TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and OpenSSL's legacy module contains deprecated and unmaintained components. This series disables legacy support by default in both OpenSSL and python3-cryptography, requiring users to explicitly opt-in if needed.
The first two patches add packageconfig options to control legacy TLS protocol support and the legacy OpenSSL module. The final patch aligns python3-cryptography with the new OpenSSL defaults.

Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1" options that are disabled by default. While it would be less disruptive to enable the "no-*" options by default, using affirmative options provides consistency with the new "legacy" option and is clearer than having default-enabled "no-*" options.

Testing performed:
* Verified both recipes build successfully with and without the new options
* Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1 disabled
* Ran python3-cryptography ptests with legacy-openssl disabled
* Confirmed ptests correctly skip tests for disabled legacy features

Colin Pinnell McAllister (3):
  openssl: Disable TLS 1.x by default
  openssl: Add legacy packageconfig option
  python3-cryptography: Disable legacy-openssl by default

 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++-----
 .../python/python3-cryptography.bb                 |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

-- 
2.53.0
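A practitioner picking up this series will want an image-side check that the new defaults actually took effect, independent of the recipes' ptests. The script below is an added example written for this page; it is not part of the patch series, of OpenSSL, or of python3-cryptography. It assumes it is run with the image's own python3, so that the ssl and hashlib modules are linked against the OpenSSL build under test. It probes each TLS version by starting a client handshake over in-memory BIOs (a supported version produces a ClientHello; a compiled-out version fails with "no protocols available") and probes the legacy provider by asking hashlib for MD4, which in OpenSSL 3 lives only in that provider. The function and variable names are the example's own.

```python
"""Probe an installed OpenSSL for TLS 1.0/1.1 and legacy-provider support.

Added example, not code from the patch series or its ptests.  Run it with
the python3 that is linked against the OpenSSL build you want to check.
"""
import hashlib
import ssl
import warnings

# Versions to probe; the names double as report keys.
PROBED_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def client_hello_possible(version: ssl.TLSVersion) -> bool:
    """Return True if OpenSSL can start a handshake pinned to exactly `version`.

    The client runs over MemoryBIOs, so no socket or peer is needed: a build
    that supports the version writes a ClientHello and then raises
    SSLWantReadError (it is waiting for a ServerHello); a build with the
    version compiled out ("no-tls1" / "no-tls1_1") fails before that with an
    SSLError ("no protocols available").  Security level 0 is requested so
    that the default policy, which already refuses TLS 1.0/1.1 at level 1 in
    OpenSSL 3, does not mask what the build itself contains.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        # Python warns when TLSv1/TLSv1_1 are selected; that is the point here.
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            return False  # OpenSSL refused the version bound outright
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return outgoing.pending > 0  # ClientHello was produced
    except ssl.SSLError:
        return False
    return False  # a handshake cannot complete without a peer


def legacy_provider_available() -> bool:
    """Return True if the OpenSSL legacy provider is usable from this process.

    MD4 is implemented only in OpenSSL 3's legacy provider, so asking hashlib
    for it is a cheap way to see whether the provider is present and
    activated; hashlib raises ValueError when the digest is unavailable.
    """
    try:
        hashlib.new("md4", b"probe")
        return True
    except ValueError:
        return False


def audit(allow_tls10_11: bool = False, allow_legacy: bool = False) -> list[str]:
    """Compare what the build supports against the intended policy.

    Returns a list of findings; an empty list means the build matches the
    policy.  The defaults mirror the series: no TLS 1.0/1.1, no legacy.
    """
    findings = []
    support = {name: client_hello_possible(v) for name, v in PROBED_VERSIONS.items()}
    for name in ("TLSv1", "TLSv1_1"):
        if support[name] and not allow_tls10_11:
            findings.append(f"{name} is still negotiable; expected it compiled out")
    for name in ("TLSv1_2", "TLSv1_3"):
        if not support[name]:
            findings.append(f"{name} is unavailable; the build cannot talk to modern peers")
    if legacy_provider_available() and not allow_legacy:
        findings.append("legacy provider is loadable (MD4 works); expected it disabled")
    return findings


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, version in PROBED_VERSIONS.items():
        print(f"{name:8} {'yes' if client_hello_possible(version) else 'no'}")
    print("legacy provider:", "yes" if legacy_provider_available() else "no")
    for finding in audit():
        print("FINDING:", finding)
```

On an image built with the series' defaults, audit() should return no findings; if a product genuinely needs the old protocols or the legacy module, the cover letter's option names suggest opting back in with something like `PACKAGECONFIG:append:pn-openssl = " tls1 tls1_1 legacy"` in local.conf (the exact bitbake syntax is an assumption, not shown in the series), after which audit(allow_tls10_11=True, allow_legacy=True) is the check to run instead.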
