Hi, Fredrik.

Well, it's still a dependency. But in general I agree with you; adding
a dependency on OpenSSL when it's probably already part of the base OS
is not much of a burden.
Keep in mind that these aren't necessarily my reasons; I was just trying
to give some reasons that I thought might be there for some people. It
could be that no one thinks this, in which case I'm wasting everyone's
time, and for that I would be truly sorry.

I thought the OpenSSL code was considered overly complex and difficult
to read, and it has the custom memory allocator which can make some
analysis tools unable to catch certain classes of problems. I haven't
looked at the source code, so I'm not saying this; I'm just saying what
I've heard. I was unaware of major security holes in OpenSSH. If
there have been such holes, then it certainly weakens the argument for
avoiding linking against OpenSSL.

I was not suggesting "no encryption" over "encryption with increased
risk of a security vulnerability" (e.g. going back to Telnet instead
of SSH because OpenSSH has had lots of security vulnerabilities).
Certainly, if the encryption is needed, then include it.

For the case where the encryption is needed, I thought there could be
a benefit to avoiding linking against OpenSSL. I thought the idea was
that using something like stunnel could be safer since, if the stunnel
process was compromised through an OpenSSL security vulnerability, the
program tunneling through it would still be uncompromised. But I just
did a quick Web search and didn't find anything supporting this, so
maybe I'm totally wrong. If I am wrong, I'm sorry for suggesting this.
If anyone has insight into this, I'd be very interested in hearing. But
please be nice to me. :-)

Regards,

Lewis