On Thu, 2 Apr 2015 16:49:20 -0700 "Paul B. Henson" <hen...@acm.org> wrote:
> What is the current status/thoughts regarding libressl? Reviewing the
> bug and some past threads, it sounds like the initial plan was to make
> openssl a virtual and let either classic openssl or libressl fulfill
> it? I'm not sure if things have changed from that viewpoint, but it
> really doesn't seem they're going to be plug and play compatible 8-/.
> libressl offers functionality openssl doesn't and vice versa, and
> playing nicely with each other doesn't seem to be on the agenda of
> either.

The latest state is that there is an overlay, but making the portage tree
compatible with libressl is not that trivial. A large number of core packages
are upstream-incompatible with libressl. Most of them are actually programming
languages (python, php, ruby) that contain bindings to functions libressl has
removed. This could be fixed by the upstreams with some ifdefs, but right now
you can't just switch out libressl.

> It seems it might make more sense to treat them more like
> openssl and gnutls, where they both provide similar ssl functionality
> but a given package might use one, the other, or either?

Tricky thing here, because then you'd need to rename the libs. E.g. libssl to
liblibressl or something. But then every program with a build environment to
link to libssl would first have to be patched to link to our specialized
libressl variant.

> The specific reason for my current inquiry is that the latest openntpd
> release includes the new support from openbsd for "constraints", where
> basically you can verify ntp time sources by checking their time
> relative to a trusted TLS server (which provides the time in HTTP
> headers). This functionality requires libtls, part of libressl.
> openssl provides no compatible functionality, so this is a case where
> they're not plug-and-play, openntpd requires libressl specifically.

I'm eager to use that, too, and was disappointed to read it requires
libressl :-) Is there a way to split libtls off libressl? Because that might
be at least for this case an option: Continue to use openssl, but have libtls
lying around. Not sure if it is possible to have libtls using libcrypt/libssl
functions from openssl.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
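The "constraints" mechanism discussed in the thread (checking an NTP source's time against the Date header a trusted TLS server returns) can be illustrated with a small worked example. The following is added here as an illustration and is not openntpd's code nor part of the original mail; the HTTP response is constructed, the `CONSTRAINT_MARGIN` value is an assumption, and the TLS connection itself is left out so the check runs offline on the captured headers.

```python
"""Illustrative constraint check: accept an NTP-derived time only if it lies
close to the time a trusted, TLS-authenticated HTTPS server reported in its
HTTP Date header. Not openntpd's implementation; data below is constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed response headers, as a TLS-authenticated HEAD request to a
# trusted server might return them. The Date header has 1-second resolution,
# so the comparison below is inherently coarse.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 02 Apr 2015 23:49:20 GMT\r\n"
    b"Server: example\r\n"
    b"\r\n"
)

# Assumed margin (seconds): how far an NTP time may drift from the
# TLS-obtained time before the NTP source is rejected as a constraint
# violation. The real daemon picks its own value.
CONSTRAINT_MARGIN = 900


def http_date_unix(raw_response: bytes) -> int:
    """Return the Date header of a raw HTTP response as a Unix timestamp.

    Only the header block is inspected; the header name is matched
    case-insensitively and the value must carry a timezone, otherwise the
    response is rejected rather than guessed at."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            parsed = parsedate_to_datetime(value.strip().decode("ascii"))
            if parsed.tzinfo is None:
                raise ValueError("Date header lacks a timezone")
            return int(parsed.astimezone(timezone.utc).timestamp())
    raise ValueError("no Date header in response")


def ntp_time_acceptable(ntp_unix: float, raw_response: bytes,
                        margin: int = CONSTRAINT_MARGIN) -> bool:
    """True if the NTP time is within `margin` seconds of the server's Date.

    The Date header is only trustworthy if the connection that produced it
    was authenticated (certificate verified against the trust store); this
    function assumes that already happened."""
    constraint_time = http_date_unix(raw_response)
    return abs(ntp_unix - constraint_time) <= margin


if __name__ == "__main__":
    ref = http_date_unix(SAMPLE_RESPONSE)
    print("constraint time:", datetime.fromtimestamp(ref, timezone.utc))
    print("ntp +60s accepted:", ntp_time_acceptable(ref + 60, SAMPLE_RESPONSE))
    print("ntp +2h accepted:", ntp_time_acceptable(ref + 7200, SAMPLE_RESPONSE))
```

The check is deliberately coarse: its purpose is not to synchronise the clock from the HTTPS server but to reject an NTP source that is grossly wrong, which is why the authenticity of the TLS connection matters more than the precision of the Date header.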