On Mon, 2026-02-23 at 18:29 +0000, Paul Barker wrote:
> On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> > This allows configuration (such as enabling providers) to be done by
> > adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> > copy of the full configuration file. As new snippets can be added from
> > separate recipes, targeted changes can be done in multiple layers.
> > 
> > For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> > containing something like:
> >   [default_sect]
> >   activate = 1
> > 
> >   [provider_sect]
> >   pkcs11 = pkcs11_sect
> > 
> >   [pkcs11_sect]
> >   pkcs11-module-path = /usr/lib/libckteec.so.0
> >   pkcs11-module-quirks = no-operation-state no-deinit
> >   pkcs11-module-encode-provider-uri-to-pem = true
> >   activate = 1
> > 
> > Signed-off-by: Jan Luebbe <[email protected]>
> > ---
> >  meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > index c0d02b617ba5..94fda03ea206 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > @@ -186,6 +186,13 @@ do_install () {
> >     fi
> >  }
> >  
> > +do_install:append:class-target () {
> > +        # Add support for config snippet includes
> > +        echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> > +        echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >>
> > ${D}${sysconfdir}/ssl/openssl.cnf
> > +        install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> > +}
> > +
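Review bot: the `.include ${sysconfdir}/ssl/openssl.cnf.d` line is appended after the last section of the stock openssl.cnf, and OpenSSL processes an include in place, so a snippet that does not begin with a section header adds its keys to whichever section closes the stock file rather than to a section of its own; the comment `# Add support for config snippet includes` should say that each snippet must start with its own section header (as the pkcs11.cnf example in the commit message does) and that only files ending in .cnf or .conf are picked up. The echo line carrying the directive also appears wrapped across two lines here, so confirm it is a single line in the applied patch. Since the append is limited to class-target, native and nativesdk builds keep an openssl.cnf without the include directory; if that is intentional, a sentence in the commit message would save the question later.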
> 
> Has there been any discussion with upstream about adding this to
> openssl.cnf by default?

It's a built-in feature in OpenSSL since 1.1.1
https://github.com/openssl/openssl/pull/5351
and was introduced specifically for simplifying configurations when shipping
OpenSSL as part of an OS
https://github.com/openssl/openssl/issues/4962

Adding configuration necessary for engines (now also providers) was also
mentioned in the issue.

https://docs.openssl.org/3.6/man5/config/ says "As a general rule, the pathname
should be an absolute path", which is the case here.

> I see that CentOS Stream 10 has a similar include directive in
> openssl.cnf, but Debian does not. I wonder if upstream considers this to
> be "safe".

The approach of snippets in .d directories is used by many other packages as well
(systemd, openssh, iproute2, sudo, udev, chrony). In some cases the search paths
are hard-coded, in others they are explicitly configured in the "top level"
configuration.

Configuration in /etc needs to be protected against unauthorized modification,
but that applies to /ssl/openssl.cnf.d/foo.cnf in the same way as for
/ssl/openssl.cnf.

Best regards
Jan
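The following is an added example, not code from the patch or from OpenSSL. It is a small Python model of how OpenSSL resolves a `.include` of a snippet directory (section headers, key = value pairs, `.include` of a file or directory, with the current section surviving across includes), laid out the way the recipe change produces /etc/ssl/openssl.cnf and openssl.cnf.d, together with the ownership/permission check that Jan's last paragraph implies. The names MiniConf, build_demo_tree, unsafe_snippets and demo, the stock openssl.cnf content and the snippet files are all constructed here; the model sorts directory entries for determinism and skips an unreadable include path silently, which is an assumption about the real parser that snippet authors should not rely on.

```python
"""Constructed model of OpenSSL's `.include` handling for a snippet directory,
plus a permission check for the snippets.  Added example: MiniConf,
build_demo_tree, unsafe_snippets and demo are made-up names, and this is
not OpenSSL's own parser."""
import os
import stat
import tempfile


class MiniConf:
    """Minimal OpenSSL-style config reader: [section] headers, key = value
    pairs, '#' comments and the .include directive (file or directory).
    The current section is parser state that survives across includes,
    which is the behaviour that matters for snippet files."""

    def __init__(self):
        self.sections = {"default": {}}   # "default" is the global section
        self.section = "default"

    def load(self, path):
        with open(path) as fh:
            for raw in fh:
                self._line(raw)
        return self.sections

    def _line(self, raw):
        line = raw.split("#", 1)[0].strip()
        if not line:
            return
        if line.startswith(".include"):
            # both ".include path" and ".include = path" are accepted
            target = line[len(".include"):].strip().lstrip("=").strip()
            self._include(target)
            return
        if line.startswith("[") and line.endswith("]"):
            self.section = line[1:-1].strip()
            self.sections.setdefault(self.section, {})  # reopening appends
            return
        key, _, value = line.partition("=")
        self.sections.setdefault(self.section, {})[key.strip()] = value.strip()

    def _include(self, target):
        if os.path.isdir(target):
            # only *.cnf / *.conf are included; sorted here for a
            # deterministic demo, snippets should not rely on ordering
            for name in sorted(os.listdir(target)):
                if name.endswith((".cnf", ".conf")):
                    self.load(os.path.join(target, name))
        elif os.path.isfile(target):
            self.load(target)
        # a missing or unreadable include path is skipped in this model


def unsafe_snippets(directory):
    """Snippet files that are group/world writable or not owned by the
    owner of the directory (root on a real system).  A writable snippet
    is as dangerous as a writable openssl.cnf."""
    dir_uid = os.stat(directory).st_uid
    bad = []
    for name in sorted(os.listdir(directory)):
        st = os.stat(os.path.join(directory, name))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or st.st_uid != dir_uid:
            bad.append(name)
    return bad


def build_demo_tree(root):
    """Write a constructed openssl.cnf and snippet directory under root,
    laid out the way the recipe change produces them."""
    ssl_dir = os.path.join(root, "etc", "ssl")
    snippets = os.path.join(ssl_dir, "openssl.cnf.d")
    os.makedirs(snippets)
    cnf = os.path.join(ssl_dir, "openssl.cnf")
    with open(cnf, "w") as fh:
        fh.write("openssl_conf = openssl_init\n"
                 "[openssl_init]\nproviders = provider_sect\n"
                 "[provider_sect]\ndefault = default_sect\n"
                 "[default_sect]\n# activate = 1\n"
                 "\n.include %s\n" % snippets)
    # the pkcs11 snippet from the commit message (quirks lines omitted)
    with open(os.path.join(snippets, "pkcs11.cnf"), "w") as fh:
        fh.write("[default_sect]\nactivate = 1\n"
                 "[provider_sect]\npkcs11 = pkcs11_sect\n"
                 "[pkcs11_sect]\npkcs11-module-path = /usr/lib/libckteec.so.0\n"
                 "activate = 1\n")
    # a snippet with no section header: its key lands in whatever section
    # was open when it was read (pkcs11_sect, left open by pkcs11.cnf)
    with open(os.path.join(snippets, "zz-headerless.cnf"), "w") as fh:
        fh.write("stray = 1\n")
    # wrong extension: ignored even though it looks like config
    with open(os.path.join(snippets, "README.txt"), "w") as fh:
        fh.write("[readme_sect]\nignored = 1\n")
    return cnf, snippets


def demo():
    """Build the tree, make one snippet world-writable, and return the
    merged sections plus the list of unsafe snippet files."""
    with tempfile.TemporaryDirectory() as root:
        cnf, snippets = build_demo_tree(root)
        os.chmod(os.path.join(snippets, "zz-headerless.cnf"), 0o666)
        return MiniConf().load(cnf), unsafe_snippets(snippets)


if __name__ == "__main__":
    sections, bad = demo()
    for name, keys in sections.items():
        print("[%s] %s" % (name, keys))
    print("unsafe snippets:", bad)
```

Running it shows the two things a recipe dropping files into openssl.cnf.d should keep in mind: a snippet that opens its own sections merges cleanly into the stock `[default_sect]` and `[provider_sect]`, while the header-less snippet ends up extending `[pkcs11_sect]` simply because that was the last section open, and a world-writable snippet is flagged just as a world-writable openssl.cnf would be.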