[OE-core] [meta-oe][RFC][PATCH] Remove openssl10

Alexander Kanavin alex.kanavin at gmail.com
Mon Apr 29 11:39:27 UTC 2019


For what it's worth, I don't have a strong opinion on this. Anyone who
still needs 1.0 as the primary openssl version can add the openssl10
recipe as 'openssl' to their private layers, and set PREFERRED_VERSION
accordingly.

Alex


On Fri, 26 Apr 2019 at 19:56, Mark Hatle <mark.hatle at windriver.com> wrote:
>
> On 4/26/19 10:50 AM, Adrian Bunk wrote:
> > On Fri, Apr 26, 2019 at 10:31:03AM -0500, Mark Hatle wrote:
> >> On 4/26/19 12:12 AM, Adrian Bunk wrote:
> >>> On Thu, Apr 25, 2019 at 03:18:47PM -0500, Mark Hatle wrote:
> >>>> On 4/25/19 2:28 PM, Adrian Bunk wrote:
> >>>>> Would you consider this patch appropriate now that warrior has branched?
> >>>>
> >>>> The use of OpenSSL10 as a 'second library' is likely no longer needed.  But
> >>>> OpenSSL 1.0 (as an alternative version) to OpenSSL 1.1 is still needed in some
> >>>> cases.. (FIPS-140-2)
> >>>
> >>> Is anyone actually security-maintaining OpenSSL in OE?
> >>
> >> -In- OE?  I have no idea.
> >>
> >> Outside of OE to meet the OpenSSL-FIPS 'you must not modify the sources and
> >> follow these exact steps', yes people are.
> >> ...
> >
> > Why does this need OpenSSL 1.0 in Yocto?
>
> I think you are misunderstanding what I am saying.
>
> For the recipes that -use- OpenSSL, we still need support for the legacy API
> through at least the end of the year.
>
> In the past we had added pkgconfigs for a few things to switch them between the
> old and new OpenSSL API.
>
> The OpenSSL10 recipe I don't care about, I have no use for it.
>
> > How does this look as OE recipe?
> >
> > I would say that an OpenSSL-FIPS recipe might now perhaps need an
> > openssl_1.1.1%.bbappend re-adding the three openssl-conf lines my
> > patch removes.
>
> You can't.. There is no such thing as OpenSSL-FIPS for 1.1.x.  Doesn't exist,
> never will.
>
> OpenSSL 1.0.2* has an OpenSSL-FIPS module.. They have to be compiled -exactly-
> as stated in the documentation or they are not functionally equivalent..
> (reality doesn't matter here -- it's the rules that matter.)
>
> So after it's built (usually via an SDK), then it's packaged in a recipe that
> uses the precompiled binary.
>
> OpenSSL 3 (there won't be a 2 from my understanding) is supposed to be
> compatible with the 1.1.x API (for the most part), but will include FIPS-140-2
> support. However, OpenSSL 3 doesn't exist yet.  The last blog from the OpenSSL
> developers indicated end of 2019... but as we all know release dates change.
>
> So for users who have an OpenSSL FIPS requirement, the ONLY answer is that their
> applications (including system) HAVE to use the OpenSSL 1.0.2* + FIPS module.
>
> --Mark
>
> > Do I miss anything more complicated here?
> >
> >> --Mark
> >
> > cu
> > Adrian
> >
>