public inbox for openembedded-core@lists.openembedded.org
From: Colin Pinnell McAllister <colinmca242@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Colin Pinnell McAllister <colinmca242@gmail.com>
Subject: [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features by default
Date: Fri, 13 Feb 2026 17:01:26 -0600
Message-ID: <20260213230130.757732-1-colinmca242@gmail.com>
In-Reply-To: <20260211184917.1045939-1-colinmca242@gmail.com>

TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
OpenSSL's legacy module contains deprecated and unmaintained components.
This series disables legacy support by default in both OpenSSL and
python3-cryptography, requiring users to explicitly opt-in if needed.

The first two patches add packageconfig options to control legacy TLS
protocol support and the legacy OpenSSL module. The final patch aligns
python3-cryptography with the new OpenSSL defaults.

Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
"no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
options that are disabled by default. While it would be less disruptive
to enable the "no-*" options by default, using affirmative options
provides consistency with the new "legacy" option and is clearer than
having default-enabled "no-*" options.

V2 changes:
* Added a backport of the TLS test fix from GH-144790 to fix test
  failures with TLS 1.2 as the minimum version when TLS 1.0 and 1.1 are disabled.
* Updated TLS patch commit message to be clearer, as "1.x" could also
  apply to TLS 1.2/1.3
* Removed conditional logic to add the legacy package based on the
  packageconfig setting
* Moved OpenSSL legacy package to an rrecommends for libcrypto and
  ptests

Testing:
* For OpenSSL legacy package:
  ptests ran: openssl and python3-cryptography
  * legacy enabled, legacy-openssl disabled: Builds and ptests pass
  * legacy enabled, legacy-openssl enabled: Builds and ptests pass
  * legacy disabled, legacy-openssl enabled: Build fails as expected,
    with "Nothing provides openssl-ossl-module-legacy"
  * legacy disabled, legacy-openssl disabled: Builds and ptests pass
* For TLS 1.0/1.1 changes:
  ptests ran: openssl and python3
  * tls1 disabled, tls1_1 disabled: Builds and ptests pass
  * tls1 disabled, tls1_1 enabled: Builds and ptests pass
  * tls1 enabled, tls1_1 disabled: Builds and ptests pass
  * tls1 enabled, tls1_1 enabled: Builds and ptests pass

Colin Pinnell McAllister (4):
  python3: Backport TLS test fix
  openssl: Disable TLS 1.0/1.1 by default
  openssl: Add legacy packageconfig option
  python3-cryptography: Disable legacy-openssl by default

 .../openssl/openssl_3.5.5.bb                  |  8 ++--
 .../python/python3-cryptography.bb            |  2 +-
 ...Allow-TLS-v1.2-to-be-minimum-version.patch | 39 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.14.2.bb |  1 +
 4 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch

-- 
2.53.0
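For readers who need to keep one of the features this series turns off, the following local.conf fragment is an added example (not part of the patch series or of OE-core) showing how to opt back in, and, for the opposite case, how to keep the legacy module out of an image. The option names ("tls1", "tls1_1", "legacy", "legacy-openssl") and the package name "openssl-ossl-module-legacy" are taken from the cover letter above; PACKAGECONFIG, the ":pn-<recipe>" override and BAD_RECOMMENDATIONS are standard OpenEmbedded variables. Treat the two scenarios as alternatives and apply only the one you need.

```bitbake
# Added example, not from the patch series: conf/local.conf fragment.
# Scenario A: explicitly opt back in to the legacy features.

# TLS 1.0 and 1.1 are now separate, default-off options; enable only
# the one(s) a deployment really still needs, not both reflexively.
PACKAGECONFIG:append:pn-openssl = " tls1 tls1_1"

# The OpenSSL legacy provider module (builds openssl-ossl-module-legacy).
PACKAGECONFIG:append:pn-openssl = " legacy"

# python3-cryptography's "legacy-openssl" option requires the OpenSSL
# "legacy" option above; per the v2 testing notes, enabling it without
# "legacy" fails with "Nothing provides openssl-ossl-module-legacy".
PACKAGECONFIG:append:pn-python3-cryptography = " legacy-openssl"

# Scenario B (use instead of A): OpenSSL "legacy" is enabled elsewhere
# (e.g. by a distro config), but the module must not ship in the rootfs.
# In v2 the package is only an RRECOMMENDS of libcrypto, so it can be
# excluded at image assembly time without rebuilding OpenSSL:
#BAD_RECOMMENDATIONS:append = " openssl-ossl-module-legacy"
```

After building, `bitbake -e openssl | grep '^PACKAGECONFIG='` confirms which options took effect, and the package list in the image manifest shows whether openssl-ossl-module-legacy was installed.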




Thread overview: 14+ messages
2026-02-11 18:49 [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default Colin Pinnell McAllister
2026-02-11 18:49 ` [PATCH 1/3] openssl: Disable TLS 1.x " Colin Pinnell McAllister
2026-02-11 18:49 ` [PATCH 2/3] openssl: Add legacy packageconfig option Colin Pinnell McAllister
2026-02-13 18:23   ` [OE-core] " Peter Kjellerstedt
2026-02-11 18:49 ` [PATCH 3/3] python3-cryptography: Disable legacy-openssl by default Colin Pinnell McAllister
2026-02-12 16:38 ` [OE-core] [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features " Mathieu Dubois-Briand
2026-02-13 15:36   ` Colin
2026-02-13 23:01 ` Colin Pinnell McAllister [this message]
2026-02-13 23:01   ` [PATCH v2 1/4] python3: Backport TLS test fix Colin Pinnell McAllister
2026-02-13 23:01   ` [PATCH v2 2/4] openssl: Disable TLS 1.0/1.1 by default Colin Pinnell McAllister
2026-02-13 23:01   ` [PATCH v2 3/4] openssl: Add legacy packageconfig option Colin Pinnell McAllister
2026-02-13 23:01   ` [PATCH v2 4/4] python3-cryptography: Disable legacy-openssl by default Colin Pinnell McAllister
2026-02-15 16:43   ` [OE-core] [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features " Mathieu Dubois-Briand
2026-02-15 18:03     ` Mathieu Dubois-Briand
