Hello,

First, sorry for the inconvenience: this message is not attached to the rest of the discussion (I just joined the ML, so I cannot answer a one-week-old message). That being said:

On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
> compile against this version. Did anybody start the work to support latest
> openssl versions?

I did (yesterday). So far, I made good progress on many fronts, although I'm not sure the path I took is what you would expect.

One of the main changes in OpenSSL 1.1 is that types are now opaque, meaning that you need to access the internal fields using various (mostly short) functions. For most of them, these functions have been added to the API. To make OpenVPN support OpenSSL, I decided to:

1. check whether the functions I need are in OpenSSL at configure time. The function list is quite large.
2. reimplement the missing functions as static inlines in an openssl_compat.h header, using the OpenSSL prototypes.
3. use the new interface in the OpenVPN code.
4. when possible (i.e. when the interface already exists in OpenSSL 1.0), use this interface.

The motivation behind this is to ease the porting of OpenVPN to a new OpenSSL API -- if the code is already using the latest API, the next changes are going to be less radical.

Having done 2/3 of the job, the patch set is about +900 insertions, -200 deletions (or something like that). I still have a lot of things to do and I should finish my first pass at the beginning of next week. I don't expect the patch set to be much longer than it already is.

Now, I have a question which is related to this. The way I'm doing things, I will make sure that the new code is compatible with both OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be compatible with version 0.9.8 as well, yet I can't stop wondering if this is a good thing. OpenSSL 0.9.8 was EoL'ed 12 months ago and I believe it's OK to let it die.
OpenVPN cannot rely on a dead SSL library -- unless it wants to make sure that future vulnerabilities in this old, deprecated version will affect it (and I'm not sure it's a good thing). Same goes for OpenSSL 1.0.1, which has been declared out of support in January 2017.

I understand that I'm the new guy in town, but can you allow me to make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and require at least version 1.0.2?

Best regards,

-- 
Emmanuel Deloget
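The configure-time check plus static-inline fallback approach described in the mail, shown as an added example for the OpenSSL 1.1 accessors RSA_set0_key() and RSA_get0_key(). This is illustration code, not OpenVPN's openssl_compat.h or OpenSSL's own code: the RSA and BIGNUM definitions below are constructed stand-ins for the non-opaque OpenSSL 1.0.x structs so the file compiles without OpenSSL headers, and HAVE_RSA_SET0_KEY is a hypothetical macro that a configure check such as AC_CHECK_FUNCS([RSA_set0_key]) would define. The fallback keeps the real OpenSSL 1.1 contract (ownership transfer, old values freed, n and e required on the first call), so caller code written against the 1.1 API compiles unchanged on both versions.

```c
#include <stddef.h>
#include <stdlib.h>

/* ---- constructed stand-in for OpenSSL 1.0.x types (NOT the real headers) ----
 * In 1.0.x, struct rsa_st exposes its fields directly; in 1.1 it is opaque. */
typedef struct bignum_st { unsigned long v; } BIGNUM;            /* toy BIGNUM */
typedef struct rsa_st { BIGNUM *n; BIGNUM *e; BIGNUM *d; } RSA;  /* 1.0.x layout, simplified */

static BIGNUM *BN_new_from(unsigned long v)
{
    BIGNUM *b = malloc(sizeof *b);
    if (b) b->v = v;
    return b;
}
static void BN_free(BIGNUM *b) { free(b); }
static RSA *RSA_new(void) { return calloc(1, sizeof(RSA)); }
static void RSA_free(RSA *r)
{
    if (r) { BN_free(r->n); BN_free(r->e); BN_free(r->d); free(r); }
}

/* ---- openssl_compat.h: provide the 1.1 interface when configure did not
 *      find it (HAVE_RSA_SET0_KEY is hypothetical; configure would define it). */
#ifndef HAVE_RSA_SET0_KEY
/* Same contract as OpenSSL 1.1: takes ownership of the passed BIGNUMs,
 * frees the values it replaces, and requires n and e on the first call.
 * On failure (return 0) ownership is NOT taken, as in OpenSSL. */
static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
        return 0;
    if (n != NULL) { BN_free(r->n); r->n = n; }
    if (e != NULL) { BN_free(r->e); r->e = e; }
    if (d != NULL) { BN_free(r->d); r->d = d; }
    return 1;
}
static inline void RSA_get0_key(const RSA *r, const BIGNUM **n,
                                const BIGNUM **e, const BIGNUM **d)
{
    if (n != NULL) *n = r->n;
    if (e != NULL) *e = r->e;
    if (d != NULL) *d = r->d;
}
#endif /* HAVE_RSA_SET0_KEY */

/* ---- caller written against the 1.1 API only; no direct field access. ----
 * Builds a public key through the setter and reads it back through the getter.
 * Returns 0 on success, -1 if the setter rejected the call, -2 if a private
 * exponent unexpectedly appeared. */
int compat_roundtrip(unsigned long nval, unsigned long eval,
                     unsigned long *n_out, unsigned long *e_out)
{
    RSA *r = RSA_new();
    BIGNUM *n = BN_new_from(nval);
    BIGNUM *e = BN_new_from(eval);
    if (r == NULL || n == NULL || e == NULL) {
        RSA_free(r); BN_free(n); BN_free(e);
        return -1;
    }
    if (!RSA_set0_key(r, n, e, NULL)) {   /* setter did not take ownership */
        RSA_free(r); BN_free(n); BN_free(e);
        return -1;
    }
    const BIGNUM *rn, *re, *rd;
    RSA_get0_key(r, &rn, &re, &rd);
    *n_out = rn->v;
    *e_out = re->v;
    int rc = (rd == NULL) ? 0 : -2;
    RSA_free(r);
    return rc;
}

/* Shows the first-call rule of the 1.1 contract: a key with no modulus is
 * rejected, and the caller keeps ownership of the BIGNUM it passed. */
int compat_rejects_missing_modulus(void)
{
    RSA *r = RSA_new();
    BIGNUM *e = BN_new_from(65537);
    int rc = RSA_set0_key(r, NULL, e, NULL);   /* expected: 0 */
    if (!rc) BN_free(e);
    RSA_free(r);
    return rc;
}
```

The point of the split is that the `#ifndef HAVE_RSA_SET0_KEY` block is the only version-specific code; once the minimum OpenSSL is raised (as the mail proposes, to 1.0.2 or later), the fallbacks can be deleted without touching any caller, which is what keeps future API migrations small.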