Re: [exim] [matt@openssl.org: Re: [openssl-users] openssl 1.…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] [matt@openssl.org: Re: [openssl-users] openssl 1.0.2 and TLS 1.3]


> On Sep 11, 2018, at 5:35 PM, Phil Pennock <pdp@???> wrote:
>
> My proposal to change the OpenSSL API we use ran into the need to
> basically recreate the framework, because of LibreSSL declining to
> implement that new API.


LibreSSL is basically OpenSSL 1.0.2, you don't have to wait for
LibreSSL to implement the new API. Rather, just treat OpenSSL 1.0.2
and LibreSSL interchangeably, and define the accessor macros to
in either case.

> It will be interesting to watch to see what LibreSSL does about TLS 1.3
> and that is likely to influence the course of action for Exim.


I don't think that waiting makes sense, just move on. The port should
be trivial. If you continue to support both OpenSSL and LibreSSL (I
would drop the latter...), then the main downside is that you need
to retain the legacy DANE code, and just drop it in favour of the
DANE support in OpenSSL 1.1.x. Between GnuTLS and OpenSSL you
probably have enough supported TLS versions, and OpenBSD have
their own MTA they're working on...

-- 
    Viktor.