On Wed, 20 Nov 2019 at 19:09, Mark Hatle wrote:
> On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle wrote:
> > > On 11/20/19 12:18 PM, Ryan Harkin wrote:
> > > > Hi all,
> > > >
> > > > I'm struggling with backporting OpenSSL to my Sumo build [1], so wondered if
> > > > anyone else had done something similar with success.
> > > >
> > > > I copied "meta/recipes-connectivity/openssl" from Poky master branch [2] into my
> > > > own layer [3]. It didn't pick up, so I discovered I needed to add
> > > > a PREFERRED_VERSION, e.g.:
> > > >
> > > > +PREFERRED_VERSION_openssl ?= "1.1.%"
> > > > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> > > > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> > > >
> > > > Now it builds fine. However, I no longer have /usr/bin/openssl in my disk image.
> > > >
> > > > It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't seem to
> > > > make any difference.
> > > >
> > > > What am I missing?
> > > >
> > > > Thanks,
> > > > Ryan.
> > > >
> > > > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
> > >
> > > You know that 1.0.2 and 1.1 APIs are not compatible? So you will need to update
> > > everything that needs OpenSSL to understand the new API.
> >
> > So far, we're only using it in a shell script to sign an image and later verify
> > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>
> Correct, but there may be other components of the system that could be using the
> API that you are unaware of. On a system as old as Sumo, you will need to take
> precautions to ensure that ONLY the 1.1x version is being used. (There may be
> an openssl10 for compatibility that will need to be blacklisted.)

Good point. I'll check on it once I get it to work.

> > > For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> > > (1.0.2t) as you go. (If you have an OSV, this should be part of the services
> > > that they offer you.)
> > >
> > > In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> > > number of people actively using it in the world. Until 1.1/3.0 (won't be a 2.0
> > > from what I read) exists and has a FIPS-140-2 support available -- people will
> > > continue to use 1.0.2 and maintain it as necessary for security.
> > >
> > > As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> > >
> > > This version is for thud, warrior, zeus and master. It is intended to be
> > > maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> > > needs have been met by OpenSSL.
> >
> > Great, that looks like a better option anyway, assuming it has the latest fixes
> > I need, and doesn't give me the same build problem. Thanks for pointing it out.
> > I'll give it a go.
>
> It's better to work with the Sumo version for your needs. I just posted that as
> an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> Project have changed their defaults.

I pulled the whole openssl dir from your repo, added the layer.conf changes to my
layer.conf and rebuilt openssl and my image. Unfortunately, I still have no
/usr/bin/openssl in my disk image.

So I've added the RPROVIDES from Andre's in a vain attempt to get it to work:

RPROVIDES_${PN} += "openssl-bin"

... although I'm not hopeful it'll do the trick...

> --Mark
>
> > Thanks,
> > Ryan.
> >
> > > --Mark
> > >
> > > > [2] http://git.yoctoproject.org/git/poky
> > > > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
> > > > and all the other files in the directory.
> > > >
> > > > [3] I have a clone of Linaro's meta-backports. I'm trying to generate a
> > > > patch to submit for review there.
> > > > https://git.linaro.org/openembedded/meta-backports.git
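One way to pin down where the missing /usr/bin/openssl went after such a rebuild, as an added example that is not code from the thread or from any layer named in it: it assumes a finished build with the usual pkgdata/<MACHINE>/runtime layout (the files oe-pkgdata-util reads) and an image .manifest, and every path, package name and sample value below is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: after a rebuild, find out which runtime
# package actually ships /usr/bin/openssl and whether that package made it into
# the image. Assumptions: a finished build whose TMPDIR holds
# pkgdata/<MACHINE>/runtime/ and an image .manifest under
# deploy/images/<MACHINE>/; the paths below are placeholders.

# Print the name of every runtime package whose FILES_INFO lists the path.
# Usage: pkg_for_path <pkgdata-runtime-dir> </absolute/path>
pkg_for_path() {
    _dir="$1"; _path="$2"
    # FILES_INFO is a JSON object keyed by absolute file path, so match the
    # quoted key; the closing quote keeps /usr/bin/openssl from matching
    # longer names such as /usr/bin/openssl-something.
    grep -l "^FILES_INFO: .*\"$_path\"" "$_dir"/* 2>/dev/null |
        while IFS= read -r _f; do basename "$_f"; done
}

# Succeed if the package is listed in the image manifest ("name arch version").
# Usage: in_manifest <image.manifest> <package>
in_manifest() {
    grep -q "^$2 " "$1"
}

# Walk-through (placeholder paths; run from the build directory):
#   PKGDATA=tmp/pkgdata/qemux86-64/runtime
#   MANIFEST=tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.manifest
#
#   # 1. Confirm the PREFERRED_VERSION really selected the backported recipe.
#   bitbake -e openssl | grep -E '^(PREFERRED_VERSION_openssl|PV)='
#
#   # 2. See which package carries the binary. It need not be ${PN}: the
#   #    thread itself mentions an openssl-bin package, so check rather than
#   #    assume before editing FILES_${PN} or RPROVIDES.
#   pkg=$(pkg_for_path "$PKGDATA" /usr/bin/openssl)
#
#   # 3. Check whether that package was pulled into the image at all; if it
#   #    was built but never installed, the fix is on the image side.
#   in_manifest "$MANIFEST" "$pkg" || echo "$pkg is built but not installed"
```

A package that is built but absent from the manifest is an IMAGE_INSTALL problem, not a recipe packaging problem, which is the distinction the thread never reaches.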