Discussion:
Status of OpenSSL 1.1.1
Eric McCorkle
2018-08-01 10:45:46 UTC
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Incidentally, if there's something I can do to help out with integrating
1.1.1 into base, I'd potentially be interested.
Warner Losh
2018-08-01 13:02:46 UTC
Post by Eric McCorkle
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

Warner

Post by Eric McCorkle
Incidentally, if there's something I can do to help out with integrating
1.1.1 into base, I'd potentially be interested.
Eric McCorkle
2018-08-01 14:05:28 UTC
Post by Eric McCorkle
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Post by Warner Losh
There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

I was going to look into the feasibility of doing something like what
LibreSSL does with portable, where they extract a subset of the full
library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really
ought to be done in a tree with 1.1.1 integrated.
Benjamin Kaduk
2018-08-02 23:45:19 UTC
Post by Eric McCorkle
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Post by Warner Losh
There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

Post by Eric McCorkle
I was going to look into the feasibility of doing something like what
LibreSSL does with portable, where they extract a subset of the full
library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really
ought to be done in a tree with 1.1.1 integrated.

It wouldn't be terribly easy or effective, IMO. OpenSSL wasn't designed
with such modularity in mind.

-Ben
Warner Losh
2018-08-03 08:44:09 UTC
Post by Eric McCorkle
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Post by Warner Losh
There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

Post by Eric McCorkle
I was going to look into the feasibility of doing something like what
LibreSSL does with portable, where they extract a subset of the full
library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really
ought to be done in a tree with 1.1.1 integrated.

Post by Benjamin Kaduk
It wouldn't be terribly easy or effective, IMO. OpenSSL wasn't designed
with such modularity in mind.

Others that have tried have found OpenSSL to be way too large for the boot
loader and completely impossible to subset enough to get things small
enough due to the intertwingled nature of things.

Warner
Eric McCorkle
2018-08-03 11:02:18 UTC
Post by Warner Losh
On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Post by Warner Losh
There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

Post by Eric McCorkle
I was going to look into the feasibility of doing something like what
LibreSSL does with portable, where they extract a subset of the full
library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really
ought to be done in a tree with 1.1.1 integrated.

Post by Benjamin Kaduk
It wouldn't be terribly easy or effective, IMO. OpenSSL wasn't designed
with such modularity in mind.

Post by Warner Losh
Others that have tried have found OpenSSL to be way too large for the
boot loader and completely impossible to subset enough to get things
small enough due to the intertwingled nature of things.

To what extent, if any, does this change in 1.1.1, though?
Benjamin Kaduk
2018-08-04 22:03:49 UTC
Post by Eric McCorkle
Post by Warner Losh
On Wed, Aug 1, 2018, 12:31 PM Eric McCorkle wrote:
Hi folks,

I'm wondering what's the status of OpenSSL 1.1.1 integration into base?
More specifically, is there a repo or a branch that's started the
integration? I'm aware of the wiki page and the list of port build
issues, but that seems to be based on replacing the base OpenSSL with a
port build (similar to the way one replaces it with LibreSSL).

I have some work I'd like to do that's gating on sorting out the
kernel/loader crypto situation, and I'd very much like to see OpenSSL
1.1.1 get merged, so I can start to look into doing that.

Post by Warner Losh
There are patches to use BearSSL for the loader. OpenSSL is simply too
large to use due to limits the loader operates under.

Post by Eric McCorkle
I was going to look into the feasibility of doing something like what
LibreSSL does with portable, where they extract a subset of the full
library designed to be embedded in the kernel, loader, etc.

I think it ought to be possible to do something like that, but it really
ought to be done in a tree with 1.1.1 integrated.

Post by Benjamin Kaduk
It wouldn't be terribly easy or effective, IMO. OpenSSL wasn't designed
with such modularity in mind.

Post by Warner Losh
Others that have tried have found OpenSSL to be way too large for the
boot loader and completely impossible to subset enough to get things
small enough due to the intertwingled nature of things.

Post by Eric McCorkle
To what extent, if any, does this change in 1.1.1, though?

Probably not enough -- while libssl got a bit reorganized, libcrypto hasn't
changed much.

-Ben
