Re: [exim-dev] DANE library for Exim + OpenSSL and upcoming …

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] DANE library for Exim + OpenSSL and upcoming OpenSSL 3.0.0 release.
On 12/08/2021 05:06, Viktor Dukhovni via Exim-dev wrote:
> The upcoming OpenSSL 3.0.0 release is now in beta and should ship some time in the next few months.
> This brings some low level changes to the library, that don't affect most applications, but may require
> changes in the legacy standalone DANE library I wrote for OpenSSL 1.0.0+.
>
> While the changes look largely manageable, I'd rather not continue to maintain the legacy
> DANE library in perpetuity, given that OpenSSL 1.1.0 and later have built-in DANE support.
>
> With OpenSSL 1.0.2 long EOL, is there any chance that newer versions of Exim could set the
> floor OpenSSL version to 1.1.1 and migrate to use the built-in DANE support? I can offer
> some help to get you there, and then retire the standalone library for good...


I tried (rather briefly) to reactivate my openssl build environment so as to see
what works and doesn't under the current nearly-3.0.0 OpenSSL. But it seems to
be bust, and it's one of those things that is far too convoluted to work on.

I'm quite expecting Exim to start breaking horribly, when 3.0.0 appears on real
systems.


I've occasionally considered working on a move to the native DANE support, under
both OpenSSL and GnuTLS (which we officially support). But I expect it to be a whole
bunch of work, and invasive to the point of horribly complexifying the Exim
codebase.
(Likewise, so will fixing whatever 3.0.0 breaks for us, since we cannot drop support
for earlier versions.)

You might guess that my enthusiasm is rather low, here.

Then there's the LibreSSL question. I've never found any decent docs for it; we
only discover issues where it differs from OpenSSL one at a time. Currently we
manage this with a raft of feature-macros, just like we have to for OpenSSL versions.
Do you know if LibreSSL has the same DANE APIs as OpenSSL?


As far as dropping support for earlier OpenSSL versions goes: there is at least
one system in the buildfarm not operated by me and running with OpenSSL 1.0.1s
- a Solaris 10. I assume that means there is at least one person out there still
interested in operating Exim on systems of that vintage, even though the OpenSSL
project calls it End Of Life.
--
Cheers,
Jeremy