lordgamez commented on code in PR #1925:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1925#discussion_r1981862390
##########
cmake/BundledOpenSSL.cmake:
##########
@@ -59,7 +65,8 @@ function(use_openssl SOURCE_DIR BINARY_DIR)
no-module # disable dynamically loadable engines
no-pinshared # don't pin shared libraries in the process
memory
enable-tfo # Enable TCP Fast Open
- no-ssl) # disable SSLv3
+ no-ssl # disable SSLv3
+ no-engine)
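Review bot: The new `no-engine` entry on the last added line has no trailing comment, while every other option visible in this list has one (`no-module`, `no-pinshared`, `enable-tfo`, `no-ssl`). Please add one that states why it is set, for example `no-engine) # disable the deprecated Engine API, not FIPS compatible`. Because the existing comment on `no-module` already reads "disable dynamically loadable engines", the comments should also make clear how the two options differ, so a later reader does not drop one of them as redundant.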
Review Comment:
I'm not that familiar with it, but there is an Engine API in OpenSSL that is
controlled by this option. An engine that is loaded in OpenSSL is a hardware or
software implementation used for performing cryptographic operations. Engines
are not FIPS compatible and the corresponding API is deprecated since OpenSSL 3.0,
so for FIPS compliancy we should remove the engine support as well. (According
to the documentation it is also a good guideline for FIPS compliancy to remove
anything that is deprecated in OpenSSL 3.0 as that is probably not FIPS
compatible.)