On 25.02.19 at 07:29, Stefan Strogin wrote:
> Hi Arne,
>
> Thanks for the reply. Please see my comments and a clarifying question below.
>
> On 24/02/2019 03:28, Arne Schwabe wrote:
>> And I
>> am getting quite fed up with the way that LibreSSL does API compatibility. It
>> claims to support OpenSSL 2.0.0 API when it clearly doesn't.
>
> Sorry, but LibreSSL officially claims only compatibility with OpenSSL 1.0.1:
> https://github.com/libressl-portable/portable
> However, practically most of OpenSSL 1.1 API is supported by LibreSSL.

I am speaking about the value of OPENSSL_VERSION_NUMBER and iirc that one is set to something that equals OpenSSL 2.0.0. Which is the main cause of these problems that we run into.

> AFAIK in theory OpenSSL >=1.1.1 can be built without TLS 1.3 support, unlikely
> in practice though.
> Which ifdef will you prefer?

Hm, both have advantages. But if we can fix the rare corner case of OpenSSL 1.1.1 without TLS_13 then let's go for the TLS1_3_VERSION variant.

>
> Regarding SSL_get1_supported_ciphers. [Based upon current LibreSSL release
> schedule (2.9.x is a current development branch which will be part of
> OpenBSD 6.5) and that this method was added soon after 2.9.0 release],
> I think it will be correct:
> #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
>     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2090100fL)

Are there really LibreSSL versions that do not define LIBRESSL_VERSION_NUMBER that are worth supporting? Otherwise I would prefer to have only the LIBRESSL_VERSION_NUMBER < 0x2090100fL or inverted and >,. Need to double check what is true for undefined things.

>
> I also see other 'defined(LIBRESSL_VERSION_NUMBER)' ifdefs that don't specify
> exact LibreSSL version number. I agree that it is not correct, and it is not
> nice to force deprecated functions on users of newer LibreSSL, when newer API
> is available. So if you don't mind I'll try to fix them as well in a follow-up
> patch.

That would be a good improvement indeed.

Arne
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
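The question in the mail about what a version guard does when a macro is undefined, as an added example that is not part of the original message or of OpenVPN's code: in a C `#if`, an identifier that is not a defined macro evaluates as 0. The version numbers below are constructed stand-ins for the real library headers, and the function names are hypothetical; each function returns 1 when the guard would select the fallback for `SSL_get1_supported_ciphers`.

```c
#include <stdio.h>

/* Constructed stand-in for genuine OpenSSL 1.1.1: no LibreSSL macro at all. */
#define OPENSSL_VERSION_NUMBER 0x1010100fL
static int bare_on_openssl_111(void) {
#if LIBRESSL_VERSION_NUMBER < 0x2090100fL /* undefined identifier counts as 0 */
    return 1; /* fallback selected although the library has the function */
#endif
    return 0;
}
static int combined_on_openssl_111(void) {
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2090100fL)
    return 1;
#endif
    return 0;
}

/* Constructed stand-in for LibreSSL 2.8.3, reporting an OpenSSL 2.0.0 number. */
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x20000000L
#define LIBRESSL_VERSION_NUMBER 0x2080300fL
static int combined_on_libressl_283(void) {
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2090100fL)
    return 1; /* older LibreSSL: fallback is needed */
#endif
    return 0;
}

/* Constructed stand-in for LibreSSL 2.9.1, the threshold named in the mail. */
#undef LIBRESSL_VERSION_NUMBER
#define LIBRESSL_VERSION_NUMBER 0x2090100fL
static int combined_on_libressl_291(void) {
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2090100fL)
    return 1;
#endif
    return 0;
}

int main(void) {
    printf("OpenSSL 1.1.1: bare=%d combined=%d\n",
           bare_on_openssl_111(), combined_on_openssl_111());
    printf("LibreSSL 2.8.3: combined=%d, LibreSSL 2.9.1: combined=%d\n",
           combined_on_libressl_283(), combined_on_libressl_291());
    return 0;
}
```

Building with `-Wundef` makes the compiler report the bare comparison against the undefined macro.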