Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == We disable support of engines in OpenSSL == Owner == * Name: [[User:Dbelyavs| Dmitry Belyavskiy]] * Email: dbelyavs@xxxxxxxxxx == Detailed Description == We are going to build OpenSSL without engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon. == Feedback == == Benefit to Fedora == We get rid of deprecated functionality and enforce using up-to-date API. Engine support is deprecated in OpenSSL upstream, and after provider migration caused some deficiencies with engine support. No new features will be added to the engine. So we reduce the maintenance burden and potentially attack surface. It follows the approach planned for CentOS 10. == Scope == * Proposal owners: maintainers of packages enumerated here: https://clang.fedorapeople.org/c10s-engine-users/ plus probably owners of some Fedora-only packages For most of the packages the maintainers will just have to rebuild their packages after the OpenSSL change lands in compose. For several packages some patches should be implemented to prevent compilation errors. * Other developers: - * Release engineering: [https://pagure.io/releng/issues #Releng issue number] This change probably requires mass-rebuild. * Policies and guidelines: We need reject/modify packages providing OpenSSL engines * Trademark approval: N/A (not needed for this Change) * Alignment with Community Initiatives: == Upgrade/compatibility impact == OpenSSL engines will no longer be supported. Engines will not be supported in openssl configuration files (presumably silently ignored). Users will have to reconfigure systems to providers if they use engines. == How To Test == OpenSSL libcrypto.so doesn't export any ENGINE_* symbols (~120 lines). Application is normally built. == User Experience == Users will have to reconfigure systems to providers if they use engines. No other changes are expected. == Dependencies == In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use ENGINE api. == Contingency Plan == Reenable engine support but remove engine header file to allow old applications work preventing appearing new ones. * Contingency mechanism: (What to do? Who will do it?) rebuild OpenSSL and dependent packages * Contingency deadline: beta freeze? * Blocks release? Yes == Documentation == TBD == Release Notes == TBD -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
