On Sun, Sep 18, 2022 at 07:09:05PM +0200, Sebastian Andrzej Siewior wrote: > On 2020-07-16 08:46:43 [+0200], Kurt Roeckx wrote: > > On Thu, Jul 16, 2020 at 03:57:17AM +0100, Dimitri John Ledkov wrote: > > > > > > openssl package could ship `.include /etc/ssl/providers.d/` in ssl.conf. > > > > That would actually make sense. > > > > We could use the include thing to ship a config file for the > > fips module with the correct hash in it. > > Kurt, what do we do here? > Split /usr/lib/*/ossl-modules/legacy.so into its own package which is > part of src:openssl and adds a config snippet.
I'm not sure that having the legacy provider automatically enabled by default when it's installed is a good idea. That means once it's installed, all applications have it by default. I think it needs to be enabled per application. I think the same goes for fips. Only applications that need it, and probably support a library context should enable it. I don't know enough details currently about fips, but I think applications need to provider an approved RNG, and /dev/random is no longer acceptable. But upgrading the fips provider should be as easy as possible, just installing a new version. So I think we need to provider at least some config file should have the hash in it. Kurt

