Dear Jun,

On Thu, Mar 21, 2024 at 2:29 PM Jun Aruga (he / him) <jar...@redhat.com> wrote:
> On Thu, Mar 21, 2024 at 12:16 PM Dmitry Belyavskiy <dbely...@redhat.com> wrote:
> >
> > Dear Jun,
> >
> > On Thu, Mar 21, 2024 at 11:04 AM Jun Aruga (he / him) <jar...@redhat.com> wrote:
> >>
> >> On Wed, Mar 20, 2024 at 2:36 PM Dmitry Belyavskiy <dbely...@redhat.com> wrote:
> >> >
> >> ...
> >> >> > == Detailed Description ==
> >> >> > We are going to build OpenSSL without engine support. Engines are not
> >> >> > FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0.
> >> >> > The engine functionality we are aware of (PKCS#11, TPM) is either
> >> >> > covered by providers or will be covered soon.
> >> >>
> >> >> "will be covered soon"
> >> >>
> >> >> ... so let's wait until that work is actually complete before
> >> >> removing this from openssl, otherwise there's a window of
> >> >> brokenness in Fedora where the old feature is removed and
> >> >> the new feature is not ready.
> >> >
> >> >
> >> > I am not going to land this change until the tpm2 provider is landed in Fedora.
> >> > But the affected packages must start preparing for this change as early as possible.
> >>
> >> Hi Dmitry,
> >> Could you provide the upstream OpenSSL project's issue ticket(s) or
> >> pull request(s) about adding or updating the providers to
> >> cover all the functionality that engines have?
> >> I would like to track the progress of the work.
> >
> >
> > I'm quite surprised.
> > I'm pretty sure that providers cover all the functionality that engines have.
> > (It doesn't mean that for each and every engine there exists a 1:1 replacement
> > provider, but that is a question for the authors of these engines.)
> >
> > If you are aware of any deficiencies, could you please let upstream or me know?
>
> Hi Dmitry,
> Sorry. Maybe I used the terminology "functionality" incorrectly.
> I am talking about some features that engines provide which are missing in
> providers. I see the following issue tickets.
>
> * https://github.com/ruby/openssl/issues/722
>
> > The Engine API was deprecated in OpenSSL 3 and there seem to be
> > no alternatives for it at the moment using the Provider API. The providers
> > can only be loaded, but there seems to be no way to load keys using a
> > URI (for example, the pkcs11 URI scheme).

I believe the pkcs11-provider is already capable of it.

> * https://github.com/ruby/openssl/issues/723
>
> > GOST engine

I can say a lot about it in private. TL;DR - it's almost abandoned for many reasons.

-- 
Dmitry Belyavskiy
-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue