From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Quentin Schulz <quentin.schulz@cherry.de>
Cc: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>,
Tom Rini <trini@konsulko.com>, Tobias Olausson <tobias@eub.se>,
u-boot@lists.denx.de
Subject: Re: [PATCH 1/1] tools: fix building with OpenSSL 4.0
Date: Tue, 16 Jun 2026 20:48:05 +0200 [thread overview]
Message-ID: <20260616184805.OM9ccIkV@breakpoint.cc> (raw)
In-Reply-To: <b25761d2-594a-429e-a3cf-3f0cca996f1d@cherry.de>
On 2026-06-16 10:35:19 [+0200], Quentin Schulz wrote:
> Hi Sebastian,
Hi Quentin,
> > removing it since the "provider interface" is available since the 3.0
>
> We could migrate for OpenSSL 3+ to the provider interface while maintaining
> support for OpenSSL engines (via the org.openssl.engine: prefix). OpenSSL
> engines are supported in OpenSSL 3.x. As a matter of fact, **I** am using an
> OpenSSL engine on OpenSSL 3.
Sure. And this is gone with OpenSSL 4.0. Debian Forky wise I am aiming
at OpenSSL 4.0 so the engine variant becomes less of an option. Should
you aim at keeping the functionality provided by the engine you should
poke its upstream to migrate/ provide an provider alternative.
> OpenSSL 1.x can still receive updates provided you pay support for it.
> Bullseye still ships OpenSSL 1 (and is in its LTS phase for a few more
> months). According to pkgs.org, RockyLinux/AlmaLinux 8 and Slackware 15 are
> also on that ancient OpenSSL. The former are supported for three more years
> according to endoflife.date. So I think it may be a bit premature to remove
> support for OpenSSL engines via the engine API.
Sure. If there are people using stone age OpenSSL and brand new u-boot,
sure why not.
> > series. And since 1.1 receives no FOSS support it might not hurt anyone
> > to drop it and keep only the provider interface around.
> > If the engine support was introduced due to $HW then there should be
> > matching provider support.
> >
>
> Not necessarily. You can have custom engines and not have migrated to custom
> providers. The interface is entirely different and the migration is not
> straightforward as far as I've been told (a colleague of mine did the
> migration for our custom engine).
Sure, you have the option to not migrate. But if you end up with OpenSSL
4.0 you have no engine support.
> Cheers,
> Quentin
Sebastian
next prev parent reply other threads:[~2026-06-16 18:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 16:07 [PATCH 1/1] tools: fix building with OpenSSL 4.0 Heinrich Schuchardt
2026-06-15 16:50 ` Quentin Schulz
2026-06-16 6:40 ` Enric Balletbo Serra
2026-06-16 20:20 ` Peter Robinson
2026-06-15 19:46 ` Sebastian Andrzej Siewior
2026-06-16 8:35 ` Quentin Schulz
2026-06-16 18:48 ` Sebastian Andrzej Siewior [this message]
2026-06-16 21:52 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616184805.OM9ccIkV@breakpoint.cc \
--to=sebastian@breakpoint.cc \
--cc=heinrich.schuchardt@canonical.com \
--cc=quentin.schulz@cherry.de \
--cc=tobias@eub.se \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.