From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: <colinmca242@gmail.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features by default
Date: Sun, 15 Feb 2026 19:03:09 +0100
Message-ID: <DGFQER9GYWDA.3RGOGX1RCZDP8@bootlin.com>
In-Reply-To: <DGFOPZGGFAZ6.ARG5LGAT1PG1@bootlin.com>

On Sun Feb 15, 2026 at 5:43 PM CET, Mathieu Dubois-Briand wrote:
> On Sat Feb 14, 2026 at 12:01 AM CET, Colin McAllister via lists.openembedded.org wrote:
>> TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
>> OpenSSL's legacy module contains deprecated and unmaintained components.
>> This series disables legacy support by default in both OpenSSL and
>> python3-cryptography, requiring users to explicitly opt-in if needed.
>>
>> The first two patches add packageconfig options to control legacy TLS
>> protocol support and the legacy OpenSSL module. The final patch aligns
>> python3-cryptography with the new OpenSSL defaults.
>>
>> Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
>> "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
>> options that are disabled by default. While less disruptive to enable
>> the "no-*" options by default, using affirmative options provides
>> consistency with the new "legacy" option and is clearer than having
>> default-enabled "no-*" options.
>>
>
> Hi Colin,
>
> Thanks for the new version.
>
> I believe we have a new error:
>
> ERROR: core-image-sato-1.0-r0 do_rootfs: Could not invoke dnf. Command '/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/recipe-sysroot-native/usr/bin/dnf -v --rpmverbosity=info -y -c /srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/dnf/dnf.conf --setopt=reposdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/yum.repos.d --installroot=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs --setopt=logdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/temp --repofrompath=oe-repo,/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/oe-rootfs-repo --nogpgcheck install dnf packagegroup-base-extended packagegroup-core-boot packagegroup-core-ssh-dropbear packagegroup-core-x11-base packagegroup-core-x11-sato pango-module-basic-fc psplash rpm run-postinsts lib32-connman-gnome lib32-pango-module-basic-fc locale-base-c locale-base-en-us locale-base-en-gb' returned 1:
> ...
> Error: Transaction test error:
> file /etc/ssl/openssl.cnf conflicts between attempted installs of lib32-openssl-conf-3.5.5-r0.x86 and openssl-conf-3.5.5-r0.x86_64_v3
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/92/builds/3170
>
> Can you have a look at the issue?
>
> Thanks,
> Mathieu

My bad, the issue probably comes from another patch. This series is
probably good.

Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Thread overview: 14+ messages
2026-02-11 18:49 [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default Colin Pinnell McAllister
2026-02-11 18:49 ` [PATCH 1/3] openssl: Disable TLS 1.x " Colin Pinnell McAllister
2026-02-11 18:49 ` [PATCH 2/3] openssl: Add legacy packageconfig option Colin Pinnell McAllister
2026-02-13 18:23 ` [OE-core] " Peter Kjellerstedt
2026-02-11 18:49 ` [PATCH 3/3] python3-cryptography: Disable legacy-openssl by default Colin Pinnell McAllister
2026-02-12 16:38 ` [OE-core] [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features " Mathieu Dubois-Briand
2026-02-13 15:36 ` Colin
2026-02-13 23:01 ` [PATCH v2 0/4] " Colin Pinnell McAllister
2026-02-13 23:01 ` [PATCH v2 1/4] python3: Backport TLS test fix Colin Pinnell McAllister
2026-02-13 23:01 ` [PATCH v2 2/4] openssl: Disable TLS 1.0/1.1 by default Colin Pinnell McAllister
2026-02-13 23:01 ` [PATCH v2 3/4] openssl: Add legacy packageconfig option Colin Pinnell McAllister
2026-02-13 23:01 ` [PATCH v2 4/4] python3-cryptography: Disable legacy-openssl by default Colin Pinnell McAllister
2026-02-15 16:43 ` [OE-core] [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features " Mathieu Dubois-Briand
2026-02-15 18:03 ` Mathieu Dubois-Briand [this message]