On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> This allows configuration (such as enabling providers) to be done by
> adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> copy of the full configuration file. As new snippets can be added from
> separate recipes, targeted changes can be done in multiple layers.
> 
> For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> containing something like:
>   [default_sect]
>   activate = 1
> 
>   [provider_sect]
>   pkcs11 = pkcs11_sect
> 
>   [pkcs11_sect]
>   pkcs11-module-path = /usr/lib/libckteec.so.0
>   pkcs11-module-quirks = no-operation-state no-deinit
>   pkcs11-module-encode-provider-uri-to-pem = true
>   activate = 1
> 
> Signed-off-by: Jan Luebbe <[email protected]>
> ---
>  meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb 
> b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> index c0d02b617ba5..94fda03ea206 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> @@ -186,6 +186,13 @@ do_install () {
>       fi
>  }
>  
> +do_install:append:class-target () {
> +        # Add support for config snippet includes
> +        echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> +        echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> 
> ${D}${sysconfdir}/ssl/openssl.cnf
> +        install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> +}
> +
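
Review bot: The `.include` line in `do_install:append:class-target` is appended at the very end of openssl.cnf with no section header before it, so a snippet that begins with bare `key = value` lines would be parsed into whichever section happens to be last in the file. The comment should state that snippets must open with their own `[section]` header, as the pkcs11 example in the commit message does, and that only files ending in .cnf or .conf are read from the directory. Separately, `install -d` is called without `-m`. Any file placed in openssl.cnf.d can activate a provider module for every libcrypto user on the target, so an explicit `install -d -m 0755` and a note that the directory must stay root-owned and not writable by others would make the intent clear.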

Has there been any discussion with upstream about adding this to
openssl.cnf by default?

I see that CentOS Stream 10 has a similar include directive in
openssl.cnf, but Debian does not. I wonder if upstream considers this to
be "safe".

Best regards,

-- 
Paul Barker
