Re: openssl support
On Fri, May 17, 2019 at 02:13:46PM +0200, Harald Dunkel wrote:
> Hi Gilles,
>

Hi,

> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
>
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
>

I agree and being the one in charge of portable OpenSMTPD these days you can trust me that I'm highly annoyed by this situation because I wish we were available to everyone.

I should clarify something: I didn't wake up in a mood to kill OpenSSL support in OpenSMTPD. I built OpenSMTPD on a range of machines and realized that, again, I had made no change to the TLS layer but build was broken on half the machines. I did not remove the support, it removed itself when a new version came and it broke existing code.

After spending two days trying to unbreak things, I decided to put a stop to this madness and remove all of OpenSSL-specific kludge, ifdefs and autoconf pieces. If OpenSSL can be made to work so we don't have to keep adding conditional tests here and there, I'll be more than happy, in the meanwhile I'm not taking the extra load of work.

LibreSSL can be built on machines with OpenSSL and coexist, I've done it on several systems (FreeBSD and various Linux distros) so my take now is that there's no reason not to package it as an alternative and OpenSMTPD can depend on it. There's no good reason not to support both...

To finish, I had someone tell me in private that he did not want to rely on LibreSSL because he didn't trust it... some of the commits to our TLS layer were actually done or suggested by the LibreSSL folks. We have the same code standards, to trust us but not LibreSSL is really absurd :-)

--
Gilles Chehade
@poolpOrg
https://www.poolp.org
tip me: https://paypal.me/poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: openssl support
On 17-05-2019 14:13, Harald Dunkel wrote:
> Hi Gilles,
>
> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
>
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
>
> Regards
> Harri

It's quite possible to build and use LibreSSL on Linux side-by-side with OpenSSL. It's really quite easy thanks to the limited amount of dependencies.

At first I was slightly worried that libevent would also have to be built with LibreSSL, but it turns out that all OpenSSL stuff for libevent is in a separate .so, and OpenSMTPD doesn't use it. So the system libevent should work just fine.

For example, on Arch Linux you can use these two AUR packages:

https://aur.archlinux.org/packages/libressl-side/
https://aur.archlinux.org/packages/opensmtpd-libressl/

It shouldn't be too difficult to do the same for another distribution.

--
Maarten

P.S. I accidentally sent the reply off-list first. Apologies to Harald for the duplicate.
Re: openssl support
Hi Gilles,

I understand that ssl support is a highly complex issue, making it necessary to focus and to get rid of the cruft.

It would be a pity if opensmtpd becomes "OpenBSD-only", though.

Regards
Harri
Re: openssl support
On Fri, May 17, 2019 at 10:00:42AM +0200, Harald Dunkel wrote:
> Hi folks,
>

Hi,

> I wonder what became of
>
> https://github.com/OpenSMTPD/OpenSMTPD/issues/534
>
> ? IMHO this issue was closed way too early. Are all OS distros
> happy with opensmtpd going libressl-only? Will the rest follow?
>
>

Ticket was created in 2015, we're in 2019, it was not closed too early.

To put it bluntly, there's no way I can make all distros happy, and in the meantime I get to do the additional work of trying to satisfy all of the different openssl builds, some distros using very old versions that lack features we are forced to ifdef (ie: SNI, AES-GCM, ...), some others are even using different configure flags which end up creating very slightly different libraries carrying the same version, ...

I'm no longer interested in having to cope with that, having ifdefs that make the code less readable and create versions of smtpd that I will not be able to properly test because _my_ version never enters an ifdef.

My target is now LibreSSL with all of the features we need, and there is no specific code to accommodate OpenSSL. If we can _also_ support OpenSSL by writing code which works for both, I'll happily adapt code so that it makes both happy but I will not support OpenSSL-specific bits anymore.

I will also make it clear that we only support the LATEST LibreSSL, that means that I will not accommodate all versions of LibreSSL either.

If you have diffs that allow OpenSMTPD to build with latest LibreSSL and latest stock OpenSSL (no weird enable/disable configure flags) and which only achieve so through use of common APIs, I'll accept them happily.

--
Gilles Chehade
@poolpOrg
https://www.poolp.org
tip me: https://paypal.me/poolpOrg
openssl support
Hi folks,

I wonder what became of

https://github.com/OpenSMTPD/OpenSMTPD/issues/534

? IMHO this issue was closed way too early. Are all OS distros happy with opensmtpd going libressl-only? Will the rest follow?

Regards
Harri