For what it's worth, I don't have a strong opinion on this. Anyone who still needs 1.0 as the primary openssl version can add the openssl10 recipe as 'openssl' to their private layers, and set PREFERRED_VERSION accordingly.
Alex

On Fri, 26 Apr 2019 at 19:56, Mark Hatle <mark.ha...@windriver.com> wrote:
>
> On 4/26/19 10:50 AM, Adrian Bunk wrote:
> > On Fri, Apr 26, 2019 at 10:31:03AM -0500, Mark Hatle wrote:
> >> On 4/26/19 12:12 AM, Adrian Bunk wrote:
> >>> On Thu, Apr 25, 2019 at 03:18:47PM -0500, Mark Hatle wrote:
> >>>> On 4/25/19 2:28 PM, Adrian Bunk wrote:
> >>>>> Would you consider this patch appropriate now that warrior has branched?
> >>>>
> >>>> The use of OpenSSL10 as a 'second library' is likely no longer needed. But
> >>>> OpenSSL 1.0 (as an alternative version) to OpenSSL 1.1 is still needed in some
> >>>> cases.. (FIPS-140-2)
> >>>
> >>> Is anyone actually security-maintaining OpenSSL in OE?
> >>
> >> -In- OE? I have no idea.
> >>
> >> Outside of OE to meet the OpenSSL-FIPS 'you must not modify the sources and
> >> follow these exact steps', yes people are.
> >> ...
> >
> > Why does this need OpenSSL 1.0 in Yocto?
>
> I think you are misunderstanding what I am saying.
>
> For the recipes that -use- OpenSSL, we still need support for the legacy API
> through at least the end of the year.
>
> In the past we had added pkgconfigs for a few things to switch them between the
> old and new OpenSSL API.
>
> The OpenSSL10 recipe I don't care about, I have no use for it.
>
> > How does this look as OE recipe?
> >
> > I would say that an OpenSSL-FIPS recipe might now perhaps need an
> > openssl_1.1.1%.bbappend re-adding the three openssl-conf lines my
> > patch removes.
>
> You can't.. There is no such thing as OpenSSL-FIPS for 1.1.x. Doesn't exist,
> never will.
>
> OpenSSL 1.0.2* has an OpenSSL-FIPS module.. They have to be compiled -exactly-
> as stated in the documentation or they are not functionally equivalent..
> (reality doesn't matter here -- it's the rules that matter.)
>
> So after it's built (usually via an SDK), then it's packaged in a recipe that
> uses the precompiled binary.
>
> OpenSSL 3 (there won't be a 2 from my understanding) is supposed to be
> compatible with the 1.1.x API (for the most part), but will include FIPS-140-2
> support. However, OpenSSL 3 doesn't exist yet. The last blog from the OpenSSL
> developers indicated end of 2019... but as we all know release dates change.
>
> So for users who have an OpenSSL FIPS requirement, the ONLY answer is that their
> applications (including system) HAVE to use the OpenSSL 1.0.2* + FIPS module.
>
> --Mark
>
> > Do I miss anything more complicated here?
> >
> >> --Mark
> >
> > cu
> > Adrian
> >
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core