So I've looked into this a bit:

* A somewhat working ebuild for openssl-1.1.0a is uploaded here: https://chromium-review.googlesource.com/389211
* The SHA-1 cert blacklisting patch we carry locally needs to be ported, which I haven't done yet.
* Note that the above ebuild requests 1.0.0 api compatibility
* Even with the compatibility flags enabled, a lot of stuff depending on openssl fails to build due to them cleaning up their API surface.
* Note that gentoo bugzilla is tracking this issue here (listing failing packages): https://bugs.gentoo.org/show_bug.cgi?id=592438
* Ditto for debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827061

I'll see whether I can get a list of problematic packages we're using.

I'm afraid the conclusion for now is that we can't do much unless we're willing to start tackling package breakages ourselves. Given that openssl 1.0.2 is still supported, I feel inclined to give this some more time.

Here's a quick list of results from an attempt to rebuild reverse dependencies for openssl for the cyan board.

The following packages succeeded (I didn't test whether they actually work!):

chromeos-base/chaps-0.0.1-r1578
chromeos-base/libchrome-395517-r3
chromeos-base/libscrypt-1.1.6-r12
chromeos-base/memento_softwareupdate-0.0.1-r72
chromeos-base/pepper-flash-23.0.0.179-r1
chromeos-base/root-certificates-0.0.1-r3
chromeos-base/update_engine-0.0.3-r2055
dev-libs/libevent-2.0.22
dev-util/imgdiff-0.0.1-r2
net-dialup/ppp-2.4.6-r7
net-misc/curl-7.49.1
net-misc/dhcp-4.2.2-r3
net-misc/iputils-20121221-r2
net-misc/wget-1.18-r1   <- I applied a patch from upstream to get this building
net-print/hplip-3.16.3

The following packages failed to build:

app-crypt/tpm-tools-1.3.8-r2
app-crypt/trousers-0.3.3-r60
chromeos-base/cryptohome-0.0.1-r1363
chromeos-base/easy-unlock-crypto-0.0.1-r13
chromeos-base/libbrillo-0.0.1-r177
chromeos-base/vboot_reference-1.0-r1261
dev-lang/python-2.7.10
dev-libs/engine_pkcs11-0.1.8-r1
dev-libs/libp11-0.2.8-r3
dev-libs/opencryptoki-2.2.8-r24
dev-libs/opensc-0.12.2-r1
dev-libs/pkcs11-helper-1.07
dev-python/m2crypto-0.22.3-r4
dev-util/android-tools-5.1.1_p13
dev-vcs/git-2.6.6
net-analyzer/tcpdump-4.5.1-r1
net-misc/openssh-7.3_p1-r1
net-misc/openvpn-2.3.2-r2
net-misc/socat-1.7.3.1
net-misc/strongswan-5.0.2-r19
net-misc/tlsdate-0.0.5-r44
net-wireless/hostapd-2.5-r34
net-wireless/wpa_supplicant-2.5-r34

Note the 4 failing chromeos-base packages, which are definitely on our plate to fix up.

Make that 1.1.0b: https://www.openssl.org/news/secadv/20160926.txt

We would like to have support for x25519 for hammerd, which I believe is only supported on openssl >=1.1.0.

Maybe now is a good time to revisit this? I don't expect this work to be much easier, sadly...

Boringssl has x25519 support, so maybe that's an alternative? In the long run, we'd like to migrate the Chrome OS platform code to boringssl anyways.

I was finally able to get a set of local patches such that all sdk packages build and I can successfully ./setup_board and start ./build_packages.  This results in the following failures (on an amd64 board, soraka):

$ ./build_packages --board=soraka

Packages failed:
	app-crypt/mit-krb5-1.14.4
	chromeos-base/chromeos-ec-0.0.1-r3949
	chromeos-base/dev-install-0.0.1-r923
	chromeos-base/factory-0.2.0-r361
	chromeos-base/factory-mini-0.0.1-r433
	chromeos-base/libbrillo-0.0.1-r660
	chromeos-base/vboot_reference-1.0-r1364
	dev-python/btsocket-0.0.1-r12
	net-wireless/crda-1.1.1-r6

Small milestone today - I was able to build and boot an openssl-1.1 system for samus!  I'll clean up the patch sets and upload them shortly.

But...  cryptohomed has a crash loop and ssh doesn't work ;).  Debugging...

I'm not actively working on this, nor planning to any time soon, so un-assigning myself.

Do we need any security fixes in this version?

OpenSSL is still maintaining security fixes in the 1.0 series, so we don't need to upgrade to the 1.1 series for that