
Re: OpenSSL 1.1.0



Marco d'Itri:
> On Nov 14, Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> wrote:
> 
>> And yes, I would step back and switch libssl-dev to provide libssl1.0-dev and 
>> have libssl1.1-dev around for anyone who can really do the switch.
> I would not: OpenSSL 1.0 does not support ChaCha20 so it would be a very 
> bad default for next year's release.
> Bad enough that I would have to use a different distribution for some 
> web servers.
> 

At the moment, the maintainers of apache2 are picking the openssl 1.0
route.  So at this rate, you would not get ChaCha20 for apache2 in
stretch anyway even if ssl1.1 stays the "default"... :-/

The alternative for ChaCha20 would be to adopt Cloudflare's patches[1],
but that sort of assumes that you are only interested in openssl 1.1 for
ChaCha20 (and not the other changes).

Thanks,
~Niels

[1] https://github.com/cloudflare/sslconfig/tree/master/patches


