Hi Andre,

On Wed, 20 Nov 2019 at 19:27, Andre McCurdy <[email protected]> wrote:

> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle <[email protected]> wrote:
> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <[email protected] <mailto:[email protected]>> wrote:
> > >
> > >     You know that 1.0.2 and 1.1 APIs are not compatible? So you will need
> > >     to update everything that needs OpenSSL to understand the new API.
> > >
> > >
> > > So far, we're only using it in a shell script to sign an image and later
> > > verify the image, so I've assumed, perhaps naively, that the API changes
> > > won't matter...
> >
> > Correct, but there may be other components of the system that could be using
> > the API that you are unaware of. On a system as old as Sumo, you will need to
> > take precautions to ensure that ONLY the 1.1x version is being used. (There
> > may be an openssl10 for compatibility that will need to be blacklisted.)
> >
> > >     For CVE fixes, typically you would patch 1.0.2p, or update to the
> > >     latest (1.0.2t) as you go. (If you have an OSV, this should be part of
> > >     the services that they offer you.)
> > >
> > >
> > >     In my opinion, 1.0.2 will be around for at least another 4-5 years due
> > >     to the number of people actively using it in the world. Until 1.1/3.0
> > >     (won't be a 2.0 from what I read) exists and has a FIPS-140-2 support
> > >     available -- people will continue to use 1.0.2 and maintain it as
> > >     necessary for security.
> > >
> > >     As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> > >
> > >     This version is for thud, warrior, zeus and master. It is intended to
> > >     be maintained until either 1.0.2 is no longer maintainable -- or the
> > >     FIPS-140-2 needs have been met by OpenSSL.
> > >
> > >
> > > Great, that looks like a better option anyway, assuming it has the latest
> > > fixes I need, and doesn't give me the same build problem. Thanks for
> > > pointing it out. I'll give it a go.
> >
> > It's better to work with the Sumo version for your needs. I just posted that
> > as an example of openssl 1.0.2 being needed still by others, even as
> > oe-core/Yocto Project have changed their defaults.
>
> If you want an up to date openssl 1.0.2 recipe which is compatible
> with Sumo, you can find one here:
>
>   https://github.com/armcc/meta-plumewifi
>
> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
> but it should work for all versions in between (and if it doesn't I'll
> accept patches or try to fix it).
>

Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two diffs jump out:

- Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the openssl 1.1.x recipe".
- Mark's repo has two extra patches:
      file://0001-Fix-BN_LLONG-breakage.patch \
      file://0001-Fix-DES_LONG-breakage.patch \

Regards,
Ryan.
