsyrq2k+onzyfran1t8c7upox5_0jp...@mail.gmail.com> on Tue, 21 Mar 2017 00:13:57 +0000, Jason Vas Dias <jason.vas.d...@gmail.com> said:

jason.vas.dias> On 20/03/2017, Kurt Roeckx <k...@roeckx.be> wrote:
jason.vas.dias> > The ed25519 support in openssh doesn't even come from openssl.
jason.vas.dias> >
jason.vas.dias> What happens is OpenSSH's cipher.c calls
jason.vas.dias>        if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
jason.vas.dias>           (do_encrypt == CIPHER_ENCRYPT)) == 0) {
jason.vas.dias> ret = SSH_ERR_LIBCRYPTO_ERROR;
jason.vas.dias> goto out;
jason.vas.dias> }
jason.vas.dias> which always does 'goto out' for any ED25519 file.

That would happen if ssh_host_ed25519_key is password protected and
the cipher used to encrypt the key isn't recognised in OpenSSL 1.1.0
(and considering the current master of openssh-portable doesn't build
cleanly against OpenSSL 1.1.0e and I therefore suppose you've hacked
around, I can't even begin to say where the fault came in).  It also
depends on your OpenSSL configuration, since you can disable most
algorithms it carries...

jason.vas.dias> >> which mainly
jason.vas.dias> >> involved including the '*_lo?cl.h' & '*_int.h'  headers
jason.vas.dias> >
jason.vas.dias> > Including the internal headers is not a good patch. This will
jason.vas.dias> > break.
jason.vas.dias> >
jason.vas.dias>
jason.vas.dias> It doesn't break at all - the code remains 100% unchanged  - just different
jason.vas.dias> headers need including - and seems to work fine including the API
jason.vas.dias> hiding headers.

The structures you find in there are made private for a reason, we
need the liberty to make changes in them in future developments
without disturbing the ABI (not just the API).  So some time in the
future, it will break.

jason.vas.dias> And my point is really not to criticize your effort, it is just a plea to make
jason.vas.dias> clear on the web-page that the 1.1.0 branch is a development branch and
jason.vas.dias> does not work yet with most OpenSSL using applications .

It isn't a development branch.  We see it as a stable release, i.e. no
further development apart from bug fixes.  "master" is the development
branch.

jason.vas.dias> OpenSSL in its 1.0.2 incarnation has been hardened by over (10,15,20)? years
jason.vas.dias> of testing , and its API is usable by all OpenSSL using applications,
jason.vas.dias> unlike 1.1.0 .

Just to put things in perspective, OpenSSL 1.0.0 was released
2010-Mar-29.  That was the start of the 1.0.x series.  OpenSSL 1.0.2
was released 2015-Jan-22.

OpenSSL 1.1.0 marks the start of the 1.1.x series, which isn't source
compatible with the 1.0.x series.  We have talked about this in
different ways even before the first Alpha release was made (over a
year ago).

Either way, the 1.0.2 branch is supported until the end of 2019.
One could say that's how long other application authors have to rework
their source, although that's not really true since anyone can keep
the 1.0.2 source around as long as they want (hey, even we do).

Maybe you expected all applications to have converted the moment we
declared our 1.1.0 release stable?  That will not happen...  as far as
we've observed, most are hardly even looking before we've made a
stable release (which I agree is unfortunate).

Cheers,
Richard

--
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

