
Re: OpenSSL 1.1.0



Hi,

Just random thoughts…

Kurt Roeckx <kurt@roeckx.be> (2016-11-01):
> I just uploaded OpenSSL 1.1.0 to unstable. There are still many
> packages that fail to build using OpenSSL 1.1.0. For most packages
> it should be easy to migrate to 1.1.0. The most common problems when
> going to OpenSSL 1.1.0 are:
> - configure trying to detect a function that's now a macro.
> - Accessing members of structures that have now become opaque. You
>   now need to use functions to get or set them.
> 
> The changes required are usually very easy and do not take a long
> time to implement.
> 
> Many upstream projects have already done the work or are working
> on it. Fedora is also doing the OpenSSL 1.1.0 migration. So both
> places are a good place to look at to see if they have already
> done the work.
> 
> There might also be packages for which the changes are more
> involved and that can't be fixed in time for the release. If you
> want to stay with OpenSSL 1.0.2 you need to change your Build-Depends
> from libssl-dev to libssl1.0-dev.
> 
> I would like to encourage that at least the packages that are
> making use of libssl and not just libcrypto move to OpenSSL 1.1.0
> because it contains important new features. It adds support for,
> among other things:
> - Extended master secret: This fixes the triple handshake problem
>   in TLS.
> - Chacha20-poly1305
> - X25519

Things that work fine for this kind of transition (hello, new gcc
upstream releases) include:
 - pointers to upstream release notes;
 - pointers to porting guides;
 - pointers to existing patches for common fixes if the former don't
   exist just yet (but then that would be a rather unprepared move).

(Mentioning “many upstream projects” and “Fedora” is better than nothing
but isn't as helpful as what I've listed above.)

> If you have any problems feel free to contact us.

 - are “you” <pkg-openssl-devel@lists.alioth.debian.org>?


KiBi.
