[OE-core] [meta-oe][RFC][PATCH] Remove openssl10

Mark Hatle mark.hatle at windriver.com
Fri Apr 26 17:56:00 UTC 2019


On 4/26/19 10:50 AM, Adrian Bunk wrote:
> On Fri, Apr 26, 2019 at 10:31:03AM -0500, Mark Hatle wrote:
>> On 4/26/19 12:12 AM, Adrian Bunk wrote:
>>> On Thu, Apr 25, 2019 at 03:18:47PM -0500, Mark Hatle wrote:
>>>> On 4/25/19 2:28 PM, Adrian Bunk wrote:
>>>>> Would you consider this patch appropriate now that warrior has branched?
>>>>
>>>> The use of OpenSSL10 as a 'second library' is likely no longer needed.  But
>>>> OpenSSL 1.0 (as an alternative version) to OpenSSL 1.1 is still needed in some
>>>> cases (FIPS-140-2).
>>>
>>> Is anyone actually security-maintaining OpenSSL in OE?
>>
>> -In- OE?  I have no idea.
>>
>> Outside of OE to meet the OpenSSL-FIPS 'you must not modify the sources and
>> follow these exact steps', yes people are.
>> ...
> 
> Why does this need OpenSSL 1.0 in Yocto?

I think you are misunderstanding what I am saying.

For the recipes that -use- OpenSSL, we still need support for the legacy API
through at least the end of the year.

In the past we had added pkgconfigs for a few things to switch them between the
old and new OpenSSL API.

The OpenSSL10 recipe I don't care about; I have no use for it.

> How does this look as OE recipe?
> 
> I would say that an OpenSSL-FIPS recipe might now perhaps need an 
> openssl_1.1.1%.bbappend re-adding the three openssl-conf lines my
> patch removes.

You can't. There is no such thing as OpenSSL-FIPS for 1.1.x.  Doesn't exist,
never will.

OpenSSL 1.0.2* has an OpenSSL-FIPS module. They have to be compiled -exactly-
as stated in the documentation or they are not functionally equivalent.
(reality doesn't matter here -- it's the rules that matter.)

So after it's built (usually via an SDK), then it's packaged in a recipe that
uses the precompiled binary.

OpenSSL 3 (there won't be a 2 from my understanding) is supposed to be
compatible with the 1.1.x API (for the most part), but will include FIPS-140-2
support.  However, OpenSSL 3 doesn't exist yet.  The last blog from the OpenSSL
developers indicated end of 2019... but as we all know release dates change.

So for users who have an OpenSSL FIPS requirement, the ONLY answer is that their
applications (including system) HAVE to use the OpenSSL 1.0.2* + FIPS module.

--Mark

> Do I miss anything more complicated here?
> 
>> --Mark
> 
> cu
> Adrian
> 
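As an added illustration of the PACKAGECONFIG switching Mark mentions (this is a constructed example, not code from this thread or from OE-core), here is what such a selector could look like in a hypothetical recipe `foo_1.0.bb`; the recipe name, the configure flags and the anonymous-python guard are assumptions:

```bitbake
# Hypothetical recipe fragment: foo_1.0.bb (constructed example, not from OE-core)
# Select exactly one OpenSSL provider; default to the current 1.1 API.
PACKAGECONFIG ??= "openssl"

# Format: flag-if-enabled, flag-if-disabled, build-time dependency (DEPENDS)
PACKAGECONFIG[openssl]   = "--with-openssl,--without-openssl,openssl"
PACKAGECONFIG[openssl10] = "--with-openssl,--without-openssl,openssl10"

# Fail early if both are enabled: the two libraries cannot be linked into one binary.
python __anonymous() {
    pc = (d.getVar('PACKAGECONFIG') or '').split()
    if 'openssl' in pc and 'openssl10' in pc:
        bb.fatal("foo: PACKAGECONFIG 'openssl' and 'openssl10' are mutually exclusive")
}
```

A distro that has to stay on OpenSSL 1.0.2 for the FIPS module would then set `PACKAGECONFIG_pn-foo = "openssl10"` in its distro configuration or local.conf rather than patching the recipe.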


