On 08/03/2024 22:37, Aoife Moloney wrote:
Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == We disable support of engines in OpenSSL == Owner == * Name: [[User:Dbelyavs| Dmitry Belyavskiy]] * Email: dbelyavs@xxxxxxxxxx == Detailed Description == We are going to build OpenSSL without engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon. == Feedback == == Benefit to Fedora == We get rid of deprecated functionality and enforce using up-to-date API. Engine support is deprecated in OpenSSL upstream, and after provider migration caused some deficiencies with engine support. No new features will be added to the engine. So we reduce the maintenance burden and potentially attack surface. It follows the approach planned for CentOS 10.
Hi, We're providing the Intel QuickAssist Technology OpenSSL Engine (QAT_Engine)* in Fedora and RHEL. I think we shouldn't rush things to have no-engine environment. * : https://www.redhat.com/en/blog/accelerated-encryption-4th-gen-intelr-xeonr-scalable-processors -- Ali Erdinc Koroglu Intel, SSE | Linux OS Systems Engineering -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
