This is LibreSSL's response.
---------- Forwarded message ---------
From: Bob Beck <beck@obtuse.com>
Date: Tue, Jun 21, 2016 at 11:45 AM
Subject: Re: OpenSSL v1.1 API
To: Connor Taffe <cpaynetaffe@gmail.com>
Cc: libressl@openbsd.org
I would say we would plan on it "when we need it" - We will support TLS 1.3 as it stabilizes, but at this stage I couldn't say when/if particular OpenSSL'isms might be supported.
BoringSSL hasn't pulled in X509_NAME_get0_der either yet - so I think we will be taking what I would describe as a cautious and selective approach to new features from OpenSSL - During the same time as we've moved from about 750,000 lines of code at the fork to about 350,000 - OpenSSL is now over 1,000,000 lines - So we're probably not going to be about wholesale code importing from OpenSSL - We will be taking things selectively and with a degree of caution.
Of note - we *do* support a newer API - libtls - which may be more than fine for most of OpenLDAP's needs:
See http://man.openbsd.org/OpenBSD-current/man3/tls_init.3 and/or http://www.openbsd.org/papers/libtls-fsec-2015/
On Mon, Jun 20, 2016 at 09:21:43AM +0000, Connor Taffe wrote:
> Hey,
>
> Does LibreSSL plan to implement the OpenSSL v1.1 API?
>
> I've submitted a patch to OpenLDAP to allow compilation with LibreSSL
> v2.4.1. The patch currently checks if LIBRESSL_VERSION_NUMBER is defined
> and if so uses the fallback code for versions of OpenSSL < 1.1.
>
> The maintainers would like to cap the version on the LibreSSL check if
> implementation of the OpenSSL v1.1 API is planned.
>
> Specifically (to this case) OpenSSL added the SSL_CTX_up_ref function in
> commit c5ebfcab713a82a1d46a51c8c2668c419425b387 in March of this year, and
> added X509_NAME_get0_der in commit 7ab507495b86371756575d606af556b4fd74e27a
> in January of this year.
> ---------- Forwarded message ---------
> From: Howard Chu <hyc@symas.com>
> Date: Mon, Jun 20, 2016 at 1:38 AM
> Subject: Re: (ITS#8445) LibreSSL v2.4 compile
> To: Connor Taffe <cpaynetaffe@gmail.com>, openldap-its@openldap.org
>
> Connor Taffe wrote:
> > Fixed, attached is a patch.
>
> I'm a bit concerned that you're only checking for the existence of LIBRESSL
> instead of actually comparing the version number. Since the OpenSSL change
> is based on their v1.1 API, do you know if/when LibreSSL plans to adopt the
> new API?
>
> > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com> wrote:
> >
> > > cpaynetaffe@gmail.com wrote:
> > > > Full_Name: Connor Taffe
> > > > Version: master
> > > > OS: Ubuntu devel
> > > > URL: ftp://ftp.openldap.org/incoming/
> > > > Submission from: (NULL) (50.25.160.41)
> > > >
> > > > Compiling against LibreSSL v2.4.1 failed linking with SSL_CTX_up_ref and
> > > > X509_NAME_get0_der undefined. I added checking if LIBRESSL_VERSION_NUMBER
> > > > to the same conditional compilation ifs that are defined for old versions
> > > > of OpenSSL.
> > > >
> > > > https://github.com/cptaffe/openldap
> > >
> > > Please read the Developer Guidelines. I'm not going to pull an arbitrary
> > > repo to find someone's patch.
> > >
> > > http://www.openldap.org/devel/contributing.html
> > >
> > > --
> > > -- Howard Chu
> > > CTO, Symas Corp. http://www.symas.com
> > > Director, Highland Sun http://highlandsun.com/hyc/
> > > Chief Architect, OpenLDAP http://www.openldap.org/project/
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
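The version guard the thread argues about, written out as an added example. This is not OpenLDAP's tls_o.c, not the ITS#8445 patch, and not LibreSSL code. It puts three decision rules side by side: the plain OpenSSL version test (which is why the link against LibreSSL 2.4.1 failed in the first place: LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, above the 1.1.0 threshold of 0x10100000L, so no fallback gets compiled), the existence-only check Howard objects to, and the capped comparison the maintainers asked for. The same capped rule is then applied as a preprocessor guard that supplies the two missing functions with their usual pre-1.1 equivalents. Assumptions: the function names, the table in main(), and the cap LIBRESSL_API11_CAP (0x2070000fL, i.e. LibreSSL 2.7.0) are mine; the thread does not say which LibreSSL release ships both functions, so the cap must be set from the real release notes. The `#ifdef OPENSSL_VERSION_NUMBER` block is inert unless <openssl/ssl.h> and <openssl/x509.h> were included before it, so the file builds without any TLS library installed.

```c
/*
 * Added example (not OpenLDAP or LibreSSL code): three ways to decide whether
 * the pre-1.1 fallbacks for SSL_CTX_up_ref() and X509_NAME_get0_der() must be
 * compiled in, plus the capped rule as a real preprocessor guard.
 *
 * Version numbers used (MNNFFPPS layout from opensslv.h):
 *   OpenSSL 1.0.2g  OPENSSL_VERSION_NUMBER  = 0x1000207fL
 *   OpenSSL 1.1.0   OPENSSL_VERSION_NUMBER  = 0x10100000L
 *   LibreSSL        OPENSSL_VERSION_NUMBER  = 0x20000000L (always)
 *   LibreSSL 2.4.1  LIBRESSL_VERSION_NUMBER = 0x2040100fL
 * ASSUMPTION: LIBRESSL_API11_CAP marks the LibreSSL release that provides both
 * functions; 2.7.0 is a guess to be checked against the release notes.
 */
#include <stdio.h>
#include <stddef.h>

#define OPENSSL_API11_VERSION  0x10100000L
#define LIBRESSL_API11_CAP     0x2070000fL   /* assumed, see above */

/* Rule 1: plain OpenSSL version test. Wrong on LibreSSL: 0x20000000L is not
 * below 0x10100000L, so the fallbacks are skipped and the link fails with the
 * two symbols undefined. */
int compat_openssl_only(unsigned long openssl_version)
{
    return openssl_version < OPENSSL_API11_VERSION;
}

/* Rule 2: what the ITS patch did. Every LibreSSL release gets the fallbacks,
 * including future ones that ship the real functions, where the local shims
 * then clash with the library's own declarations. */
int compat_libressl_exists(unsigned long openssl_version, int is_libressl)
{
    return is_libressl || openssl_version < OPENSSL_API11_VERSION;
}

/* Rule 3: what the maintainers asked for. Compare LibreSSL's own version
 * number against the release that provides the 1.1 API. */
int compat_capped(unsigned long openssl_version, int is_libressl,
                  unsigned long libressl_version)
{
    if (is_libressl)
        return libressl_version < LIBRESSL_API11_CAP;
    return openssl_version < OPENSSL_API11_VERSION;
}

/* Rule 3 as a guard for a compat header. Active only when an OpenSSL or
 * LibreSSL header has already been included; the bodies are the usual
 * pre-1.1 equivalents, using struct members that were public then. */
#ifdef OPENSSL_VERSION_NUMBER
# if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < LIBRESSL_API11_CAP) || \
     (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < OPENSSL_API11_VERSION)
static int SSL_CTX_up_ref(SSL_CTX *ctx)
{
    CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
    return 1;
}
static int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
                              size_t *pderlen)
{
    if (i2d_X509_NAME(nm, NULL) <= 0)      /* refresh/validate the cached DER */
        return 0;
    if (pder != NULL)
        *pder = (const unsigned char *)nm->bytes->data;
    if (pderlen != NULL)
        *pderlen = (size_t)nm->bytes->length;
    return 1;
}
# endif
#endif

int main(void)
{
    /* Constructed table of the libraries discussed in the thread. */
    struct { const char *name; unsigned long osslv; int libre; unsigned long librev; } t[] = {
        { "OpenSSL 1.0.2g", 0x1000207fL, 0, 0 },
        { "OpenSSL 1.1.0",  0x10100000L, 0, 0 },
        { "LibreSSL 2.4.1", 0x20000000L, 1, 0x2040100fL },
        { "LibreSSL 2.7.0", 0x20000000L, 1, 0x2070000fL },
    };
    size_t i;
    printf("%-15s %-12s %-15s %s\n", "library", "openssl-only", "libressl-exists", "capped");
    for (i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-15s %-12d %-15d %d\n", t[i].name,
               compat_openssl_only(t[i].osslv),
               compat_libressl_exists(t[i].osslv, t[i].libre),
               compat_capped(t[i].osslv, t[i].libre, t[i].librev));
    return 0;
}
```

The row for LibreSSL 2.4.1 is the one that matters: rule 1 prints 0 there, which is the undefined-symbol link failure from the ITS, rule 2 prints 1 for every LibreSSL forever, and rule 3 prints 1 only until the cap. When the cap is raised later, the static shims disappear on the same release that makes them redundant, which is the point of comparing the number instead of testing that the macro exists.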