[OE-core] [meta-oe][RFC][PATCH] Remove openssl10

Mark Hatle mark.hatle at windriver.com
Fri Apr 26 15:31:03 UTC 2019


On 4/26/19 12:12 AM, Adrian Bunk wrote:
> On Thu, Apr 25, 2019 at 03:18:47PM -0500, Mark Hatle wrote:
>> On 4/25/19 2:28 PM, Adrian Bunk wrote:
>>> Would you consider this patch appropriate now that warrior has branched?
>>
>> The use of OpenSSL10 as a 'second library' is likely no longer needed.  But
>> OpenSSL 1.0 (as an alternative version) to OpenSSL 1.1 is still needed in some
>> cases (FIPS-140-2).
> 
> Is anyone actually security-maintaining OpenSSL in OE?

-In- OE?  I have no idea.

Outside of OE to meet the OpenSSL-FIPS 'you must not modify the sources and
follow these exact steps', yes people are.

> The just released sumo has both versions of OpenSSL not touched since
> August, even though just upgrading to the latest versions would fix CVEs.
> 
>> So removal of openssl10 is fine, but if there are patches for support of both
>> versions (old/new) of OpenSSL they will be needed at least through the end of
>> this year for many users.
> 
> This is now for Yocto 2.8, which will be released October/November
> this year.

Yes, and that's the problem.  OpenSSL 1.1 will not have FIPS support before the
end of the year (based on the last blog post).

So unless the OpenSSL community is able to get it certified and released before
YP 2.8, I believe we still need OpenSSL 10 support through the end of this year.
We should evaluate where the community is after that.

Again, I'm not talking about the 'OpenSSL10' recipe, but support in the
applications for the older APIs.  I don't care if the OpenSSL10 recipe goes
away.  Anyone using FIPS-140-2 support is going to want to use a single OpenSSL
library on their system, not both 1.1 and 1.0.

--Mark

>> --Mark
> 
> cu
> Adrian
> 