This is LibreSSL's response.
---------- Forwarded message ---------
From: Bob Beck <beck@obtuse.com>
Date: Tue, Jun 21, 2016 at 11:45 AM
Subject: Re: OpenSSL v1.1 API
To: Connor Taffe <cpaynetaffe@gmail.com>
Cc: libressl@openbsd.org
I would say we would plan on it "when we need it" - We will support TLS 1.3 as it stabilizes, but at this stage I couldn't say when/if particular OpenSSL'isms might be supported.
BoringSSL hasn't pulled in X509_NAME_get0_der either yet - so I think we will be taking what I would describe as a cautious and selective approach to new features from OpenSSL - During the same time as we've moved from about 750,000 lines of code at the fork to about 350,000 - OpenSSL is now over 1,000,000 lines - So we're probably not going to be about wholesale code importing from OpenSSL - We will be taking things selectively and with a degree of caution.
Of note - we *do* support a newer API - libtls - which may be more than fine for most of OpenLDAP's needs:
See http://man.openbsd.org/OpenBSD-current/man3/tls_init.3 and/or http://www.openbsd.org/papers/libtls-fsec-2015/
On Mon, Jun 20, 2016 at 09:21:43AM +0000, Connor Taffe wrote:
> Hey,
>
> Does LibreSSL plan to implement the OpenSSL v1.1 API?
>
> I've submitted a patch to OpenLDAP to allow compilation with LibreSSL
> v2.4.1. The patch currently checks if LIBRESSL_VERSION_NUMBER is defined
> and if so uses the fallback code for versions of OpenSSL < 1.1.
>
> The maintainers would like to cap the version on the LibreSSL check if
> implementation of the OpenSSL v1.1 API is planned.
>
> Specifically (to this case) OpenSSL added the SSL_CTX_up_ref function in
> commit c5ebfcab713a82a1d46a51c8c2668c419425b387 in March of this year, and
> added X509_NAME_get0_der in commit 7ab507495b86371756575d606af556b4fd74e27a
> in January of this year.
>
> ---------- Forwarded message ---------
> From: Howard Chu <hyc@symas.com>
> Date: Mon, Jun 20, 2016 at 1:38 AM
> Subject: Re: (ITS#8445) LibreSSL v2.4 compile
> To: Connor Taffe <cpaynetaffe@gmail.com>, <openldap-its@openldap.org>
>
>
> Connor Taffe wrote:
> > Fixed, attached is a patch.
>
> I'm a bit concerned that you're only checking for the existence of LIBRESSL
> instead of actually comparing the version number. Since the OpenSSL change
> is based on their v1.1 API, do you know if/when LibreSSL plans to adopt the
> new API?
>
> > On Sun, Jun 19, 2016 at 8:02 PM Howard Chu <hyc@symas.com
> > <mailto:hyc@symas.com>> wrote:
> >
> >     cpaynetaffe@gmail.com <mailto:cpaynetaffe@gmail.com> wrote:
> >      > Full_Name: Connor Taffe
> >      > Version: master
> >      > OS: Ubuntu devel
> >      > URL: ftp://ftp.openldap.org/incoming/
> >      > Submission from: (NULL) (50.25.160.41)
> >      >
> >      >
> >      > Compiling against LibreSSL v2.4.1 failed linking with
> >      > SSL_CTX_up_ref and X509_NAME_get0_der undefined. I added checking if
> >      > LIBRESSL_VERSION_NUMBER to the same conditional compilation ifs
> >      > that are defined for old versions of OpenSSL.
> >      >
> >      > https://github.com/cptaffe/openldap
> >
> >     Please read the Developer Guidelines. I'm not going to pull an
> >     arbitrary repo to find someone's patch.
> >
> >     http://www.openldap.org/devel/contributing.html
> >
> >     --
> >       -- Howard Chu
> >       CTO, Symas Corp.           http://www.symas.com
> >       Director, Highland Sun     http://highlandsun.com/hyc/
> >       Chief Architect, OpenLDAP  http://www.openldap.org/project/
> >
>
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
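The version gate Connor and Howard are discussing, written out as an added example (this is not OpenLDAP's or LibreSSL's code). The point it shows, which the thread only implies: LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so the usual `OPENSSL_VERSION_NUMBER >= 0x10100000L` test selects the 1.1 API on LibreSSL 2.4.1 even though that release lacks SSL_CTX_up_ref and X509_NAME_get0_der, which is the undefined-symbol link failure in ITS#8445. Only LIBRESSL_VERSION_NUMBER carries the LibreSSL release, so it has to be compared, not merely tested for definition. The cap value 0x2070000fL (LibreSSL 2.7.0), the macro name TLS_NEED_11_COMPAT and the function need_openssl11_compat are assumptions made here; the thread names no LibreSSL release that ships the two functions, so the cap is a placeholder to confirm against the headers you build with. The fallback bodies follow the 1.0.x struct layout, which is also what pre-1.1 OpenLDAP code relied on.

```c
/*
 * Added example (not OpenLDAP's or LibreSSL's code): gate the OpenSSL 1.1
 * additions SSL_CTX_up_ref and X509_NAME_get0_der on the real library
 * version instead of on "is LIBRESSL_VERSION_NUMBER defined".
 *
 * Why the plain numeric test fails: LibreSSL defines OPENSSL_VERSION_NUMBER
 * as 0x20000000L, so "OPENSSL_VERSION_NUMBER >= 0x10100000L" is true on
 * LibreSSL 2.4.1 although it lacks both functions (ITS#8445).  Its own
 * release lives in LIBRESSL_VERSION_NUMBER (0x2040100fL for 2.4.1).
 */
#include <stddef.h>
#include <stdio.h>

#ifdef __has_include
# if __has_include(<openssl/opensslv.h>)
#  include <openssl/opensslv.h>
# endif
#endif

/*
 * ASSUMPTION: first LibreSSL release shipping both functions.  The thread
 * names none; 2.7.0 is a placeholder to confirm against your headers.
 */
#define COMPAT_LIBRESSL_HAS_11_API 0x2070000fL

/*
 * Runtime mirror of the preprocessor gate below, so the decision can be
 * exercised with version numbers other than the one this file was built
 * with.  libressl_version == 0 means LIBRESSL_VERSION_NUMBER is undefined.
 * Returns 1 when the pre-1.1 fallback code must be compiled in.
 */
int need_openssl11_compat(unsigned long openssl_version,
                          unsigned long libressl_version)
{
    if (libressl_version != 0)
        return libressl_version < COMPAT_LIBRESSL_HAS_11_API;
    return openssl_version < 0x10100000L;
}

#if defined(OPENSSL_VERSION_NUMBER)
# if defined(LIBRESSL_VERSION_NUMBER)
#  define TLS_NEED_11_COMPAT (LIBRESSL_VERSION_NUMBER < COMPAT_LIBRESSL_HAS_11_API)
# else
#  define TLS_NEED_11_COMPAT (OPENSSL_VERSION_NUMBER < 0x10100000L)
# endif
#endif

#if defined(TLS_NEED_11_COMPAT) && TLS_NEED_11_COMPAT
# include <openssl/ssl.h>
# include <openssl/x509.h>
# include <openssl/crypto.h>

/* Pre-1.1 SSL_CTX is not opaque; bump the refcount the way 1.0.x did. */
static int SSL_CTX_up_ref(SSL_CTX *ctx)
{
    CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
    return 1;
}

/* Hand out the cached DER of a name; i2d with a NULL buffer refreshes it. */
static int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
                              size_t *pderlen)
{
    if (i2d_X509_NAME(nm, NULL) <= 0)
        return 0;
    if (pder != NULL)
        *pder = (const unsigned char *)nm->bytes->data;
    if (pderlen != NULL)
        *pderlen = nm->bytes->length;
    return 1;
}
#endif

int main(void)
{
#ifdef TLS_NEED_11_COMPAT
    printf("headers found at build time, fallback %s\n",
           TLS_NEED_11_COMPAT ? "compiled in" : "not needed");
#else
    printf("no OpenSSL/LibreSSL headers found at build time\n");
#endif
    printf("OpenSSL 1.0.2g : %s\n",
           need_openssl11_compat(0x1000207fL, 0) ? "fallback" : "native");
    printf("OpenSSL 1.1.0  : %s\n",
           need_openssl11_compat(0x1010000fL, 0) ? "fallback" : "native");
    printf("LibreSSL 2.4.1 : %s\n",
           need_openssl11_compat(0x20000000L, 0x2040100fL) ? "fallback" : "native");
    return 0;
}
```

Build it against the library you ship with (`cc -o gate gate.c` is enough; the shim is only compiled in on pre-1.1 OpenSSL or an old LibreSSL, and then links against `-lssl -lcrypto` like the rest of the program). Whatever value you settle on for the cap, it is the "cap the version on the LibreSSL check" Howard asked for: once LibreSSL reaches it, the shim drops out and the library's own SSL_CTX_up_ref and X509_NAME_get0_der are used.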