libgit2 / objective-git

Objective-C bindings to libgit2
MIT License

Update openssl to 1.0.2o #652

Closed tiennou closed 6 years ago

tiennou commented 6 years ago

@pks-t mentioned CVEs against the version we're using, so let's update.

Extracted from #645, because that fix will need more work.

tiennou commented 6 years ago

I'd like to propose switching libssh2's backend to mbedTLS, because I don't think #648 can be realistically made to work without any external dependencies.

@pietbrauer @phatblat Opinions?

phatblat commented 6 years ago

I haven't heard of mbedTLS before, but I'm game as long as there's a decent community to support it and we can build it on Apple platforms. Would this replace the CommonCrypto used by macOS in libssh2?

As for the license, they say it is dual licensed as both Apache 2 or GPL 2. I would think we'd want to use Apache 2 so that it would be compatible with this repo's MIT license. I just want to make sure people can use this repo to build apps that they make money from, without having to give away the source code. It looks like they have the Apache 2 license in their github repo, so probably a non-issue.

phatblat commented 6 years ago

What version of OpenSSL does this PR bring us up to? Are we on 1.0.2p-dev now as the readme in the OpenSSL_1_0_2-stable branch says?

tiennou commented 6 years ago

It seems the world moved since I updated my submodule, so I've pointed it at 1.0.2o which was released 27/03 instead of tracking stable.

Would this replace the CommonCrypto used by macOS in libssh2?

We don't have that, and AFAICT we're not likely to have it (see #648). Arguably, I'm not even sure of my reasons for asking a change, since whatever we do we'd have to package ourselves, it just felt like mbedTLS might be easier but it's a hunch.
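The pinning tiennou describes above (a release tag such as 1.0.2o rather than the moving OpenSSL_1_0_2-stable branch, which reports itself as 1.0.2p-dev) is something a build can verify. The script below is an added example, not code from objective-git or libgit2: it reads OPENSSL_VERSION_TEXT from an opensslv.h file and fails when the vendored copy is a "-dev" snapshot or does not match the pinned release. The two sample headers are constructed; the path of the real header inside the submodule is assumed to be passed as the first argument.

```sh
#!/bin/sh
# Added example (not part of objective-git or libgit2): check that the vendored
# OpenSSL is pinned at a real release, not a "-dev" snapshot of a stable branch.
# OpenSSL 1.0.2 reports its version in crypto/opensslv.h as, for example:
#   # define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2o  27 Mar 2018"

# Print the version token (e.g. "1.0.2o") found in an opensslv.h file.
openssl_version_from_header() {
    sed -n 's/^# *define OPENSSL_VERSION_TEXT *"OpenSSL \([^ ]*\).*/\1/p' "$1"
}

# Succeed only when the header reports exactly the expected release.
# Exit status: 0 match, 1 mismatch, 2 development snapshot ("-dev").
check_pinned_release() {
    expected="$1"
    version=$(openssl_version_from_header "$2")
    case "$version" in
        *-dev*)
            echo "OpenSSL $version is a development snapshot, not a release" >&2
            return 2 ;;
        "$expected")
            echo "OpenSSL $version matches the pinned release"
            return 0 ;;
        *)
            echo "OpenSSL '$version' does not match pinned $expected" >&2
            return 1 ;;
    esac
}

# Constructed sample headers mirroring the two states discussed in the PR:
# a tagged release and a snapshot of the stable branch.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2o  27 Mar 2018"\n' \
    > "$tmpdir/release.h"
printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2p-dev  xx XXX xxxx"\n' \
    > "$tmpdir/dev.h"

# Stand-alone use: pass the submodule's crypto/opensslv.h as the first argument
# (assumed path); without one, the constructed release header is checked.
check_pinned_release 1.0.2o "${1:-$tmpdir/release.h}"
```

Run it from a CI step after `git submodule update` so a submodule pointer that drifts back onto the stable branch fails the build instead of silently shipping a -dev OpenSSL.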

phatblat commented 6 years ago

Ah, that's right. Well, it would be nice to get rid of openssl.

phatblat commented 6 years ago

Can you rename the PR to reflect the version?

tiennou commented 6 years ago

:shipit: