On Thu, Mar 21, 2024 at 12:16 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>
> Dear Jun,
>
> On Thu, Mar 21, 2024 at 11:04 AM Jun Aruga (he / him) <jaruga@xxxxxxxxxx> wrote:
>>
>> On Wed, Mar 20, 2024 at 2:36 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>> >
>> ...
>> >> > == Detailed Description ==
>> >> > We are going to build OpenSSL without engine support. Engines are not
>> >> > FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
>> >> > The engine functionality we are aware of (PKCS#11, TPM) is either
>> >> > covered by providers or will be covered soon.
>> >>
>> >> "will be covered soon"
>> >>
>> >> ... so let's wait until that work is actually complete before
>> >> removing this from openssl, otherwise there's a window of
>> >> brokenness in Fedora where the old feature is removed and
>> >> the new feature is not ready.
>> >
>> >
>> > I am not going to land this change until the tpm2 provider is landed in Fedora.
>> > But the affected packages must start preparing for this change as early as possible.
>>
>> Hi Dmitry,
>> Could you provide the upstream OpenSSL project's issue ticket(s) or
>> pull-request(s) about the feature adding or updating the providers to
>> cover all the functionalities that engines have?
>> I would like to track the progress of the work.
>
>
> I'm quite surprised.
> I'm pretty sure that providers cover all the functionalities that engines have.
> (It doesn't mean that for each and every engine exists a 1:1 replacing provider, but it's a question to the authors of these engines)
>
> If you are aware of any deficiencies, could you please let upstream or me know?

Hi Dmitry,

Sorry. Maybe I used the terminology "functionality" incorrectly. I am
talking about some features that engines provided are missing in
providers. I see the following issue tickets.
* https://github.com/ruby/openssl/issues/722
> The Engine API was deprecated in OpenSSL 3 and there seems to be no alternatives for it at the moment using Provider API. The providers can only be loaded, but there seems to be no way to load keys using an uri (for ex. pkcs11 uri scheme)

* https://github.com/ruby/openssl/issues/723
> GOST engine

--
Jun | He - Him | Timezone: UTC+1 or 2, Czech Republic
See <https://www.worldtimebuddy.com/czech-republic-prague-to-utc> for the timezone.