On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
<mark.ha...@kernel.crashing.org> wrote:
> On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.ha...@kernel.crashing.org> wrote:
> >
> >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
> >     everything that needs OpenSSL to understand the new API.
> >
> >
> > So far, we're only using it in a shell script to sign an image and later verify
> > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>
> Correct, but there may be other components of the system that could be using the
> API that you are unaware of.  On a system as old as Sumo, you will need to take
> precautions to ensure that ONLY the 1.1x version is being used.  (There may be
> an openssl10 for compatibility that will need to be blacklisted.)
>
> >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the services
> >     that they offer you.)
> >
> >
> >     In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> >     number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
> >     from what I read) exists and has a FIPS-140-2 support available -- people will
> >     continue to use 1.0.2 and maintain it as necessary for security.
> >
> >     As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> >
> >     This version is for thud, warrior, zeus and master.  It is intended to be
> >     maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> >     needs have been met by OpenSSL.
> >
> >
> > Great, that looks like a better option anyway, assuming it has the latest fixes
> > I need, and doesn't give me the same build problem.  Thanks for pointing it out.
> > I'll give it a go.
>
> It's better to work with the Sumo version for your needs.  I just posted that as
> an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> Project have changed their defaults.

If you want an up to date openssl 1.0.2 recipe which is compatible
with Sumo, you can find one here:

  https://github.com/armcc/meta-plumewifi

I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
but it should work for all versions in between (and if it doesn't I'll
accept patches or try to fix it).