[Bro] Bro and OpenSSL 1.1

Hilko Bengen bengen--bro at hilluzination.de
Tue Nov 29 00:30:41 PST 2016

* Johanna Amann:

> Hello Hilko,
>> as Debian is transitioning to using OpenSSL 1.1 in the upcoming release
>> (9.x "stretch"), we are forced to deal with widespread API breakage
>> because many data structures that had previously been considered part of
>> the API have been made opaque. Many of these changes are fairly easy to
>> implement by using getter/setter functions instead. (The main time-sink
>> for me was locating those functions in the OpenSSL sources.)
> Thanks a lot for doing this; I was aware that we will have to do that at
> some point of time, but I have not really looked into this myself.

I initially though that Debian would ship its next release without
OpenSSL 1.0, but this is not the case, so I have disabled the patches
for the package for the time being.

> Just to make sure - the OpenSSL 1.1 API is incompatible to the older API?
> (If the answer is yes - as I assume - this will mean quite a few
> ifdefs...)

Yes. A bunch of structs have been made opaque and can now only be
accessed through getter/setter calls. Which in general is a Good Thing.

>> For the bro package, some work-in-progress patches can be found in our
>> bug tracking system[1].
> Thanks. Can we just use the patches as a starting point when we add
> support to Bro itself?

Of course. Should I open a PR on Github?


More information about the Bro mailing list