[OmniOS-discuss] OpenSSL futures
Lauri Tirkkonen
lotheac at iki.fi
Tue Apr 5 03:58:51 UTC 2016
On Mon, Apr 04 2016 22:15:12 +0100, Peter Tribble wrote:
> On Thu, Mar 31, 2016 at 3:40 PM, Dan McDonald <danmcd at omniti.com> wrote:
> > I'm starting this thread to hear what the community has to say about where
> > OmniOS should go w.r.t. its OpenSSL release. I have internal customers
> > too, of course, but I'll engage them separately. We need to have an
> > OpenSSL because illumos requires one. We *could* do the SmartOS thing and
> > keep our own SUNW/OMNI*...() api set, though.
> >
>
> They have to play those games because they ship 2 different openssl
> instances,
> though. (One with the platform, one via pkgsrc or whatever.) If you hide
> the internal
> copy, you still have to manage (or someone does, at any rate) compatibility
> and
> releases of the public copy. The problem doesn't go away, you just sweep it
> under
> someone else's carpet.
Here's another viewpoint though: I would like to choose the SSL
implementation used in my application stack, so I want this problem
under my carpet. Not just because I believe it has security benefits
(eg. getting ssl2 *actually* disabled; it couldn't be disabled in the
OmniOS shipped OpenSSL because that broke binary compatibility), but
also because my SSL library of choice ships a sane API (libtls [0]). If
OmniOS keeps shipping OpenSSL as a mandatory component *without*
changing its symbol names, I can't do what I want in my application
stack.
> Users will have binaries linked against the existing openssl libraries, and
> those
> need to continue to run.
OmniOS has removed (ie. stopped shipping) some other libraries in the
past [1], but I understand the OpenSSL story might be a little
different. Perhaps there's a middle ground here though: it seems like
you and I would both be happy if OmniOS kept shipping OpenSSL, but made
it optional (although then obviously it would have to have another copy
with mangled symbol names for the things illumos needs it for).
[0]: http://man.openbsd.org/OpenBSD-current/man3/tls_accept_fds.3
[1]: eg. 151006 removed several libraries, including libgnutls and
libgcrypt. http://omnios.omniti.com/wiki.php/ReleaseNotes/r151006
--
Lauri Tirkkonen | lotheac @ IRCnet
More information about the OmniOS-discuss
mailing list