Re: F43 change Proposal: Disabling support of building OpenSSL engines (system-wide)

On Mon, 24 Feb 2025, Aoife Moloney via devel-announce wrote:
Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoBuildEngine
Discussion thread -
https://discussion.fedoraproject.org/t/f43-change-proposal-disabling-support-of-building-openssl-engines-system-wide/145922

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==

We disable support of building engines in OpenSSL and remove the
deprecated openssl-devel-engine subpackage.

== Owner ==

* Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
* Email: dbelyavs@xxxxxxxxxx



== Detailed Description ==
We are going to build OpenSSL without engine support. Engines are not
FIPS compatible and the corresponding API has been deprecated since
OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is
covered by providers. The package necessary to build engines
(openssl-devel-engine) is already declared as deprecated and will be
removed. For the applications that still unconditionally refer to
openssl/engine.h we will provide a dummy engine.h file.

The side effect is that FreeIPA will lose support for DNSSEC until we
are able to migrate to bind 9.19+ for bind-dyndb-ldap.

Only bind 9.19+ supports the OpenSSL provider API. bind 9.19+ changed
internal APIs in such a way that bind-dyndb-ldap now cannot be built
and has to be rewritten. This work is in progress but far from being
finished.

FreeIPA exposes DNSSEC keys to bind through PKCS#11 token (SoftHSM
currently) because it needs to maintain multi-replica access to DNSSEC
material across FreeIPA topology. The code in bind9 that handles PKCS#11
is built with OpenSSL Engine API in bind < 9.19. Backport of OpenSSL
Provider API support from bind 9.19+ was attempted and is not complete
yet, due to major code changes in bind.

As a result, if OpenSSL Engine API is removed, FreeIPA in Fedora 43+
will lose support for DNSSEC. The actual support will be there but bind
will not be able to access DNSSEC material and sign zones.

This is already the current state for RHEL IdM (FreeIPA) in the
upcoming CentOS Stream 10 / RHEL 10.0 release. For RHEL this is not a
large issue because DNSSEC support in RHEL IdM is in tech preview state
and many customers don't use it for that reason. In Fedora, however,
this means we'd have to disable DNSSEC completely, even for existing
deployments.


== Feedback ==


== Benefit to Fedora ==
We get rid of deprecated functionality and enforce using an up-to-date
API. Engine support is deprecated in OpenSSL upstream, and the
provider migration caused some deficiencies with engine support. No
new features will be added to the engine. So we reduce the maintenance
burden and potentially the attack surface.

== Scope ==
* Proposal owners: maintainers of packages relying on OpenSSL engine
functionality

* Other developers:

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
This change probably requires mass-rebuild.

* Policies and guidelines: N/A

* Trademark approval: N/A

* Alignment with the Fedora Strategy:


== Upgrade/compatibility impact ==


== Early Testing (Optional) ==

== How To Test ==

Applications using OpenSSL ENGINE API can't be built.
ENGINE API is still exported by libcrypto.



== User Experience ==
Users will have to reconfigure systems to providers if they use
engines. No other changes are expected.


== Dependencies ==
In theory, all OpenSSL-dependent packages. In practice, only those
that explicitly use the ENGINE API.




== Contingency Plan ==
Re-enable the openssl-devel-engine package, keeping it deprecated.

* Contingency mechanism: N/A
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)


== Documentation ==
TBD


== Release Notes ==
TBD
--
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
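To estimate which packages the "How To Test" section affects, the following added script (mine, not the proposal's or Fedora's own tooling) audits a source tree for ENGINE API usage. It separates files that call ENGINE_* functions, which fail to build without openssl-devel-engine, from files that merely include openssl/engine.h, which the proposed dummy header keeps compiling; the sample sources it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a source tree for OpenSSL ENGINE API usage.
# Calls to ENGINE_* functions break the build once engine support is gone;
# a bare "#include <openssl/engine.h>" is covered by the dummy header.

CALL_RE='ENGINE_[A-Za-z0-9_]+\('
INCLUDE_RE='#[[:space:]]*include[[:space:]]*[<"]openssl/engine\.h[>"]'

# list_sources DIR: C sources and headers under DIR, NUL-separated
list_sources() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -print0 2>/dev/null
}

# engine_call_users DIR: files calling ENGINE_* functions (will fail to build)
engine_call_users() {
    list_sources "$1" | xargs -0 -r grep -lE "$CALL_RE" 2>/dev/null | sort
}

# engine_include_only DIR: files that include engine.h but make no ENGINE_* call
engine_include_only() {
    list_sources "$1" | xargs -0 -r grep -lE "$INCLUDE_RE" 2>/dev/null |
    while IFS= read -r f; do
        grep -qE "$CALL_RE" "$f" || printf '%s\n' "$f"
    done | sort
}

# count_engine_call_users DIR: number of build-breaking files (0 means safe)
count_engine_call_users() {
    engine_call_users "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed sample sources for demonstration; prints the dir
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src"
    # legacy: loads a PKCS#11 engine through the deprecated ENGINE API
    cat > "$d/src/legacy_pkcs11.c" <<'EOF'
#include <openssl/engine.h>
int load(void) { ENGINE *e = ENGINE_by_id("pkcs11"); return e && ENGINE_init(e); }
EOF
    # include-only: unconditional include, no ENGINE_* call (dummy engine.h suffices)
    cat > "$d/src/compat.h" <<'EOF'
#include <openssl/engine.h>
#define HAVE_OPENSSL 1
EOF
    # migrated: uses the provider API instead of an engine
    cat > "$d/src/provider_pkcs11.c" <<'EOF'
#include <openssl/provider.h>
int load(void) { return OSSL_PROVIDER_load(NULL, "pkcs11") != NULL; }
EOF
    printf '%s\n' "$d"
}
```

Run `engine_call_users /path/to/unpacked/source` on a package's source tree; a non-empty list means the package needs porting to providers before this change lands.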




