Re: openssl support

2019-05-17 Thread Gilles Chehade
On Fri, May 17, 2019 at 02:13:46PM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 

Hi,

> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
> 
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
> 

I agree, and being the one in charge of portable OpenSMTPD these days, you
can trust me that I'm highly annoyed by this situation, because I wish we
were available to everyone.

I should clarify something:

I didn't wake up in a mood to kill OpenSSL support in OpenSMTPD. I built
OpenSMTPD on a range of machines and realized that, again, I had made no
change to the TLS layer but build was broken on half the machines. I did
not remove the support, it removed itself when a new version came and it
broke existing code. After spending two days trying to unbreak things, I
decided to put a stop to this madness and remove all of the OpenSSL-specific
kludges, ifdefs and autoconf pieces. If OpenSSL can be made to work so we
don't have to keep adding conditional tests here and there, I'll be more
than happy; in the meantime I'm not taking on the extra load of work.

LibreSSL can be built on machines with OpenSSL and coexist, I've done it
on several systems (FreeBSD and various Linux distros) so my take now is
that there's no reason not to package it as an alternative and OpenSMTPD
can depend on it. There's no good reason not to support both...

To finish, I had someone tell me in private that he did not want to rely
on LibreSSL because he didn't trust it... some of the commits to our TLS
layer were actually done or suggested by the LibreSSL folks. We have the
same code standards, to trust us but not LibreSSL is really absurd :-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: openssl support

2019-05-17 Thread Maarten de Vries

On 17-05-2019 14:13, Harald Dunkel wrote:

> Hi Gilles,
> 
> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
> 
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
> 
> 
> Regards
> Harri


It's quite possible to build and use LibreSSL on Linux side-by-side with 
OpenSSL. It's really quite easy thanks to the limited number of 
dependencies.


At first I was slightly worried that libevent would also have to be 
built with LibreSSL, but it turns out that all OpenSSL stuff for 
libevent is in a separate .so, and OpenSMTPD doesn't use it. So the 
system libevent should work just fine.


For example, on Arch Linux you can use these two AUR packages:

https://aur.archlinux.org/packages/libressl-side/
https://aur.archlinux.org/packages/opensmtpd-libressl/

It shouldn't be too difficult to do the same for another distribution.

-- Maarten


P.S.

I accidentally sent the reply off-list first. Apologies to Harald for 
the duplicate.



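An added example, written for this archive page and not code from Maarten, Gilles or the OpenSMTPD project, that puts the two points above into a script: LibreSSL built into its own prefix next to the distro OpenSSL, OpenSMTPD built against that prefix, and a check on the resulting binary that the process maps exactly one libssl and one libcrypto, both from the LibreSSL prefix. The check is the part worth keeping: if a second libcrypto shows up (the system one, typically pulled in by libevent_openssl, which OpenSMTPD should not need), two libcryptos in one process collide on symbol names and you get exactly the kind of breakage that is hard to attribute. Assumptions, all hypothetical: the prefix /opt/libressl, a `--with-libssl=PATH` configure option in OpenSMTPD portable, and an rpath to keep the system OpenSSL out of the link.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSMTPD project.
# Assumptions (hypothetical, adjust before use): LibreSSL lives in its own
# prefix (/opt/libressl), OpenSMTPD portable's configure accepts
# --with-libssl=PATH, and an rpath is used so the binary resolves LibreSSL's
# libssl/libcrypto instead of the distro's OpenSSL that is also on disk.

LIBRESSL_PREFIX="${LIBRESSL_PREFIX:-/opt/libressl}"

# Build a LibreSSL release tarball into its own prefix (needs network to
# fetch the tarball first; not invoked below). Use the latest release.
build_libressl() (
    tarball="$1"                              # e.g. libressl-<latest>.tar.gz
    tar xzf "$tarball" && cd "${tarball%.tar.gz}" || exit 1
    ./configure --prefix="$LIBRESSL_PREFIX" && make && make install
)

# Build OpenSMTPD against that prefix. The rpath keeps the system OpenSSL
# out of the process even though both libraries exist on disk (assumed flags).
build_opensmtpd() (
    cd "$1" || exit 1
    LDFLAGS="-Wl,-rpath,$LIBRESSL_PREFIX/lib" \
        ./configure --with-libssl="$LIBRESSL_PREFIX" && make
)

# Read `ldd smtpd` output on stdin and verify the TLS linkage:
#   * exactly one libssl and one libcrypto are mapped (a second libcrypto,
#     e.g. via libevent_openssl, would clash on symbol names at load time),
#   * both resolve under the LibreSSL prefix,
#   * neither is "not found".
# Exit status 0 on success; the reasons are printed on failure.
check_tls_linkage() {
    awk -v prefix="$1" '
        BEGIN { p = prefix "/" }
        $1 ~ /^lib(ssl|crypto)\.so/ {
            lib = ($1 ~ /^libssl/) ? "libssl" : "libcrypto"
            count[lib]++
            if ($3 == "not") { missing = missing " " $1 }
            else if (index($3, p) != 1) { foreign = foreign " " $3 }
        }
        END {
            status = 0
            if (missing != "") { print "unresolved:" missing; status = 1 }
            if (foreign != "") { print "outside " prefix ":" foreign; status = 1 }
            ns = count["libssl"] + 0; nc = count["libcrypto"] + 0
            if (ns != 1 || nc != 1) {
                print "expected one libssl and one libcrypto, found " ns " and " nc
                status = 1
            }
            exit status
        }'
}

# Usage on a real build:
#   ldd ./smtpd | check_tls_linkage "$LIBRESSL_PREFIX"
```

Run the check after every rebuild of either library: a distro upgrade of OpenSSL or libevent cannot change what `smtpd` links against when the rpath is in place, but a rebuild without it silently does, and the ldd scan is the quickest way to notice.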



Re: openssl support

2019-05-17 Thread Harald Dunkel

Hi Gilles,

I understand that ssl support is a highly complex issue, making it
necessary to focus and to get rid of the cruft.

It would be a pity if opensmtpd becomes "OpenBSD-only", though.


Regards
Harri




Re: openssl support

2019-05-17 Thread Gilles Chehade
On Fri, May 17, 2019 at 10:00:42AM +0200, Harald Dunkel wrote:
> Hi folks,
> 

Hi,


> I wonder what became of
> 
>   https://github.com/OpenSMTPD/OpenSMTPD/issues/534
> 
> ? IMHO this issue was closed way too early. Are all OS distros
> happy with opensmtpd going libressl-only? Will the rest follow?
> 
> 

Ticket was created in 2015, we're in 2019, it was not closed too early.

To put it bluntly, there's no way I can make all distros happy, and in the
meantime I get to do the additional work of trying to satisfy all of the
different openssl builds, some distros using very old versions that lack
features we are forced to ifdef (i.e. SNI, AES-GCM, ...), some others are
even using different configure flags which end up creating very slightly
different libraries carrying the same version, ...

I'm no longer interested in having to cope with that, having ifdefs that
make the code less readable and create versions of smtpd that I will not
be able to properly test because _my_ version never enters an ifdef.

My target is now LibreSSL with all of the features we need, and there is
no specific code to accommodate OpenSSL. If we can _also_ support OpenSSL
by writing code which works for both, I'll happily adapt code so that it
makes both happy, but I will not support OpenSSL-specific bits anymore.

I will also make it clear that we only support the LATEST LibreSSL; that
means that I will not accommodate all versions of LibreSSL either.

If you have diffs that allow OpenSMTPD to build with latest LibreSSL and
latest stock OpenSSL (no weird enable/disable configure flags) and which
only achieve so through use of common APIs, I'll accept them happily.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




openssl support

2019-05-17 Thread Harald Dunkel

Hi folks,

I wonder what became of

https://github.com/OpenSMTPD/OpenSMTPD/issues/534

? IMHO this issue was closed way too early. Are all OS distros
happy with opensmtpd going libressl-only? Will the rest follow?


Regards

Harri
