Re: (ITS#8445) LibreSSL v2.4 compile
This is LibreSSL's response.
---------- Forwarded message ---------
From: Bob Beck <beck@obtuse.com>
Date: Tue, Jun 21, 2016 at 11:45 AM
Subject: Re: OpenSSL v1.1 API
To: Connor Taffe <cpaynetaffe@gmail.com>
Cc: <libressl@openbsd.org>
I would say we would plan on it "when we need it" - We will support TLS 1.3 as
it stabilizes, but at this stage I couldn't say when/if particular OpenSSL'isms
might be supported.

BoringSSL hasn't pulled in X509_NAME_get0_der either yet - so I think we will
be taking what I would describe as a cautious and selective approach to
new features from OpenSSL - During the same time as we've moved from about
750,000 lines of code at the fork to about 350,000 - OpenSSL is now over 1,000,000
lines - So we're probably not going to be about wholesale code importing
from OpenSSL - We will be taking things selectively and with a degree
of caution.
Of note - we *do* support a newer API - libtls - which may be more
than fine for most of OpenLDAP's needs:
See
http://man.openbsd.org/OpenBSD-current/man3/tls_init.3
and/or
http://www.openbsd.org/papers/libtls-fsec-2015/
On Mon, Jun 20, 2016 at 09:21:43AM +0000, Connor Taffe wrote:
> Hey,
>
> Does LibreSSL plan to implement the OpenSSL v1.1 API?
>
> I've submitted a patch to OpenLDAP to allow compilation with LibreSSL
> v2.4.1. The patch currently checks if LIBRESSL_VERSION_NUMBER is defined
> and if so uses the fallback code for versions of OpenSSL < 1.1.
>
> The maintainers would like to cap the version on the LibreSSL check if
> implementation of the OpenSSL v1.1 API is planned.
>
> Specifically (to this case) OpenSSL added the SSL_CTX_up_ref function in
> commit c5ebfcab713a82a1d46a51c8c2668c419425b387 in March of this year, and
> added X509_NAME_get0_der in commit 7ab507495b86371756575d606af556b4fd74e27a
> in January of this year.
>
> ---------- Forwarded message ---------
> From: Howard Chu <hyc@symas.com>
> Date: Mon, Jun 20, 2016 at 1:38 AM
> Subject: Re: (ITS#8445) LibreSSL v2.4 compile
> To: Connor Taffe <cpaynetaffe@gmail.com>, <openldap-its@openldap.org>
>
>
> Connor Taffe wrote:
> > Fixed, attached is a patch.
>
> I'm a bit concerned that you're only checking for the existence of LIBRESSL
> instead of actually comparing the version number. Since the OpenSSL change is
> based on their v1.1 API, do you know if/when LibreSSL plans to adopt the
> new API?
>
> > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com
> > <mailto:hyc@symas.com>> wrote:
> >
> > cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> wrote:
> > > Full_Name: Connor Taffe
> > > Version: master
> > > OS: Ubuntu devel
> > > URL: ftp://ftp.openldap.org/incoming/
> > > Submission from: (NULL) (50.25.160.41)
> > >
> > >
> > > Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and
> > > X509_NAME_get0_der undefined. I added checking if LIBRESSL_VERSION_NUMBER to the
> > > same conditional compilation ifs that are defined for old versions of
> > > OpenSSL.
> > >
> > > https://github.com/cptaffe/openldap
> >
> > Please read the Developer Guidelines. I'm not going to pull an arbitrary repo
> > to find someone's patch.
> >
> > http://www.openldap.org/devel/contributing.html
> >
> > --
> > -- Howard Chu
> > CTO, Symas Corp. http://www.symas.com
> > Director, Highland Sun http://highlandsun.com/hyc/
> > Chief Architect, OpenLDAP http://www.openldap.org/project/
> >
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/