* [PATCH] ca-certificates: Fix openssl runtime cert dependencies
From: Khem Raj @ 2021-04-18 22:53 UTC (permalink / raw)
  To: openembedded-core; +Cc: Khem Raj, Andrei Gherzan

With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, the dependency was
moved to openssl-bin, which in itself was a fine change, but the
dependency on openssl should have been kept as well. Dropping it
meant that the openssl binary won't be able to validate secure connections, as
the CApath files won't be installed, which are in fact required for
openssl bins to work. The following call, e.g., fails:

$ openssl s_client -connect google.com:443

....
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
....

The local issuer certs are not found in the default location
/usr/lib/ssh-1.1/certs; this dir and its content are installed by the openssl package,
therefore re-add the dependency on openssl.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrei Gherzan <andrei@gherzan.ro>
---
 .../ca-certificates/ca-certificates_20210119.bb             | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
index 888a235c1a..7dcc86fdc1 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -83,8 +83,8 @@ do_install_append_class-native () {
     SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
 }
 
-RDEPENDS_${PN}_class-target = "openssl-bin"
-RDEPENDS_${PN}_class-native = "openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
 
 BBCLASSEXTEND = "native nativesdk"
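
Review bot: All three RDEPENDS lines change operator from "=" to "_append" (with a leading space in the value), and the commit message does not say why. With RDEPENDS_${PN}_append_class-target the packages are added to whatever RDEPENDS_${PN} already holds instead of replacing it under the override, so either state that this is intended or keep the plain override assignment and only add "openssl" and "nativesdk-openssl". The class-native line gains no package and differs only in the operator, so it could stay untouched to keep the fix minimal.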
-- 
2.31.1



* Re: [OE-core] [PATCH] ca-certificates: Fix openssl runtime cert dependencies
From: Mikko Rapeli @ 2021-04-19  6:40 UTC (permalink / raw)
  To: raj.khem; +Cc: openembedded-core, andrei

Hi,

On Sun, Apr 18, 2021 at 03:53:10PM -0700, Khem Raj wrote:
> With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, the dependency was
> moved to openssl-bin, which in itself was a fine change, but the
> dependency on openssl should have been kept as well. Dropping it
> meant that the openssl binary won't be able to validate secure connections, as
> the CApath files won't be installed, which are in fact required for
> openssl bins to work. The following call, e.g., fails:
> 
> $ openssl s_client -connect google.com:443

This sounds a lot like a ptest or selftest? Maybe using
some yocto server instead of google though.

Cheers,

-Mikko

> ....
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 20 (unable to get local issuer certificate)
> ....
> 
> The local issuer certs are not found in the default location
> /usr/lib/ssh-1.1/certs; this dir and its content are installed by the openssl package,
> therefore re-add the dependency on openssl.
> 
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Cc: Andrei Gherzan <andrei@gherzan.ro>
> ---
>  .../ca-certificates/ca-certificates_20210119.bb             | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
> index 888a235c1a..7dcc86fdc1 100644
> --- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
> +++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
> @@ -83,8 +83,8 @@ do_install_append_class-native () {
>      SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
>  }
>
> -RDEPENDS_${PN}_class-target = "openssl-bin"
> -RDEPENDS_${PN}_class-native = "openssl-native"
> -RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
> +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
> +RDEPENDS_${PN}_append_class-native = " openssl-native"
> +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
>
>  BBCLASSEXTEND = "native nativesdk"
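
Review bot: Nothing accompanies the RDEPENDS change in this hunk to stop the openssl dependency from being dropped again, and the failure it fixes only shows up at runtime on the target. A ptest or oe-selftest that performs a certificate verification on the image, as suggested in this reply, would catch a future removal of "openssl" from RDEPENDS_${PN}_append_class-target.
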
> -- 
> 2.31.1

* Re: [OE-core] [PATCH] ca-certificates: Fix openssl runtime cert dependencies
From: Khem Raj @ 2021-04-19 15:29 UTC (permalink / raw)
  To: Mikko.Rapeli; +Cc: openembedded-core, andrei



On 4/18/21 11:40 PM, Mikko.Rapeli@bmw.de wrote:
> Hi,
> 
> On Sun, Apr 18, 2021 at 03:53:10PM -0700, Khem Raj wrote:
>> With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, the dependency was
>> moved to openssl-bin, which in itself was a fine change, but the
>> dependency on openssl should have been kept as well. Dropping it
>> meant that the openssl binary won't be able to validate secure connections, as
>> the CApath files won't be installed, which are in fact required for
>> openssl bins to work. The following call, e.g., fails:
>>
>> $ openssl s_client -connect google.com:443
> 
> This sounds a lot like a ptest or selftest? Maybe using
> some yocto server instead of google though.

Yeah certainly a good idea,

> 
> Cheers,
> 
> -Mikko
> 
>> ....
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 256 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 20 (unable to get local issuer certificate)
>> ....
>>
>> The local issuer certs are not found in the default location
>> /usr/lib/ssh-1.1/certs; this dir and its content are installed by the openssl package,
>> therefore re-add the dependency on openssl.
>>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> Cc: Andrei Gherzan <andrei@gherzan.ro>
>> ---
>>   .../ca-certificates/ca-certificates_20210119.bb             | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
>> index 888a235c1a..7dcc86fdc1 100644
>> --- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
>> +++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
>> @@ -83,8 +83,8 @@ do_install_append_class-native () {
>>       SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
>>   }
>>   
>> -RDEPENDS_${PN}_class-target = "openssl-bin"
>> -RDEPENDS_${PN}_class-native = "openssl-native"
>> -RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
>> +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
>> +RDEPENDS_${PN}_append_class-native = " openssl-native"
>> +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
>>   
>>   BBCLASSEXTEND = "native nativesdk"
>> -- 
>> 2.31.1

* Re: [OE-core] [PATCH] ca-certificates: Fix openssl runtime cert dependencies
From: Andrei Gherzan @ 2021-04-23 19:56 UTC (permalink / raw)
  To: openembedded


On Sun, 18 Apr 2021, at 23:53, Khem Raj wrote:
> With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, the dependency was
> moved to openssl-bin, which in itself was a fine change, but the
> dependency on openssl should have been kept as well. Dropping it
> meant that the openssl binary won't be able to validate secure connections, as
> the CApath files won't be installed, which are in fact required for
> openssl bins to work. The following call, e.g., fails:
> 
> $ openssl s_client -connect google.com:443
> 
> ....
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 20 (unable to get local issuer certificate)
> ....
> 
> The local issuer certs are not found in the default location
> /usr/lib/ssh-1.1/certs; this dir and its content are installed by the openssl package,
> therefore re-add the dependency on openssl.

Good idea for a ptest. Change looks good to me.

--
Andrei


* Re: [OE-core] [PATCH] ca-certificates: Fix openssl runtime cert dependencies
From: Richard Purdie @ 2021-04-26 13:17 UTC (permalink / raw)
  To: Andrei Gherzan, openembedded

On Fri, 2021-04-23 at 20:56 +0100, Andrei Gherzan wrote:
> On Sun, 18 Apr 2021, at 23:53, Khem Raj wrote:
> > With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, the dependency was
> > moved to openssl-bin, which in itself was a fine change, but the
> > dependency on openssl should have been kept as well. Dropping it
> > meant that the openssl binary won't be able to validate secure connections, as
> > the CApath files won't be installed, which are in fact required for
> > openssl bins to work. The following call, e.g., fails:
> > 
> > $ openssl s_client -connect google.com:443
> > 
> > ....
> > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> > Server public key is 256 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 20 (unable to get local issuer certificate)
> > ....
> > 
> > The local issuer certs are not found in the default location
> > /usr/lib/ssh-1.1/certs; this dir and its content are installed by the openssl package,
> > therefore re-add the dependency on openssl.
> 
> Good idea for a ptest. Change looks good to me.

Might be worth a bug opening so we don't forget?

Cheers,

Richard
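
The runtime check discussed in this thread, sketched as an added example; it is not code from the thread or from OE-core. The function names, the CHECK_HOST variable and the sample transcripts are constructed for illustration, and the CApath directory is read from "openssl version -d" rather than hard-coded.

```sh
#!/bin/sh
# Added example (not from the thread): runtime check for the missing-CApath failure.
# Function names, CHECK_HOST and the sample transcripts are constructed.

# Print the number from the first "Verify return code: N (...)" line on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Classify s_client output on stdin.
# Returns 0 = chain verified, 1 = verification failed, 2 = no result line.
check_transcript() {
    code=$(verify_code)
    case "$code" in
        0)  echo "PASS: chain verified"; return 0 ;;
        "") echo "ERROR: no verify result (handshake did not complete?)"; return 2 ;;
        20) echo "FAIL: code 20, issuer not found in local trust store"; return 1 ;;
        *)  echo "FAIL: verify return code $code"; return 1 ;;
    esac
}

# Count hashed CA entries (names like 4a6481c9.0) in a CApath-style directory.
count_hashed_certs() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 \
        -name '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*' |
        wc -l | tr -d ' '
}

# Live check against a host chosen by the test owner (needs network access).
run_live_check() {
    certs="$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/certs"
    echo "CApath $certs holds $(count_hashed_certs "$certs") hashed certs"
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        check_transcript
}

# Constructed transcripts; the failing line is the one quoted in the patch description.
SAMPLE_FAIL='Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_OK='Early data was not sent
Verify return code: 0 (ok)'

if [ -n "${CHECK_HOST:-}" ]; then
    run_live_check "$CHECK_HOST"
else
    printf '%s\n' "$SAMPLE_FAIL" | check_transcript || true
    printf '%s\n' "$SAMPLE_OK" | check_transcript
fi
```

A hashed-cert count of 0 together with code 20 points at the missing trust store described in the patch, rather than at a problem with the server's chain.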

