
Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Consus <consus_at_ftml.net>
Date: Thu, 15 Feb 2018 13:39:14 +0300

On 11:23 Thu 08 Feb, William Pitcock wrote:
> Hello,
>
> To start off, I would like to say that when we first switched to
> libressl, it was largely as a reaction to what we perceived as bad
> maintenance being done in openssl. At the time, it was a perfectly
> reasonable and valid reaction.
>
> There were other reasons to care, too: the libressl guys were working
> to relicense as much of libressl as possible under ISC license.
>
> But openssl 1.1 has a different situation: Akamai and the Core
> Infrastructure Initiative have come together to sponsor development
> and maintenance of openssl since we switched, which means that there's
> higher quality maintenance occurring now. They are also working on a
> relicensing process, much like the libressl guys are doing, which has
> a larger scope[1]. Meanwhile, the libressl guys have been removing
> functionality we depend on, such as support for hardware accelerators
> (ENGINE apis), switching from 64-bit TAIN date calculations to time_t
> (because time_t is good enough on OpenBSD) and dropping openssl 1.0.1
> APIs they see as unsuitable.
>
> libressl promised to retain compatibility with 1.0.1g APIs, but has
> failed to do so. As such, there is an increasing workload to keep
> packages compatible with libressl as it evolves. Therefore, it is
> obviously not truly a suitable provider for the openssl package, and
> we should switch back to proper openssl as the default. We will
> however retain libressl for packages which require it (for example,
> ones using the new libtls APIs).
>
> If there is no objection to this proposed change, I intend to do the
> swap next week.

Seems like the LibreSSL team is starting to support the OpenSSL 1.1 API:

commit 3a94b192e7c26a9092dae24d992de50398beaa1a
Author: jsing <jsing_at_openbsd.org>
Date: Wed Feb 14 16:32:06 2018 +0000

    Start providing parts of the OpenSSL 1.1 API.
    
    This will ease the burden on ports and others trying to make software
    work with LibreSSL, while avoiding #ifdef mazes. Note that we are not
    removing 1.0.1 API or making things opaque, hence software written to
    use the older APIs will continue to work, as will software written to
    use the 1.1 API (as more functionality becomes available).
    
    Discussed at length with deraadt_at_ and others.


Received on Thu Feb 15 2018 - 13:39:14 GMT