On 11/20/19 12:18 PM, Ryan Harkin wrote:
> Hi all,
> 
> I'm struggling with backporting OpenSSL to my Sumo build [1], so wondered if
> anyone else had done something similar with success.
> 
> I copied "meta/recipes-connectivity/openssl" from Poky master branch [2] into my
> own layer [3]. It didn't pick up, so I discovered I needed to add
> a PREFERRED_VERSION, e.g.:
> 
> +PREFERRED_VERSION_openssl ?= "1.1.%"
> +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> 
> Now it builds fine. However, I no longer have /usr/bin/openssl in my disk image.
> 
> It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't seem to
> make any difference.
> 
> What am I missing?
> 
> Thanks,
> Ryan.
> 
> [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.

You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
everything that needs OpenSSL to understand the new API.

For CVE fixes, typically you would patch 1.0.2p, or update to the latest
(1.0.2t) as you go.  (If you have an OSV, this should be part of the services
that they offer you.)

In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
from what I read) exists and has FIPS-140-2 support available -- people will
continue to use 1.0.2 and maintain it as necessary for security.

As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/

This version is for thud, warrior, zeus and master.  It is intended to be
maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
needs have been met by OpenSSL.

--Mark

> [2] http://git.yoctoproject.org/git/poky
> I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
> and all the other files in the directory.
> 
> [3] I have a clone of Linaro's meta-backports. I'm trying to generate a patch to
> submit for review there.
> https://git.linaro.org/openembedded/meta-backports.git
> 