On Mon, Apr 09, 2018 at 04:46:57PM -0400, Phil Pennock via Exim-users wrote:

> On 2018-04-09 at 08:14 +0200, Kirill Miazine via Exim-users wrote:
> > Hi, Phil
> >
> > * Phil Pennock via Exim-users [2018-04-08 17:24]:
> > [...]
> > > We've said "we only support versions of OpenSSL supported by the upstream project", so now it's time to take advantage of that.
> >
> > So LibreSSL is not supported officially, is it? If it breaks, it breaks, and Exim should be built with OpenSSL?
>
> Exim is a volunteer project, we live on patches. Our history is full of features and support provided by drive-by patches, which were massaged to be somewhat maintainable. Jeremy, Todd and Heiko have done a lot of work rounding out our test suite to remediate some of the negative consequences of that.
>
> When working across multiple choices of provider for a given interface, the usual approach is a bridge pattern, where we stick to one simpler subset of functionality and plugging in other providers can satisfy that bridge.
>
> If LibreSSL is going to continue to diverge, and if anyone cares enough to provide patches, then we could easily have a `tls-libressl.c` file which _implements_ the `SSL_CONF_cmd()` API, dispatching relevant text-based calls to the correct feature-specific SSL_CTX manipulating functions.

I know FreeBSD porters are compensating for LibreSSL. Maybe the porters can add the code for you.

> As someone maintaining an application built on SSL libraries, and needing to provide tuning to multiple end-sites, while doing too much already in terms of propagating SSL options and such like, I think that the SSL_CONF_cmd() API is a great idea. That it would let us change our configuration to be more extensible, more flexible, easier to maintain and generally more _useful_, for _less_ ongoing maintenance, is A Good Thing. I encourage folks to look carefully at what I proposed and how easy it is to implement with this API and consider if their library should support it too.
>
> At present, we "support" GnuTLS and OpenSSL. If anything else happens to work, that's great for you. If it breaks, you can either keep the pieces or provide patches to make it work again, in a way which is maintainable going forward.
>
> We've been saying, including on the -announce list, for the past few _years_ that we'll only support versions of OpenSSL which are supported upstream and that "some release Real Soon Now" would break compatibility with older versions.

Like OpenSSL 1.1.1? I have yet to try.

> -Phil
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Member - Liberal International
This is doctor@@nl2k.ab.ca  Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Look at Psalms 14 and 53 on Atheism
It is through creating, not possessing, that life is revealed. -Vida D. Scudder
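The `tls-libressl.c` bridge Phil sketches in the quoted message, as an added example for this page. It is not Exim code and not Phil's; it is a minimal illustration of the pattern: a text command and value come in, a dispatch table routes them to a feature-specific setter, and the caller gets back an `SSL_CONF_cmd()`-style return code. Assumptions: `bridge_ctx` is a stand-in struct rather than OpenSSL's `SSL_CTX`, so the file builds and runs with no TLS library present; the command names `MinProtocol`, `Ciphers` and `Options` mirror real `SSL_CONF_cmd()` commands, but the option flag names (`ServerPreference`, `NoCompression`, `NoTicket`) and their bit values are invented here and are not `SSL_OP_*` constants; the return codes (2 consumed, -2 unknown command, -3 missing value, 0 apply failed) follow the convention documented for `SSL_CONF_cmd(3)`.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSL's SSL_CTX (an assumption of this example): just the
 * settings the handlers touch, so this builds without any TLS library. */
typedef struct {
    int min_proto;          /* 0 = leave the library default */
    unsigned long options;  /* bitmask of BR_OPT_* below */
    char ciphers[256];      /* "" = leave the library default */
} bridge_ctx;

/* Version numbers match the TLS wire values OpenSSL's TLS1_*_VERSION macros use. */
#define BR_TLS1_0_VERSION 0x0301
#define BR_TLS1_1_VERSION 0x0302
#define BR_TLS1_2_VERSION 0x0303
#define BR_TLS1_3_VERSION 0x0304

/* Option bits and names are local to this example, not OpenSSL's SSL_OP_*. */
#define BR_OPT_SERVER_PREFERENCE (1UL << 0)
#define BR_OPT_NO_COMPRESSION    (1UL << 1)
#define BR_OPT_NO_TICKET         (1UL << 2)

void bridge_ctx_init(bridge_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Feature-specific setters. Against a real library these would wrap
 * SSL_CTX_set_min_proto_version(), SSL_CTX_set_cipher_list() and
 * SSL_CTX_set_options()/SSL_CTX_clear_options(). 2 = applied, 0 = bad value. */
static int set_min_proto(bridge_ctx *ctx, const char *v)
{
    static const struct { const char *name; int ver; } tab[] = {
        { "None", 0 }, { "TLSv1", BR_TLS1_0_VERSION }, { "TLSv1.1", BR_TLS1_1_VERSION },
        { "TLSv1.2", BR_TLS1_2_VERSION }, { "TLSv1.3", BR_TLS1_3_VERSION },
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(v, tab[i].name) == 0) { ctx->min_proto = tab[i].ver; return 2; }
    return 0;  /* unknown version name: context left untouched */
}

static int set_ciphers(bridge_ctx *ctx, const char *v)
{
    if (v[0] == '\0' || strlen(v) >= sizeof ctx->ciphers) return 0;
    strcpy(ctx->ciphers, v);
    return 2;
}

/* "Options" is a comma-separated list; a leading '-' clears a flag. The mask
 * is built locally and committed only if every token parsed, so one typo
 * cannot leave the context half-configured. */
static int set_options(bridge_ctx *ctx, const char *v)
{
    static const struct { const char *name; unsigned long bit; } tab[] = {
        { "ServerPreference", BR_OPT_SERVER_PREFERENCE },
        { "NoCompression",    BR_OPT_NO_COMPRESSION },
        { "NoTicket",         BR_OPT_NO_TICKET },
    };
    char buf[256];
    unsigned long opts = ctx->options;
    if (strlen(v) >= sizeof buf) return 0;
    strcpy(buf, v);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int clear = (tok[0] == '-');
        const char *name = clear ? tok + 1 : tok;
        size_t i;
        for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
            if (strcmp(name, tab[i].name) == 0) break;
        if (i == sizeof tab / sizeof tab[0]) return 0;  /* unknown flag: reject whole command */
        if (clear) opts &= ~tab[i].bit; else opts |= tab[i].bit;
    }
    ctx->options = opts;
    return 2;
}

/* The bridge itself: text command -> feature-specific function. Supporting
 * another command on another library is one more table row. */
typedef int (*bridge_handler)(bridge_ctx *, const char *);
static const struct { const char *cmd; bridge_handler fn; } dispatch[] = {
    { "MinProtocol", set_min_proto },
    { "Ciphers",     set_ciphers   },
    { "Options",     set_options   },
};

/* Return codes follow the SSL_CONF_cmd(3) convention: 2 = command and value
 * consumed, -2 = unknown command, -3 = value required but NULL, 0 = error. */
int bridge_conf_cmd(bridge_ctx *ctx, const char *cmd, const char *value)
{
    for (size_t i = 0; i < sizeof dispatch / sizeof dispatch[0]; i++) {
        if (strcmp(cmd, dispatch[i].cmd) != 0) continue;
        if (value == NULL) return -3;
        return dispatch[i].fn(ctx, value);
    }
    return -2;
}

int main(void)
{
    bridge_ctx ctx;
    bridge_ctx_init(&ctx);
    int a = bridge_conf_cmd(&ctx, "MinProtocol", "TLSv1.2");
    int b = bridge_conf_cmd(&ctx, "Options", "ServerPreference,NoCompression");
    int c = bridge_conf_cmd(&ctx, "Options", "NoTicket,Bogus");   /* rejected as a whole */
    int d = bridge_conf_cmd(&ctx, "Curves", "X25519");            /* not bridged yet */
    printf("%d %d %d %d min=0x%04x options=%lu\n", a, b, c, d, ctx.min_proto, ctx.options);
    return 0;  /* prints: 2 2 0 -2 min=0x0303 options=3 */
}
```

The point of the table-driven shape is the one Phil makes: the application only ever speaks the small text-based subset (`MinProtocol TLSv1.2`, `Options ...`), and whichever library sits behind the bridge is free to implement each row however it likes. Two caveats worth carrying into a real `tls-libressl.c`: reject a command atomically rather than applying half of an `Options` list, and return the `SSL_CONF_cmd()` codes exactly, since callers such as a config parser distinguish "unknown command" (-2) from "bad value" (0) when reporting errors.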