In OpenSSL 1.1, all structures in public header files were made opaque. For C libraries, this change was breaking, but not too bad. For Swift libraries that interface directly with OpenSSL, however, this change was huge.
Vapor 3's crypto package (vapor/crypto) currently supports OpenSSL pre-1.1 and post-1.1 APIs. In order to achieve this without completely duplicating the code base, a number of awful hacks had to be put in place. NIO had to employ similar hacks.
Potential solution: Require OpenSSL 1.1+ for Vapor 4
The maintenance and testing burden caused by supporting pre-1.1 APIs is quite high. Because of this, it would be a huge win for Vapor 4 to drop support for OpenSSL pre-1.1. This, however, comes with some downsides. I'd like to present the pros and cons in this post and get feedback on what Vapor users would think of this change.
- Greatly simplify vapor/crypto testing and maintenance.
- Vapor 4 will require Ubuntu 18.04 (16.04 comes with OpenSSL 1.0)
- Vapor 4 will use OpenSSL@1.1 instead of LibreSSL on macOS.
Compile OpenSSL 1.1 for Ubuntu 16.04
Users that need to support Ubuntu 16.04 could build and install OpenSSL 1.1 from source. This would admittedly suck.
Swift NIO is moving to BoringSSL for version 2. Vapor crypto could do something similar and embed BoringSSL for its crypto needs.
If Ubuntu 16.04 support is deemed absolutely necessary, we can continue maintaining the current state of hacks.