Re: [exim] Future OpenSSL configuration: sketch 1

Author: The Doctor
Date:  
To: exim-users
Subject: Re: [exim] Future OpenSSL configuration: sketch 1
On Mon, Apr 09, 2018 at 04:46:57PM -0400, Phil Pennock via Exim-users wrote:
> On 2018-04-09 at 08:14 +0200, Kirill Miazine via Exim-users wrote:
> > Hi, Phil
> > * Phil Pennock via Exim-users [2018-04-08 17:24]:
> > [...]
> > > We've said "we only support versions of OpenSSL supported by the
> > > upstream project", so now it's time to take advantage of that.
> >
> > So LibreSSL is not supported officially, is it? If it breaks, it breaks,
> > and Exim should be built with OpenSSL?
>
> Exim is a volunteer project, we live on patches. Our history is full of
> features and support provided by drive-by patches, which were massaged
> to be somewhat maintainable. Jeremy, Todd and Heiko have done a lot of
> work rounding out our test suite to remediate some of the negative
> consequences of that.
>
> When working across multiple choices of provider for a given interface,
> the usual approach is a bridge pattern, where we stick to one simpler
> subset of functionality and plugging in other providers can satisfy that
> bridge.
>
> If LibreSSL is going to continue to diverge, and if anyone cares enough
> to provide patches, then we could easily have a `tls-libressl.c` file
> which _implements_ the `SSL_CONF_cmd()` API, dispatching relevant
> text-based calls to the correct feature-specific SSL_CTX manipulating
> functions.
>


I know FreeBSD Porters are compensating for LibreSSL.
Maybe the porters can add the code for you.

> As someone maintaining an application built on SSL libraries, and
> needing to provide tuning to multiple end-sites, while doing too much
> already in terms of propagating SSL options and such like, I think that
> the SSL_CONF_cmd() API is a great idea. That it would let us change our
> configuration to be more extensible, more flexible, easier to maintain
> and generally more _useful_, for _less_ ongoing maintenance, is A Good
> Thing. I encourage folks to look carefully at what I proposed and how
> easy it is to implement with this API and consider if their library
> should support it too.
>
> At present, we "support" GnuTLS and OpenSSL. If anything else happens
> to work, that's great for you. If it breaks, you can either keep the
> pieces or provide patches to make it work again, in a way which is
> maintainable going forward.
>
> We've been saying, including on the -announce list, for the past few
> _years_ that we'll only support versions of OpenSSL which are supported
> upstream and that "some release Real Soon Now" would break compatibility
> with older versions.
>


Like OpenSSL 1.1.1?

I have yet to try.

> -Phil
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
It is through creating, not possessing, that life is revealed. -Vida D. Scudder
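The bridge Phil sketches in the quoted text above, a `tls-libressl.c` that implements the `SSL_CONF_cmd()` shape and dispatches text commands to feature-specific context-manipulating functions, looks roughly like the following. This is an added illustration, not Exim's code, not OpenSSL's, and not posted by anyone on this thread; the `tls_ctx` struct, the `OPT_*` bit values, the protocol codes and the command names it accepts are stand-ins chosen for the example, though the return-code convention (2 = command and value consumed, -2 = unknown command, -3 = value missing, 0 = value rejected) and the `Options` list syntax follow what `SSL_CONF_cmd()` documents.

```c
/* Added example, not Exim's code and not OpenSSL's: a small text-command
 * dispatcher in the shape of SSL_CONF_cmd(), the kind of shim a hypothetical
 * tls-libressl.c could provide for a library without the API.  The context
 * struct, option bits and protocol codes are stand-ins for this example. */
#include <stdio.h>
#include <string.h>

struct tls_ctx {                /* stand-in for SSL_CTX */
    int min_proto;              /* 0 = no lower bound */
    unsigned long options;      /* bitmask of OPT_* */
    char cipher_string[128];
};

#define OPT_SESSION_TICKET    0x01UL   /* assumed bit values, not SSL_OP_* */
#define OPT_SERVER_PREFERENCE 0x02UL
#define OPT_COMPRESSION       0x04UL

/* Return codes mirror SSL_CONF_cmd(): 2 consumed, -2 unknown, -3 missing, 0 bad */
enum { CONF_OK = 2, CONF_UNKNOWN = -2, CONF_MISSING = -3, CONF_BAD = 0 };

static int cmd_min_proto(struct tls_ctx *ctx, const char *v)
{
    static const struct { const char *name; int code; } tab[] = {
        { "TLSv1", 0x0301 }, { "TLSv1.1", 0x0302 },
        { "TLSv1.2", 0x0303 }, { "TLSv1.3", 0x0304 },
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tab[i].name, v) == 0) { ctx->min_proto = tab[i].code; return CONF_OK; }
    return CONF_BAD;
}

/* "Options" is a comma-separated list; a leading '-' clears a flag, anything
 * else sets it (OpenSSL's own syntax).  The whole list is validated before the
 * context is touched, so a typo cannot leave a half-applied configuration. */
static int cmd_options(struct tls_ctx *ctx, const char *v)
{
    static const struct { const char *name; unsigned long bit; } tab[] = {
        { "SessionTicket", OPT_SESSION_TICKET },
        { "ServerPreference", OPT_SERVER_PREFERENCE },
        { "Compression", OPT_COMPRESSION },
    };
    unsigned long set = 0, clear = 0;
    char buf[128];
    if (strlen(v) >= sizeof buf) return CONF_BAD;
    strcpy(buf, v);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int neg = (*tok == '-');
        const char *name = neg ? tok + 1 : tok;
        unsigned long bit = 0;
        for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
            if (strcmp(tab[i].name, name) == 0) bit = tab[i].bit;
        if (!bit) return CONF_BAD;          /* unknown flag: reject, change nothing */
        if (neg) clear |= bit; else set |= bit;
    }
    ctx->options = (ctx->options & ~clear) | set;
    return CONF_OK;
}

static int cmd_cipher_string(struct tls_ctx *ctx, const char *v)
{
    if (strlen(v) >= sizeof ctx->cipher_string) return CONF_BAD;
    strcpy(ctx->cipher_string, v);
    return CONF_OK;
}

/* The bridge itself: one table from command name to the feature-specific
 * context-manipulating function, so callers only ever speak the text interface. */
static const struct {
    const char *name;
    int (*fn)(struct tls_ctx *, const char *);
} commands[] = {
    { "MinProtocol",  cmd_min_proto },
    { "Options",      cmd_options },
    { "CipherString", cmd_cipher_string },
};

int tls_conf_cmd(struct tls_ctx *ctx, const char *cmd, const char *value)
{
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++) {
        if (strcmp(commands[i].name, cmd) != 0) continue;
        return value ? commands[i].fn(ctx, value) : CONF_MISSING;
    }
    return CONF_UNKNOWN;
}

/* Demo context: starts with session tickets on, as a site might ship it. */
struct tls_ctx demo_ctx = { 0, OPT_SESSION_TICKET, "" };

int main(void)
{
    printf("%d\n", tls_conf_cmd(&demo_ctx, "MinProtocol", "TLSv1.2"));
    printf("%d\n", tls_conf_cmd(&demo_ctx, "Options", "-SessionTicket,ServerPreference"));
    printf("%d\n", tls_conf_cmd(&demo_ctx, "NoSuchCommand", "x"));
    printf("min=%#x options=%#lx\n", demo_ctx.min_proto, demo_ctx.options);
    return 0;
}
```

The point for a site-tuning exercise is the return codes: an application built on this bridge can read `openssl_options`-style strings from its configuration, pass them through one call, and distinguish "this library does not know that command" (-2) from "the value was wrong" (0), rather than carrying per-feature `#ifdef`s for every provider.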