
[OpenWrt-Devel,v2] openssl: change defaults: ENGINE:on, NPN:off, misc

Message ID mailman.34659.1555445566.2376.openwrt-devel@lists.openwrt.org

Commit Message

Thomas Richard via openwrt-devel April 16, 2019, 8:12 p.m. UTC
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enable engine support by default.  Right now, some packages require
this, so it is always enabled by the bots.  Many packages will compile
differently when engine support is detected, needing engine symbols from
the libraries.

However, with engine support off by default, a user compiling their own image will be
unable to run some popular packages from the official repo.
Note that disabling engines did not work in 1.0.2, so this problem never
showed up before.

NPN support has been removed in major browsers & servers, and has become
a small bloat, so it does not make sense to leave it on by default.

Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
---
ChangeLog:
	v2: increase PKG_RELEASE

Comments

Hans Dedecker April 17, 2019, 9:28 a.m. UTC | #1
On Tue, Apr 16, 2019 at 10:12 PM Eneas U de Queiroz via openwrt-devel
<openwrt-devel@lists.openwrt.org> wrote:
>
> The sender domain has a DMARC Reject/Quarantine policy which disallows
> sending mailing list messages using the original "From" header.
>
> To mitigate this problem, the original message has been wrapped
> automatically by the mailing list software.
>
>
> ---------- Forwarded message ----------
> From: Eneas U de Queiroz <cote2004-github@yahoo.com>
> To: openwrt-devel@lists.openwrt.org
> Cc: Eneas U de Queiroz <cote2004-github@yahoo.com>
> Bcc:
> Date: Tue, 16 Apr 2019 17:12:15 -0300
> Subject: [PATCH v2] openssl: change defaults: ENGINE:on, NPN:off, misc
> Enable engine support by default.  Right now, some packages require
> this, so it is always enabled by the bots.  Many packages will compile
> differently when engine support is detected, needing engine symbols from
> the libraries.
>
> However, being off by default, a user compiling its own image will fail
> to run some popular packages from the official repo.
> Note that disabling engines did not work in 1.0.2, so this problem never
> showed up before.
>
> NPN support has been removed in major browsers & servers, and has become
> a small bloat, so it does not make sense to leave it on by default.
>
> Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.
>
> Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Patch pushed to master
(https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=450d44a8ead2217f8acf541a4eaa4ad560b3e5ac);
thx

Hans
> ---
> ChangeLog:
>         v2: increase PKG_RELEASE
>
> diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
> index ecb9eea389..49f136e845 100644
> --- a/package/libs/openssl/Config.in
> +++ b/package/libs/openssl/Config.in
> @@ -96,7 +96,6 @@ config OPENSSL_WITH_DTLS
>
>  config OPENSSL_WITH_NPN
>         bool
> -       default y
>         prompt "Enable NPN support"
>         help
>                 NPN is a TLS extension, obsoleted and replaced with ALPN,
> @@ -246,10 +245,15 @@ comment "Engine/Hardware Support"
>
>  config OPENSSL_ENGINE
>         bool "Enable engine support"
> +       default y
>         help
>                 This enables alternative cryptography implementations,
>                 most commonly for interfacing with external crypto devices,
>                 or supporting new/alternative ciphers and digests.
> +               If you compile the library with this option disabled, packages built
> +               using an engine-enabled library (i.e. from the official repo) may
> +               fail to run.  Compile and install the packages with engine support
> +               disabled, and you should be fine.
>                 Note that you need to enable KERNEL_AIO to be able to build the
>                 afalg engine package.
>
> @@ -271,12 +275,6 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
>                 This enables use of hardware acceleration through the
>                 AF_ALG kernel interface.
>
> -config OPENSSL_ENGINE_CRYPTO
> -       # This symbol is deprecated.  Currently it is used by the openssh package.
> -       # Once openwrt/packages#8272 is merged, this can be safely removed.
> -       bool
> -       default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
> -
>  config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
>         bool
>         prompt "Acceleration support through /dev/crypto"
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index cb25c5557c..49cea8e45a 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -11,7 +11,7 @@ PKG_NAME:=openssl
>  PKG_BASE:=1.1.1
>  PKG_BUGFIX:=b
>  PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
> -PKG_RELEASE:=3
> +PKG_RELEASE:=4
>  PKG_USE_MIPS16:=0
>  ENGINES_DIR=engines-1.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Patch

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index ecb9eea389..49f136e845 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -96,7 +96,6 @@  config OPENSSL_WITH_DTLS
 
 config OPENSSL_WITH_NPN
 	bool
-	default y
 	prompt "Enable NPN support"
 	help
 		NPN is a TLS extension, obsoleted and replaced with ALPN,
@@ -246,10 +245,15 @@  comment "Engine/Hardware Support"
 
 config OPENSSL_ENGINE
 	bool "Enable engine support"
+	default y
 	help
 		This enables alternative cryptography implementations,
 		most commonly for interfacing with external crypto devices,
 		or supporting new/alternative ciphers and digests.
+		If you compile the library with this option disabled, packages built
+		using an engine-enabled library (i.e. from the official repo) may
+		fail to run.  Compile and install the packages with engine support
+		disabled, and you should be fine.
 		Note that you need to enable KERNEL_AIO to be able to build the
 		afalg engine package.
 
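Review bot: The help text added to OPENSSL_ENGINE says "(i.e. from the official repo)", but the official repo is only one example of an engine-enabled build, so `e.g.` is meant; the closing "and you should be fine" is also informal and leaves open which packages must be rebuilt. A tighter version of the two added sentences would be `Packages built against an engine-enabled libopenssl (e.g. those from the official repo) may fail to run if this option is disabled; rebuild those packages against the engine-less library instead.` Since the default becomes y here, one more line explaining what the option turns on would help users deciding whether to keep it, presumably that engine support lets libcrypto load engine modules from the ENGINES_DIR shown in the Makefile, which is the behaviour a user shrinking the library's attack surface would be removing.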
@@ -271,12 +275,6 @@  config OPENSSL_ENGINE_BUILTIN_AFALG
 		This enables use of hardware acceleration through the
 		AF_ALG kernel interface.
 
-config OPENSSL_ENGINE_CRYPTO
-	# This symbol is deprecated.  Currently it is used by the openssh package.
-	# Once openwrt/packages#8272 is merged, this can be safely removed.
-	bool
-	default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
-
 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
 	bool
 	prompt "Acceleration support through /dev/crypto"
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index cb25c5557c..49cea8e45a 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@  PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=b
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1