On 4/26/19 10:50 AM, Adrian Bunk wrote:
> On Fri, Apr 26, 2019 at 10:31:03AM -0500, Mark Hatle wrote:
>> On 4/26/19 12:12 AM, Adrian Bunk wrote:
>>> On Thu, Apr 25, 2019 at 03:18:47PM -0500, Mark Hatle wrote:
>>>> On 4/25/19 2:28 PM, Adrian Bunk wrote:
>>>>> Would you consider this patch appropriate now that warrior has branched?
>>>>
>>>> The use of OpenSSL10 as a 'second library' is likely no longer needed. But
>>>> OpenSSL 1.0 (as an alternative version) to OpenSSL 1.1 is still needed in
>>>> some cases.. (FIPS-140-2)
>>>
>>> Is anyone actually security-maintaining OpenSSL in OE?
>>
>> -In- OE? I have no idea.
>>
>> Outside of OE to meet the OpenSSL-FIPS 'you must not modify the sources and
>> follow these exact steps', yes people are.
>> ...
>
> Why does this need OpenSSL 1.0 in Yocto?

I think you are misunderstanding what I am saying. For the recipes that -use-
OpenSSL, we still need support for the legacy API through at least the end of
the year. In the past we had added pkgconfigs for a few things to switch them
between the old and new OpenSSL API.

The OpenSSL10 recipe I don't care about, I have no use for it.

> How does this look as OE recipe?
>
> I would say that an OpenSSL-FIPS recipe might now perhaps need an
> openssl_1.1.1%.bbappend re-adding the three openssl-conf lines my
> patch removes.

You can't.. There is no such thing as OpenSSL-FIPS for 1.1.x. Doesn't exist,
never will.

OpenSSL 1.0.2* has an OpenSSL-FIPS module.. They have to be compiled -exactly-
as stated in the documentation or they are not functionally equivalent..
(reality doesn't matter here -- it's the rules that matter.) So after it's
built (usually via an SDK), then it's packaged in a recipe that uses the
precompiled binary.

OpenSSL 3 (there won't be a 2 from my understanding) is supposed to be
compatible with the 1.1.x API (for the most part), but will include FIPS-140-2
support. However, OpenSSL 3 doesn't exist yet. The last blog from the OpenSSL
developers indicated end of 2019... but as we all know release dates change.

So for users who have an OpenSSL FIPS requirement, the ONLY answer is that
their applications (including system) HAVE to use the OpenSSL 1.0.2* + FIPS
module.

--Mark

> Do I miss anything more complicated here?
>
>> --Mark
>
> cu
> Adrian
>

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core