Shibboleth and OpenSSL 1.1

Ferenc Wágner wferi at
Sun Oct 30 12:04:48 UTC 2016

"Cantor, Scott" <cantor.2 at> writes:

>> Well, xmltooling has grown an openssl1.1 branch upstream and
>> is active (though
>> not optimistic).
> It's making progress. There are no plans to release anything before
> late 2017 and even that depends on the funding situation and the
> Board's decision about priorities.  [technicalities elided]

Many thanks for the overview, Scott.  If I understand you right,
Santuario is only the tip of the iceberg: XMLTooling, OpenSAML and the
SP use the structure fields exposed by OpenSSL 1.0 to do their job, and
it isn't yet clear whether 1.1 provides the necessary interface at all.
Which means switching to 1.1 for Debian stretch (which is expected to
freeze in January) is practically impossible.

softened up significantly: now it looks like OpenSSL 1.0 will be
included in stretch (maybe even as the default version), which makes it
possible to keep the Shibboleth SP stack in the distribution.

>> mentions OpenSSL 1.1 as a non-issue, I'm somewhat baffled by #828607,
>> but it certainly looks genuine.
> Santuario does not yet support 1.1

That agrees with reality, but then what does the last sentence of that
page mean?  "Note that for OpenSSL 1.1 the
<AdditionalLibraryDirectories>  stanzas should be changed as
appropriate" (also missing a full stop).

> the patches are probably checked in somewhere or possibly in our Jira,
> I know Rod sent them to me for review.

I'd be interested to have a look, but I failed to find them in Jira or
the Santuario SVN repo.  Could you please provide some pointer?

More information about the Pkg-shibboleth-devel mailing list