* [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
@ 2017-07-05  8:11 kai.kang
  2017-07-05  8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
                   ` (10 more replies)
  0 siblings, 11 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Patches to add distro feature openssl-no-weak-ciphers have been sent to oe-core.

Jackie Huang (1):
  net-snmp: disable des for openssl-no-weak-ciphers

Kai Kang (9):
  Set packages conflict with distro feature openssl-no-weak-ciphers
  hostapd: disable configs depends on des if openssl not support
  krb5: toggle configure option pkinit
  libp11: fix compile error if OPENSSL_NO_EC defined
  opensc: add PACKAGECONFIG openssl
  uftp: set NO_EC if openssl not support ec
  stunnel: fix compile error when openssl disable des support
  poco: disable package configs NetSSL and Crypto
  postgresql: configure without openssl if openssl disable weak ciphers

 .../freeradius/freeradius_3.0.14.bb                |  5 +-
 .../recipes-daemons/openhpi/openhpi_3.6.1.bb       |  5 +-
 .../net-snmp/net-snmp-fix-for-disable-des.patch    | 32 +++++++++++++
 .../recipes-protocols/net-snmp/net-snmp_5.7.3.bb   |  5 +-
 .../recipes-support/dovecot/dovecot_2.2.29.bb      |  4 +-
 .../ipsec-tools/ipsec-tools_0.8.2.bb               |  4 +-
 .../recipes-support/openvpn/openvpn_2.4.2.bb       |  4 +-
 .../stunnel/stunnel/fix-openssl-no-des.patch       | 54 ++++++++++++++++++++++
 .../recipes-support/stunnel/stunnel_5.35.bb        |  4 +-
 meta-networking/recipes-support/uftp/uftp_4.9.3.bb |  2 +
 .../recipes-connectivity/hostapd/hostapd_2.6.bb    | 16 +++++++
 meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb   |  4 +-
 .../recipes-connectivity/wvdial/wvstreams_4.6.1.bb |  5 +-
 meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb    |  5 ++
 .../recipes-extended/cfengine/cfengine_3.9.0.bb    |  4 +-
 meta-oe/recipes-extended/mailx/mailx_12.5-5.bb     |  5 +-
 meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb        |  4 +-
 meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb   |  2 +
 meta-oe/recipes-support/freerdp/freerdp_git.bb     |  4 +-
 ...-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch | 46 ++++++++++++++++++
 meta-oe/recipes-support/libp11/libp11_0.4.0.bb     |  4 +-
 meta-oe/recipes-support/opensc/opensc_0.16.0.bb    |  5 ++
 meta-oe/recipes-support/poco/poco_1.7.8.bb         |  1 +
 meta-oe/recipes-support/postgresql/postgresql.inc  |  2 +
 .../python/python-cryptography.inc                 |  4 +-
 25 files changed, 215 insertions(+), 15 deletions(-)
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
 create mode 100644 meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
 create mode 100644 meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch

-- 
2.10.1




* [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers kai.kang
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Distro feature openssl-no-weak-ciphers is introduced to disable
openssl weak ciphers such as des, md2 etc. So set packages which could
not work if openssl disables weak ciphers to conflict with distro feature
openssl-no-weak-ciphers.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb | 5 ++++-
 meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb             | 5 ++++-
 meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb            | 4 +++-
 meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb     | 4 +++-
 meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb             | 4 +++-
 meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb               | 5 ++++-
 meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb                      | 5 +++++
 meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb                  | 4 +++-
 meta-oe/recipes-extended/mailx/mailx_12.5-5.bb                       | 5 ++++-
 meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb                          | 4 +++-
 meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb                     | 2 ++
 meta-oe/recipes-support/freerdp/freerdp_git.bb                       | 4 +++-
 meta-python/recipes-devtools/python/python-cryptography.inc          | 4 +++-
 13 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
index 6971b03..18b12d9 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.14.bb
@@ -84,7 +84,10 @@ PACKAGECONFIG[python] = "--with-rlm_python --with-rlm-python-bin=${STAGING_BINDI
 PACKAGECONFIG[rest] = "--with-rlm_rest,--without-rlm_rest,curl json-c"
 PACKAGECONFIG[ruby] = "--with-rlm_ruby,--without-rlm_ruby,ruby"
 
-inherit useradd autotools-brokensep update-rc.d systemd
+inherit useradd autotools-brokensep update-rc.d systemd distro_features_check
+
+# requires openssl ec support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 # This is not a cpan or python based package, but it needs some definitions
 # from cpan-base and python-dir bbclasses for building rlm_perl and rlm_python
diff --git a/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb b/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
index db2a24a..4d6c3fb 100644
--- a/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
+++ b/meta-networking/recipes-daemons/openhpi/openhpi_3.6.1.bb
@@ -45,7 +45,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.gz \
 SRC_URI[md5sum] = "4718b16e0f749b5ad214a9b04f45dd23"
 SRC_URI[sha256sum] = "e0a810cb401c4bdcfc9551f2e6afd5a8ca4b411f5ee3bc60c19f82fd6e84a3dc"
 
-inherit autotools pkgconfig ptest update-rc.d systemd
+inherit autotools pkgconfig ptest update-rc.d systemd distro_features_check
+
+# requires net-snmp enable des and openssl md2 support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PACKAGES =+ "${PN}-libs"
 
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
index b2a3de3..ff2598e 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.29.bb
@@ -18,7 +18,9 @@ DEPENDS_append_libc-musl = " libtirpc"
 CFLAGS_append_libc-musl = " -I${STAGING_INCDIR}/tirpc"
 LDFLAGS_append_libc-musl = " -ltirpc"
 
-inherit autotools pkgconfig systemd useradd
+inherit autotools pkgconfig systemd useradd distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ldap pam', d)}"
 
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
index d7e8b25..7f4bc4c 100644
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
@@ -28,7 +28,9 @@ SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${P
 SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
 SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"
 
-inherit autotools systemd
+inherit autotools systemd distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 # Options:
 #  --enable-adminport      enable admin port
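
Review bot: the added `CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"` line after the inherit carries no comment saying which OpenSSL algorithm ipsec-tools needs, unlike the freeradius, openhpi and wvstreams hunks in this patch (`# requires openssl des support` and similar). Please add the reason, so the conflict can be dropped once the recipe builds without that algorithm.
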
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
index ae72671..9f5b9f5 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.2.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e9b64491ec98eb6c6493ac5e4118f107"
 DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-inherit autotools systemd
+inherit autotools systemd distro_features_check
 
 SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
            file://openvpn \
@@ -15,6 +15,8 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
 SRC_URI[md5sum] = "0714019e109a043e858278c9e2ca18e0"
 SRC_URI[sha256sum] = "b24740c9d44a81eaf2befc4846d51445a520104321e32aaf0c135ed2e098a624"
 
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
 SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
 SYSTEMD_AUTO_ENABLE = "disable"
 
diff --git a/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb b/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
index 607a617..dcd86a2 100644
--- a/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
+++ b/meta-oe/recipes-connectivity/wvdial/wvstreams_4.6.1.bb
@@ -17,7 +17,10 @@ SRC_URI = "http://${BPN}.googlecode.com/files/${BP}.tar.gz \
 SRC_URI[md5sum] = "2760dac31a43d452a19a3147bfde571c"
 SRC_URI[sha256sum] = "8403f5fbf83aa9ac0c6ce15d97fd85607488152aa84e007b7d0621b8ebc07633"
 
-inherit autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig distro_features_check
+
+# requires openssl des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PARALLEL_MAKE = ""
 
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
index 7fde778..83c917a 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_4.8.3.bb
@@ -17,6 +17,11 @@ SRC_URI[sha256sum] = "d84e7544c2e31a2d0825b4f8b093d169bf8bdb1881ee8cf75ff937918e
 
 S = "${WORKDIR}/node-v${PV}"
 
+inherit distro_features_check
+
+# requires openssl des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
 # v8 errors out if you have set CCACHE
 CCACHE = ""
 
diff --git a/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb b/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
index 4aa8ded..9d0c553 100644
--- a/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
+++ b/meta-oe/recipes-extended/cfengine/cfengine_3.9.0.bb
@@ -23,7 +23,7 @@ SRC_URI = "https://cfengine-package-repos.s3.amazonaws.com/tarballs/${BP}.tar.gz
 SRC_URI[md5sum] = "63da39655cfca30ca885fcc4a1bf8aa4"
 SRC_URI[sha256sum] = "32a38aedf1199c2361e1335e0d4a1d98f9efa7cd591bcb647f35c7395bb66f2d"
 
-inherit autotools systemd
+inherit autotools systemd distro_features_check
 
 export EXPLICIT_VERSION="${PV}"
 
@@ -68,3 +68,5 @@ EOF
 }
 
 RDEPENDS_${PN} += "${BPN}-masterfiles"
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
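
Review bot: `CONFLICT_DISTRO_FEATURES` is appended at the very end of the recipe, after `RDEPENDS_${PN}`, while the `distro_features_check` inherit that consumes it was added near the top in the previous hunk. Keep the assignment next to the inherit line as the other recipes in this patch do, and add a comment naming the OpenSSL feature cfengine requires.
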
diff --git a/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb b/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
index 9dd710a..b9eb607 100644
--- a/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
+++ b/meta-oe/recipes-extended/mailx/mailx_12.5-5.bb
@@ -33,7 +33,10 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>((\d+\.*)+)-((\d+\.*)+))\.(diff|debian\.tar)\.(
 
 S = "${WORKDIR}/heirloom-mailx-12.5"
 
-inherit autotools-brokensep
+inherit autotools-brokensep distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
 
 CFLAGS_append = " -D_BSD_SOURCE -DDEBIAN -I${S}/EXT"
 
diff --git a/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb b/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
index 90f0216..b4d7d1e 100644
--- a/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
+++ b/meta-oe/recipes-graphics/gegl/gegl_0.3.4.bb
@@ -5,7 +5,9 @@ DEPENDS = "babl librsvg glib-2.0 gtk+ pango cairo expat zlib libpng jpeg virtual
 
 EXTRA_OECONF = "--disable-docs"
 
-inherit gnomebase vala gobject-introspection
+inherit gnomebase vala gobject-introspection distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[jasper] = "--with-jasper,--without-jasper,jasper"
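
Review bot: nothing in this hunk shows why gegl conflicts with openssl-no-weak-ciphers: the added `CONFLICT_DISTRO_FEATURES` line has no comment, and the DEPENDS visible in the hunk header (truncated) lists no openssl. If the failure comes in through a dependency, name it in a comment above the assignment; skipping the whole recipe for an indirect dependency is worth justifying in the commit message as well.
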
diff --git a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
index b047bc4..f46855a 100644
--- a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
+++ b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.13.bb
@@ -21,6 +21,8 @@ DEPENDS = "openssl virtual/libx11 libxext jpeg zlib libxfixes libxrandr libxdama
 inherit autotools-brokensep distro_features_check
 # depends on virtual/libx11
 REQUIRED_DISTRO_FEATURES = "x11"
+# requires opens des support
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi', '', d)} libvncserver"
 PACKAGECONFIG[avahi] = "--with-avahi,--without-avahi,avahi"
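
Review bot: typo in the added comment, `# requires opens des support` should read `# requires openssl des support`, matching the wording used in the wvstreams and nodejs hunks.
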
diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_git.bb
index f2d0a4d..8825790 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_git.bb
@@ -8,7 +8,9 @@ SECTION = "net"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-inherit pkgconfig cmake gitpkgv
+inherit pkgconfig cmake gitpkgv distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 PV = "1.2.5+gitr${SRCPV}"
 PKGV = "${GITPKGVTAG}"
diff --git a/meta-python/recipes-devtools/python/python-cryptography.inc b/meta-python/recipes-devtools/python/python-cryptography.inc
index 9a74e8e..6f0c9ef 100644
--- a/meta-python/recipes-devtools/python/python-cryptography.inc
+++ b/meta-python/recipes-devtools/python/python-cryptography.inc
@@ -41,7 +41,9 @@ RDEPENDS_${PN}-ptest += " \
     ${PYTHON_PN}-pytest \
 "
 
-inherit ptest
+inherit ptest  distro_features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
 
 do_install_ptest() {
     install -d ${D}${PTEST_PATH}/tests
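
Review bot: `inherit ptest  distro_features_check` has a double space between the class names; use a single space. Since this is a shared .inc, the conflict applies to every recipe that includes it, so a comment stating which disabled OpenSSL algorithm breaks the build would help whoever revisits it.
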
-- 
2.10.1




* [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
  2017-07-05  8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support kai.kang
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Jackie Huang <jackie.huang@windriver.com>

net-snmp enables des support by default and fails to build with distro
feature openssl-no-weak-ciphers:

| ../../net-snmp-5.7.3/snmplib/scapi.c:82:25: fatal error: openssl/des.h: No such file or directory
|  #include <openssl/des.h>

To fix the issue:
* add a patch to include des.h only if it's found in openssl
* disable des when openssl-no-weak-ciphers is enabled

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../net-snmp/net-snmp-fix-for-disable-des.patch    | 32 ++++++++++++++++++++++
 .../recipes-protocols/net-snmp/net-snmp_5.7.3.bb   |  5 +++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
new file mode 100644
index 0000000..25eb9c9
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch
@@ -0,0 +1,32 @@
+From 270e952f58a7e5ddeabe5a15e3ddaaadf40017d0 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Thu, 22 Jun 2017 10:25:08 +0800
+Subject: [PATCH] net-snmp: fix for --disable-des
+
+Include des.h only if it's found in openssl so that
+the --disable-des works correctly.
+
+Upstream-Status: Submitted [net-snmp-coders@lists.sourceforge.net]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ snmplib/scapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/snmplib/scapi.c b/snmplib/scapi.c
+index 16ac829..271684b 100644
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -79,7 +79,9 @@ netsnmp_feature_child_of(usm_scapi, usm_support)
+ #include <openssl/hmac.h>
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
++#ifdef HAVE_OPENSSL_DES_H
+ #include <openssl/des.h>
++#endif
+ #ifdef HAVE_AES
+ #include <openssl/aes.h>
+ #endif
+-- 
+2.11.0
+
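
Review bot: only the `#include <openssl/des.h>` in snmplib/scapi.c is wrapped in `#ifdef HAVE_OPENSSL_DES_H`, and the embedded patch touches no configure input (diffstat: `snmplib/scapi.c | 2 ++`). Please confirm in the commit message that net-snmp's configure already defines HAVE_OPENSSL_DES_H and that the DES calls further down in scapi.c are already compiled out by --disable-des; otherwise the header guard only moves the failure from the include to the first DES symbol.
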
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
index 2d6887e..d3e72b2 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
            file://0002-configure-fix-a-cc-check-issue.patch \
            file://0003-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch \
            file://0004-configure-fix-incorrect-variable.patch \
+           file://net-snmp-fix-for-disable-des.patch \
            "
 SRC_URI[md5sum] = "9f682bd70c717efdd9f15b686d07baee"
 SRC_URI[sha256sum] = "e8dfc79b6539b71a6ff335746ce63d2da2239062ad41872fff4354cafed07a3e"
@@ -58,7 +59,9 @@ EXTRA_OECONF = "--enable-shared \
                 --with-defaults \
                 --with-install-prefix=${D} \
                 --with-persistent-directory=${localstatedir}/lib/net-snmp \
-                ${@base_conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)}"
+                ${@base_conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)} \
+                ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '--disable-des', '', d)} \
+"
 
 # net-snmp needs to have mib-modules=smux enabled to enable quagga to support snmp
 EXTRA_OECONF += "--with-mib-modules=smux"
-- 
2.10.1




* [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
  2017-07-05  8:11 ` [PATCH 01/10] Set packages conflict with distro feature openssl-no-weak-ciphers kai.kang
  2017-07-05  8:11 ` [meta-networking][PATCH 02/10] net-snmp: disable des for openssl-no-weak-ciphers kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit kai.kang
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers support which include des. Check the distro feature
to disable hostapd configs which depend on des.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
index 3b74f48..4a7275d 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.6.bb
@@ -26,6 +26,22 @@ do_configure() {
 }
 
 do_compile() {
+    COMMENT="# Disable configs depend on DES"
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'true', 'false', d)} \
+        && ! grep -q "$COMMENT" ${B}/.config; then
+        echo >> ${B}/.config
+        echo "$COMMENT" >> ${B}/.config
+        for config in CONFIG_EAP_MSCHAPV2 CONFIG_EAP_PEAP CONFIG_EAP_IKEV2 \
+                    CONFIG_EAP_TLS CONFIG_EAP_UNAUTH_TLS CONFIG_EAP_TTLS \
+                    CONFIG_EAP_FAST CONFIG_INTERNAL_LIBTOMMATH; do
+            sed -i -e "s/^$config=.*/#&/" ${B}/.config
+            echo "$config=n" >>${B}/.config
+        done
+
+        sed -i 's/^CONFIG_TLS=.*/#&/' ${B}/.config
+        echo 'CONFIG_TLS=internal' >>${B}/.config
+    fi
+
     export CFLAGS="-MMD -O2 -Wall -g -I${STAGING_INCDIR}/libnl3"
     make
 }
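
Review bot: in the for loop, `echo "$config=n" >>${B}/.config` may not switch the option off: if hostapd's Makefile tests these symbols with `ifdef`, a variable set to `n` is still defined, and the sed just before it that comments the original line out is what actually disables the option. Drop the `=n` lines or verify them against the Makefile. Two further points: `CONFIG_TLS=internal` moves hostapd off OpenSSL altogether, which goes beyond "disable configs depend on DES" and should be stated in the commit message; and patching .config from do_compile behind a grep marker is fragile, so this belongs in do_configure, just above.
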
-- 
2.10.1




* [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (2 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 03/10] hostapd: disable configs depends on des if openssl not support kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined kai.kang
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Toggle configure option pkinit of krb5 according to distro feature
openssl-no-weak-ciphers. openssl-no-weak-ciphers is introduced to
disable openssl weak ciphers support which include des. It could not
build plugin pkinit without openssl des support.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
index 61cdd60..013a7e1 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.15.1.bb
@@ -43,7 +43,9 @@ PACKAGECONFIG[keyutils] = "--enable-keyutils,--disable-keyutils,keyutils"
 PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
 PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 
-EXTRA_OECONF += " --without-tcl --with-system-et --disable-rpath"
+EXTRA_OECONF += "--without-tcl --with-system-et --disable-rpath \
+                 ${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '--disable-pkinit', '--enable-pkinit', d)} \
+                 "
 CACHED_CONFIGUREVARS += "krb5_cv_attr_constructor_destructor=yes ac_cv_func_regcomp=yes \
                   ac_cv_printf_positional=yes ac_cv_file__etc_environment=yes \
                   ac_cv_file__etc_TIMEZONE=no"
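
Review bot: pkinit is toggled inside EXTRA_OECONF, although the context lines just above already use PACKAGECONFIG for keyutils, ldap and readline. A `PACKAGECONFIG[pkinit] = "--enable-pkinit,--disable-pkinit"` entry, with the default chosen from DISTRO_FEATURES, would follow the recipe's own convention and keep the option overridable from a bbappend or local.conf.
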
-- 
2.10.1




* [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (3 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 04/10] krb5: toggle configure option pkinit kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl kai.kang
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Function compute_key_fn in src/p11_ec.c uses types EC_POINT and EC_KEY which are
defined in ec.h. If OPENSSL_NO_EC is defined, no header file ec.h exists and
causes compile errors.

../../git/src/p11_ec.c:45:8: error: unknown type name 'EC_POINT'
const EC_POINT *, const EC_KEY *,
    ^~~~~~~~
../../git/src/p11_ec.c:45:26: error: unknown type name 'EC_KEY'
const EC_POINT *, const EC_KEY *,
                      ^~~~~~

So check OPENSSL_NO_EC earlier in src/p11_ec.c to fix the error.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 ...-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch | 46 ++++++++++++++++++++++
 meta-oe/recipes-support/libp11/libp11_0.4.0.bb     |  4 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch

diff --git a/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch b/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
new file mode 100644
index 0000000..180a91f
--- /dev/null
+++ b/meta-oe/recipes-support/libp11/libp11/0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Submitted [https://github.com/OpenSC/libp11]
+
+src/p11_ec.c: check OPENSSL_NO_EC earlier
+
+Function compute_key_fn uses types EC_POINT and EC_KEY which are defined
+in ec.h. If OPENSSL_NO_EC is defined, no header file ec.h exists and
+causes compile errors.
+
+../../git/src/p11_ec.c:45:8: error: unknown type name 'EC_POINT'
+const EC_POINT *, const EC_KEY *,
+    ^~~~~~~~
+../../git/src/p11_ec.c:45:26: error: unknown type name 'EC_KEY'
+const EC_POINT *, const EC_KEY *,
+		      ^~~~~~
+So check OPENSSL_NO_EC earlier in src/p11_ec.c.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/p11_ec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/p11_ec.c b/src/p11_ec.c
+index 6b49775..fdf1f59 100644
+--- a/src/p11_ec.c
++++ b/src/p11_ec.c
+@@ -37,6 +37,8 @@
+ #include <openssl/ecdh.h>
+ #endif
+ 
++#ifndef OPENSSL_NO_EC
++
+ #if OPENSSL_VERSION_NUMBER >= 0x10100004L
+ typedef int (*compute_key_fn)(unsigned char **, size_t *,
+ 	const EC_POINT *, const EC_KEY *);
+@@ -49,8 +51,6 @@ static compute_key_fn ossl_ecdh_compute_key;
+ 
+ static int ec_ex_index = 0;
+ 
+-#ifndef OPENSSL_NO_EC
+-
+ /********** Manage EC ex_data */
+ 
+ /* NOTE: ECDH also uses ECDSA ex_data and *not* ECDH ex_data */
+-- 
+2.10.1
+
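
Review bot: moving `#ifndef OPENSSL_NO_EC` above the `compute_key_fn` typedef also pulls `ossl_ecdh_compute_key` and `static int ec_ex_index` inside the guard, but the hunk shows neither the matching `#else`/`#endif` nor whether the `#include <openssl/ecdh.h>` above it is itself guarded. Please check that nothing outside the guarded region still refers to those symbols. In the embedded patch header, Upstream-Status sits before the subject line and there is no From:/Subject: header; a link to the actual submission instead of the bare repository URL would make the status verifiable.
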
diff --git a/meta-oe/recipes-support/libp11/libp11_0.4.0.bb b/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
index d88006c..2961e0a 100644
--- a/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
+++ b/meta-oe/recipes-support/libp11/libp11_0.4.0.bb
@@ -8,7 +8,9 @@ LICENSE = "LGPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29"
 DEPENDS = "libtool openssl"
 
-SRC_URI = "git://github.com/OpenSC/libp11.git"
+SRC_URI = "git://github.com/OpenSC/libp11.git \
+           file://0001-src-p11_ec.c-check-OPENSSL_NO_EC-earlier.patch \
+           "
 SRCREV = "22de793340ab73cafc92f8238afb51a06d8411c3"
 
 S = "${WORKDIR}/git"
-- 
2.10.1




* [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (4 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 05/10] libp11: fix compile error if OPENSSL_NO_EC defined kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05 16:59   ` Peter Kjellerstedt
  2017-07-05  8:11 ` [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec kai.kang
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Add PACKAGECONFIG openssl to enable or disable build with openssl for
opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
remove PACKAGECONFIG openssl for opensc.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
index fd67181..fa7c81d 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
@@ -21,6 +21,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
 
 inherit autotools pkgconfig
 
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
+
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
+
 EXTRA_OECONF = " \
     --disable-static \
     --enable-openct \
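
Review bot: `PACKAGECONFIG_remove` in the recipe itself cannot be undone from a bbappend or local.conf, so with openssl-no-weak-ciphers set nobody can turn openssl back on for opensc. Fold the condition into the default instead, e.g. `PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}"`. The commit message should also say which part of opensc fails to build against the reduced OpenSSL.
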
-- 
2.10.1




* [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (5 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-networking][PATCH 08/10] stunnel: fix compile error when openssl disable des support kai.kang
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Distro feature openssl-no-weak-ciphers is introduced to make openssl
disable weak ciphers support which include ec algorithm. So set NO_EC
for uftp if openssl doesn't support ec.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-networking/recipes-support/uftp/uftp_4.9.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-support/uftp/uftp_4.9.3.bb b/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
index 1166f9a..6272792 100644
--- a/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
+++ b/meta-networking/recipes-support/uftp/uftp_4.9.3.bb
@@ -11,6 +11,8 @@ SRC_URI[sha256sum] = "9e9215af0315257c6cc4f40fbc6161057e861be1fff10a38a5564f699e
 
 DEPENDS = "openssl"
 
+EXTRA_OEMAKE = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'NO_EC=1', '', d)}"
+
 do_install () {
 	oe_runmake install DESTDIR=${D}
 }
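
Review bot: the added `EXTRA_OEMAKE` assignment passes `NO_EC=1` based on a feature whose name only mentions weak ciphers, and nothing in the recipe says that this feature also builds OpenSSL without EC. Add a one-line comment above the assignment (as done with `# requires openssl ec support` in the freeradius hunk of patch 01) so the link between the feature and NO_EC is visible.
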
-- 
2.10.1




* [meta-networking][PATCH 08/10] stunnel: fix compile error when openssl disable des support
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (6 preceding siblings ...)
  2017-07-05  8:11 ` [meta-networking][PATCH 07/10] uftp: set NO_EC if openssl not support ec kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 09/10] poco: disable package configs NetSSL and Crypto kai.kang
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

When openssl disables des support with configure option 'no-des', it
doesn't provide des related header file and functions. That causes
stunnel compile to fail. Fix it by checking macro OPENSSL_NO_DES to use
openssl des related library conditionally.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../stunnel/stunnel/fix-openssl-no-des.patch       | 54 ++++++++++++++++++++++
 .../recipes-support/stunnel/stunnel_5.35.bb        |  4 +-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch

diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
new file mode 100644
index 0000000..209b0dd
--- /dev/null
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Pending
+
+When openssl disable des support with configure option 'no-des', it doesn't
+provide des related header file and functions. That causes stunnel compile
+failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
+library conditionaly.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+diff --git a/src/common.h b/src/common.h
+index f7d38b0..bf485af 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -471,7 +471,9 @@ extern char *sys_errlist[];
+ #ifndef OPENSSL_NO_MD4
+ #include <openssl/md4.h>
+ #endif /* !defined(OPENSSL_NO_MD4) */
++#ifndef OPENSSL_NO_DES
+ #include <openssl/des.h>
++#endif
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+ #if OPENSSL_VERSION_NUMBER<0x10100000L
+diff --git a/src/protocol.c b/src/protocol.c
+index 587df09..8198eb6 100644
+--- a/src/protocol.c
++++ b/src/protocol.c
+@@ -66,7 +66,7 @@ NOEXPORT char *imap_server(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
+ NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+ NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
+ NOEXPORT char *ntlm1();
+ NOEXPORT char *ntlm3(char *, char *, char *, char *);
+@@ -1175,7 +1175,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+     fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
+     if(opt->protocol_username && opt->protocol_password) {
+         if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+             ntlm(c, opt);
+ #else
+             s_log(LOG_ERR, "NTLM authentication is not available");
+@@ -1216,7 +1216,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+     return NULL;
+ }
+ 
+-#ifndef OPENSSL_NO_MD4
++#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
+ 
+ /*
+  * NTLM code is based on the following documentation:
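Review bot: in the protocol.c part the condition `!defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)` is now written out three times (the prototypes, the call in connect_client, and the NTLM implementation), and the three copies have to stay identical for the file to build; defining a single macro once near the includes and testing it in all three places removes that risk. In the common.h part the new `#endif` has no trailing comment, unlike the `#endif /* !defined(OPENSSL_NO_MD4) */` directly above it. The `#else` branch still logs only "NTLM authentication is not available"; since a missing DES can now be the reason, the message could say which algorithm the build lacks.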
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.35.bb b/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
index 3e2e2c2..33eedf1 100644
--- a/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.35.bb
@@ -7,7 +7,9 @@ DEPENDS = "openssl zlib tcp-wrappers"
 
 RDEPENDS_${PN} += "perl"
 
-SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz"
+SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz \
+           file://fix-openssl-no-des.patch \
+"
 
 SRC_URI[md5sum] = "9079f5fafbccaf88b7d92b227d78249a"
 SRC_URI[sha256sum] = "ffa386ae4c825f35f35157c285e7402a6d58779ad8c3822f74a9d355b54aba1d"
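Review bot: the patch added to SRC_URI is marked Upstream-Status: Pending in its own header, so it needs to be sent to stunnel upstream, otherwise it has to be rebased at every version bump of this recipe. Applying it unconditionally is fine because its changes are guarded by OPENSSL_NO_DES. Since the SRC_URI line is being rewritten anyway, note that the tarball is still fetched over ftp://, so its integrity rests entirely on the checksum lines that follow.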
-- 
2.10.1




* [meta-oe][PATCH 09/10] poco: disable package configs NetSSL and Crypto
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (7 preceding siblings ...)
  2017-07-05  8:11 ` [meta-networking][PATCH 08/10] stunnel: fix compile error when openssl disable des support kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-05  8:11 ` [meta-oe][PATCH 10/10] postgresql: configure without openssl if openssl disable weak ciphers kai.kang
  2017-07-06 15:30 ` [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists Burton, Ross
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Distro feature openssl-no-weak-ciphers will disable openssl des support,
which causes a poco compile failure. Disable package configs NetSSL and
Crypto for poco if distro feature openssl-no-weak-ciphers exists.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-oe/recipes-support/poco/poco_1.7.8.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-support/poco/poco_1.7.8.bb b/meta-oe/recipes-support/poco/poco_1.7.8.bb
index 1b83735..c48f967 100644
--- a/meta-oe/recipes-support/poco/poco_1.7.8.bb
+++ b/meta-oe/recipes-support/poco/poco_1.7.8.bb
@@ -34,6 +34,7 @@ EXTRA_OECMAKE_append = " -DCMAKE_SKIP_RPATH=ON"
 # Foundation is built anyway and doesn't need to be listed explicitly
 # these don't have dependencies outside oe-core
 PACKAGECONFIG ??= "XML JSON MongoDB PDF Util Net NetSSL Crypto Data DataSQLite Zip"
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'NetSSL Crypto', '', d)}"
 
 PACKAGECONFIG[XML] = "-DENABLE_XML=ON -DEXPAT_LIBRARY:STRING=expat,-DENABLE_XML=OFF,expat"
 PACKAGECONFIG[JSON] = "-DENABLE_JSON=ON,-DENABLE_JSON=OFF"
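Review bot: `PACKAGECONFIG_remove` on the added line is applied after every other assignment, so once the distro feature is set a bbappend or local.conf can no longer turn NetSSL or Crypto back on. Folding the `bb.utils.contains` check into the `PACKAGECONFIG ??=` default on the line above keeps the same default and leaves it overridable. The commit message names only des as the cause, yet the line drops all of NetSSL and Crypto; the message should say why a narrower fix is not possible.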
-- 
2.10.1




* [meta-oe][PATCH 10/10] postgresql: configure without openssl if openssl disable weak ciphers
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (8 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 09/10] poco: disable package configs NetSSL and Crypto kai.kang
@ 2017-07-05  8:11 ` kai.kang
  2017-07-06 15:30 ` [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists Burton, Ross
  10 siblings, 0 replies; 16+ messages in thread
From: kai.kang @ 2017-07-05  8:11 UTC (permalink / raw)
  To: openembedded-devel

From: Kai Kang <kai.kang@windriver.com>

Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers. If it exists, openssl des support is disabled, which
causes the postgresql build to fail.

Remove PACKAGECONFIG 'openssl' if distro feature 'openssl-no-weak-ciphers'
exists.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta-oe/recipes-support/postgresql/postgresql.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc
index 812c2ae..b2c4b2f 100644
--- a/meta-oe/recipes-support/postgresql/postgresql.inc
+++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -65,6 +65,8 @@ PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,,"
 PACKAGECONFIG[libxml] = "--with-libxml,--without-libxml,libxml2,libxml2"
 PACKAGECONFIG[perl] = "--with-perl,--without-perl,perl,perl"
 
+PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
+
 EXTRA_OECONF += "--enable-thread-safety --disable-rpath \
     --datadir=${datadir}/${BPN} \
     --sysconfdir=${sysconfdir}/${BPN} \
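Review bot: the added `PACKAGECONFIG_remove` line switches off postgresql's whole openssl integration whenever the feature is set, so a feature meant to drop weak ciphers ends up building the database without TLS; the commit message should state that trade-off, or the des-related build failure should be fixed where it occurs. The hunk context shows PACKAGECONFIG entries for nls, libxml and perl only, so please confirm that an `openssl` entry exists elsewhere in postgresql.inc, and prefer a conditional default over `_remove` so the choice can still be overridden.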
-- 
2.10.1




* Re: [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
  2017-07-05  8:11 ` [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl kai.kang
@ 2017-07-05 16:59   ` Peter Kjellerstedt
  2017-07-06  0:50     ` Kang Kai
  0 siblings, 1 reply; 16+ messages in thread
From: Peter Kjellerstedt @ 2017-07-05 16:59 UTC (permalink / raw)
  To: kai.kang, openembedded-devel

> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> kai.kang@windriver.com
> Sent: 5 July 2017 10:11
> To: openembedded-devel@lists.openembedded.org
> Subject: [oe] [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
> 
> From: Kai Kang <kai.kang@windriver.com>
> 
> Add PACKAGECONFIG openssl to enable or disable build with openssl for
> opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
> remove PACKAGECONFIG openssl for opensc.
> 
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
>  meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-
> oe/recipes-support/opensc/opensc_0.16.0.bb
> index fd67181..fa7c81d 100644
> --- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
> +++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
> @@ -21,6 +21,11 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
> 
>  inherit autotools pkgconfig
> 
> +PACKAGECONFIG ??= "openssl"
> +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
> +
> +PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"

It is a bad idea to use _remove like this, because it makes it impossible to 
enable openssl again in a bbappend or via local.conf. It is better to do it 
like this:

PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}"
PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"

You should do it similarly for poco and postgresql as well.

> +
>  EXTRA_OECONF = " \
>      --disable-static \
>      --enable-openct \
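Review bot: the new `PACKAGECONFIG[openssl]` line lists `openssl` as the build dependency of the option, but the hunk context does not show the recipe's DEPENDS; if `openssl` is also listed there unconditionally, a `--disable-openssl` build still pulls openssl into the sysroot, so that entry should be dropped in the same patch.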
> --
> 2.10.1

//Peter




* Re: [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
  2017-07-05 16:59   ` Peter Kjellerstedt
@ 2017-07-06  0:50     ` Kang Kai
  0 siblings, 0 replies; 16+ messages in thread
From: Kang Kai @ 2017-07-06  0:50 UTC (permalink / raw)
  To: Peter Kjellerstedt, openembedded-devel

On 2017-07-06 00:59, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-devel-bounces@lists.openembedded.org
>> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
>> kai.kang@windriver.com
>> Sent: 5 July 2017 10:11
>> To: openembedded-devel@lists.openembedded.org
>> Subject: [oe] [meta-oe][PATCH 06/10] opensc: add PACKAGECONFIG openssl
>>
>> From: Kai Kang <kai.kang@windriver.com>
>>
>> Add PACKAGECONFIG openssl to enable or disable build with openssl for
>> opensc. Check DISTRO_FEATURE openssl-no-weak-ciphers. If it exists then
>> remove PACKAGECONFIG openssl for opensc.
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>>   meta-oe/recipes-support/opensc/opensc_0.16.0.bb | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb b/meta-
>> oe/recipes-support/opensc/opensc_0.16.0.bb
>> index fd67181..fa7c81d 100644
>> --- a/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
>> +++ b/meta-oe/recipes-support/opensc/opensc_0.16.0.bb
>> @@ -21,6 +21,11 @@ LIC_FILES_CHKSUM =
>> "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
>>
>>   inherit autotools pkgconfig
>>
>> +PACKAGECONFIG ??= "openssl"
>> +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
>> +
>> +PACKAGECONFIG_remove = "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', 'openssl', '', d)}"
> It is a bad idea to use _remove like this, because it makes it impossible to
> enable openssl again in a bbappend or via local.conf.

I do this intentionally so that if distro feature 'openssl-no-weak-ciphers'
exists, package config openssl is removed, since opensc will
fail to compile.
If this is not a good solution, just set CONFLICT_DISTRO_FEATURES as for 
other packages.

Thanks,
Kai

> It is better to do it
> like this:
>
> PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'openssl-no-weak-ciphers', '', 'openssl', d)}"
> PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
>
> You should do it similarly for poco and postgresql as well.
>
>> +
>>   EXTRA_OECONF = " \
>>       --disable-static \
>>       --enable-openct \
>> --
>> 2.10.1
> //Peter
>
>

-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
  2017-07-05  8:11 [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists kai.kang
                   ` (9 preceding siblings ...)
  2017-07-05  8:11 ` [meta-oe][PATCH 10/10] postgresql: configure without openssl if openssl disable weak ciphers kai.kang
@ 2017-07-06 15:30 ` Burton, Ross
  2017-07-07  0:48   ` Kang Kai
  10 siblings, 1 reply; 16+ messages in thread
From: Burton, Ross @ 2017-07-06 15:30 UTC (permalink / raw)
  To: Kang Kai; +Cc: OpenEmbedded Devel List

On 5 July 2017 at 09:11, <kai.kang@windriver.com> wrote:

> Patches to add distro feature openssl-no-weak-ciphers have been sent to
> oe-core.
>

FWIW I'm still not very keen on a distro feature for this.

Ross



* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
  2017-07-06 15:30 ` [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists Burton, Ross
@ 2017-07-07  0:48   ` Kang Kai
  2017-07-07  1:40     ` Andre McCurdy
  0 siblings, 1 reply; 16+ messages in thread
From: Kang Kai @ 2017-07-07  0:48 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OpenEmbedded Devel List

On 2017-07-06 23:30, Burton, Ross wrote:
>
> On 5 July 2017 at 09:11, <kai.kang@windriver.com 
> <mailto:kai.kang@windriver.com>> wrote:
>
>     Patches to add distro feature openssl-no-weak-ciphers have been
>     sent to oe-core.
>
>
> FWIW I'm still not very keen on a distro feature for this.

How about using a global variable rather than a distro feature and checking
whether it has been set?

Thanks,
Kai

>
> Ross


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 00/10] Fix compile errors if distro feature openssl-no-weak-ciphers exists
  2017-07-07  0:48   ` Kang Kai
@ 2017-07-07  1:40     ` Andre McCurdy
  0 siblings, 0 replies; 16+ messages in thread
From: Andre McCurdy @ 2017-07-07  1:40 UTC (permalink / raw)
  To: Kang Kai; +Cc: OpenEmbedded Devel List

On Thu, Jul 6, 2017 at 5:48 PM, Kang Kai <Kai.Kang@windriver.com> wrote:
> On 2017-07-06 23:30, Burton, Ross wrote:
>>
>> On 5 July 2017 at 09:11, <kai.kang@windriver.com
>> <mailto:kai.kang@windriver.com>> wrote:
>>
>>     Patches to add distro feature openssl-no-weak-ciphers have been
>>     sent to oe-core.
>>
>> FWIW I'm still not very keen on a distro feature for this.
>
> How about using a global variable rather than a distro feature and checking
> whether it has been set?

Does there need to be a bitbake variable at all? Can't other packages
detect which ciphers are supported by openssl by checking the openssl
headers etc in sysroot?

> Thanks,
> Kai
>
>> Ross
> --
> Regards,
> Neil | Kai Kang


^ permalink raw reply	[flat|nested] 16+ messages in thread
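
The header check Andre McCurdy asks about can be sketched as follows; this is an added example, not code from the thread or from OpenEmbedded. The sample header text, the feature names in `FEATURE_NEEDS` and the path layout in `load_header` are assumptions; the MD4/DES and EC requirements mirror the guards in the stunnel and uftp patches.

```python
import re

# Constructed sample in the style of an installed openssl/opensslconf.h
# (not taken from the thread): DES and EC disabled, MD4 left enabled.
SAMPLE_OPENSSLCONF = """\
/* opensslconf.h */
#ifndef OPENSSL_NO_DES
# define OPENSSL_NO_DES
#endif
#ifndef OPENSSL_NO_EC
# define OPENSSL_NO_EC
#endif
/*
#define OPENSSL_NO_MD4
*/
#if defined(OPENSSL_NO_DES) && !defined(NO_DES)
# define NO_DES
#endif
"""

# What each optional feature needs from OpenSSL (names are hypothetical).
# The entries mirror guards visible in the patches: stunnel's NTLM code
# needs MD4 and DES, uftp's NO_EC switch concerns EC.
FEATURE_NEEDS = {
    "stunnel-ntlm": {"MD4", "DES"},
    "uftp-ec": {"EC"},
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+OPENSSL_NO_([A-Z0-9_]+)\b", re.M)


def disabled_algorithms(header_text):
    """Return the set of X for every active '#define OPENSSL_NO_X'."""
    # Strip block comments first so a commented-out define is not counted.
    return set(_DEFINE.findall(_COMMENT.sub("", header_text)))


def feature_status(header_text, needs=FEATURE_NEEDS):
    """Map each feature to the sorted list of algorithms it lacks."""
    off = disabled_algorithms(header_text)
    return {name: sorted(req & off) for name, req in needs.items()}


def load_header(sysroot_incdir):
    """Read opensslconf.h below a sysroot include directory (layout assumed)."""
    with open(f"{sysroot_incdir}/openssl/opensslconf.h", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for feature, missing in feature_status(SAMPLE_OPENSSLCONF).items():
        print(feature, "disabled: needs " + ", ".join(missing) if missing else "ok")
```

A check like this reports what the openssl in the sysroot actually provides, so a recipe decision based on it stays correct even if the set of algorithms removed by a distro setting changes.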
