[OE-core] [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it

Kang Kai Kai.Kang at windriver.com
Thu Jul 6 01:44:46 UTC 2017


On 2017-07-05 22:28, Richard Purdie wrote:
> On Wed, 2017-07-05 at 15:58 +0800, kai.kang at windriver.com wrote:
>> From: Kai Kang <kai.kang at windriver.com>
>>
>> Distro feature 'openssl-no-weak-ciphers' is introduced to disable
>> openssl weak ciphers support which include ecdsa. So configure bind
>> without ecdsa if openssl doesn't support it.
>>
>> Signed-off-by: Kai Kang <kai.kang at windriver.com>
>> ---
>>   meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> index 7eb79b0..e10cffc 100644
>> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
>> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
>> DISTRO_FEATURES', 'ipv6', 'ye
>>   EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
>>                    --disable-devpoll --enable-epoll --with-gost=no \
>>                    --with-gssapi=no --with-ecdsa=yes \
>> +                 --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
>> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
>>                    --sysconfdir=${sysconfdir}/bind \
>>                    --with-openssl=${STAGING_LIBDIR}/.. \
>>                  "
>>
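Review bot: the unchanged line directly above the added one still ends with --with-ecdsa=yes, so EXTRA_OECONF now passes --with-ecdsa twice and the outcome depends on configure letting the later option override the earlier one. Replace the hard-coded value rather than appending a second option: drop --with-ecdsa=yes from the --with-gssapi=no line and keep only the bb.utils.contains() form. A short comment beside the option saying that it has to follow the openssl configuration selected by 'openssl-no-weak-ciphers' would also help, since nothing in this recipe explains the coupling.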
> I think there are a few more questions that need answering about this,
> like why ecdsa is considered weak but this patch leaves
> --with-ecdsa=yes in there which is confusing at best.
>
> I do think these are best controlled as individual PACKAGECONFIG
> options rather than a distro setting which is ambiguous (what is
> 'weak').

Maybe I didn't express myself clearly. The original requirement is to disable
weak ciphers (maybe we should discuss the scope of weak ciphers)
for openssl. And then other packages depend on openssl. For bind, if
openssl is configured with 'no-ecdsa', bind will fail to compile. So I add
a distro feature to sync openssl and the other packages that depend on it.


Thanks,
Kai
>
> Cheers,
>
> Richard
>

-- 
Regards,
Neil | Kai Kang
