* [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
@ 2020-07-06 15:23 Hannu Lounento
2020-07-06 21:32 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 3+ messages in thread
From: Hannu Lounento @ 2020-07-06 15:23 UTC (permalink / raw)
To: openembedded-core; +Cc: Hannu Lounento
Some openssl command line operations like creating an X.509 CSR require
the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
which is the case e.g. in core-image-minimal with just the
package openssl-bin added to the image by declaring
IMAGE_INSTALL_append = " openssl-bin"
e.g. in local.conf.
The file does not exist in the aforementioned image / configuration
because it is packaged to the main openssl package
FILES_${PN} =+ "${libdir}/ssl-1.1/*"
(there is no other FILES specification that would match the file either)
and
path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
[...]
/usr/lib/ssl-1.1/openssl.cnf
[...]
Hence make the ${PN}-bin package rdepend on the main package to have the
required file /usr/lib/ssl-1.1/openssl.cnf installed.
Note that the openssl recipe has the comment
Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
package RRECOMMENDS on this package. This will enable the configuration
file to be installed for both the openssl-bin package and the libcrypto
package since the openssl-bin package depends on the libcrypto package.
but openssl-conf only contains /etc/ssl/openssl.cnf
path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
/etc
/etc/ssl
/etc/ssl/openssl.cnf
/usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
../../../etc/ssl/openssl.cnf.
Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
---
meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index 66fa8f7d0a..0ac40091fd 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -201,6 +201,7 @@ CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
RRECOMMENDS_libcrypto += "openssl-conf"
RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
+RDEPENDS_${PN}-bin += "${PN}"
BBCLASSEXTEND = "native nativesdk"
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
2020-07-06 15:23 [PATCH] openssl: make ${PN}-bin rdepend on ${PN} Hannu Lounento
@ 2020-07-06 21:32 ` Richard Purdie
2020-07-07 11:06 ` Hannu Lounento
0 siblings, 1 reply; 3+ messages in thread
From: Richard Purdie @ 2020-07-06 21:32 UTC (permalink / raw)
To: Hannu Lounento, openembedded-core
On Mon, 2020-07-06 at 18:23 +0300, Hannu Lounento wrote:
> Some openssl command line operations like creating an X.509 CSR require
> the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
>
> root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
> Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
> 140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
> 140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
>
> which is the case e.g. in core-image-minimal with just the
> package openssl-bin added to the image by declaring
>
> IMAGE_INSTALL_append = " openssl-bin"
>
> e.g. in local.conf.
>
> The file does not exist in the aforementioned image / configuration
> because it is packaged to the main openssl package
>
> FILES_${PN} =+ "${libdir}/ssl-1.1/*"
>
> (there is no other FILES specification that would match the file either)
> and
>
> path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
> [...]
> /usr/lib/ssl-1.1/openssl.cnf
> [...]
>
> Hence make the ${PN}-bin package rdepend on the main package to have the
> required file /usr/lib/ssl-1.1/openssl.cnf installed.
>
> Note that the openssl recipe has the comment
>
> Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
> package RRECOMMENDS on this package. This will enable the configuration
> file to be installed for both the openssl-bin package and the libcrypto
> package since the openssl-bin package depends on the libcrypto package.
>
> but openssl-conf only contains /etc/ssl/openssl.cnf
>
> path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
> /etc
> /etc/ssl
> /etc/ssl/openssl.cnf
>
> /usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
> ../../../etc/ssl/openssl.cnf.
>
> Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
> ---
> meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
> 1 file changed, 1 insertion(+)
Perhaps the correct fix here is to move the config file in /usr to the
-conf package?
Cheers,
Richard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] openssl: make ${PN}-bin rdepend on ${PN}
2020-07-06 21:32 ` [OE-core] " Richard Purdie
@ 2020-07-07 11:06 ` Hannu Lounento
0 siblings, 0 replies; 3+ messages in thread
From: Hannu Lounento @ 2020-07-07 11:06 UTC (permalink / raw)
To: Richard Purdie, openembedded-core
On 07/07/2020 00:32, Richard Purdie wrote:
> On Mon, 2020-07-06 at 18:23 +0300, Hannu Lounento wrote:
>> Some openssl command line operations like creating an X.509 CSR require
>> the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't
>>
>> root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
>> Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
>> 140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
>> 140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:
>>
>> which is the case e.g. in core-image-minimal with just the
>> package openssl-bin added to the image by declaring
>>
>> IMAGE_INSTALL_append = " openssl-bin"
>>
>> e.g. in local.conf.
>>
>> The file does not exist in the aforementioned image / configuration
>> because it is packaged to the main openssl package
>>
>> FILES_${PN} =+ "${libdir}/ssl-1.1/*"
>>
>> (there is no other FILES specification that would match the file either)
>> and
>>
>> path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
>> [...]
>> /usr/lib/ssl-1.1/openssl.cnf
>> [...]
>>
>> Hence make the ${PN}-bin package rdepend on the main package to have the
>> required file /usr/lib/ssl-1.1/openssl.cnf installed.
>>
>> Note that the openssl recipe has the comment
>>
>> Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
>> package RRECOMMENDS on this package. This will enable the configuration
>> file to be installed for both the openssl-bin package and the libcrypto
>> package since the openssl-bin package depends on the libcrypto package.
>>
>> but openssl-conf only contains /etc/ssl/openssl.cnf
>>
>> path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
>> /etc
>> /etc/ssl
>> /etc/ssl/openssl.cnf
>>
>> /usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
>> ../../../etc/ssl/openssl.cnf.
>>
>> Signed-off-by: Hannu Lounento <hannu.lounento@vaisala.com>
>> ---
>> meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
>> 1 file changed, 1 insertion(+)
>
> Perhaps the correct fix here is to move the config file in /usr to the
> -conf package?
Ok, I sent v2. I also moved /usr/lib/ssl-1.1/openssl.cnf.dist as it
seemed closely related.
Hopefully the v2 is good because based on some quick research there have
been fairly many changes related to the configuration file and its
location due to various issues.
What I found out was that the commit
4d3c79df13920b4f095ae12caf43e866318c3143 in 2013 moved the file from
${PN}-misc to ${PN}-conf package and made libcrypto RRECOMMEND
${PN}-conf. In 2018 the commit 13e0be4efc23fcc1a71adba1b6707ecf59fbae29
moved the file into the main openssl package referencing a discussion on
the mailing list:
openssl: move the libdir openssl.cnf symlink into the openssl package
The openssl 1.0 recipe puts the libdir symlink to /etc/ssl/openssl.cnf
in the base openssl package (along with the libdir symlinks to
/etc/ssl/certs and /etc/ssl/private). Keep the openssl 1.1 recipe
aligned with that approach until there's a clear reason to do
something else. For more background, see comments in the following
thread:
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html
(From OE-Core rev: 480335803928c95e7948f8c949127ccb5cbc7dbe)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Additionally there were few other openssl.cnf related commits based on
grepping the history but those didn't seem that relevant:
bd6052d9d1 buildtools-tarball: export OPENSSL_CONF for openssl
a842b02a87 openssl: Handle -conf package file conflicts
f9ad66da9f openssl-nativesdk: Fix "can't open config file" warning
c1ce0d9a9e lib/oe/rootfs: Fix DEBUGFS generation for opkg & openssl-cnf
A change related to the aforementioned mailing list discussion was done
and reverted in 2017 but didn't seem relevant either:
7fe30a5df4 Revert "openssl: Fix symlink creation"
070f3aa74f openssl: Fix symlink creation
>
> Cheers,
>
> Richard
>
Thanks,
--
Hannu Lounento
hannu.lounento@vaisala.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-07 11:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-06 15:23 [PATCH] openssl: make ${PN}-bin rdepend on ${PN} Hannu Lounento
2020-07-06 21:32 ` [OE-core] " Richard Purdie
2020-07-07 11:06 ` Hannu Lounento
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.