From: Paul Barker <paul@pbarker.dev>
To: Jan Luebbe <jlu@pengutronix.de>,
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH v2] openssl: add support for config snippet includes
Date: Mon, 23 Feb 2026 18:29:15 +0000
Message-ID: <871c180e00e0331a472604442f86d0eb51fc7364.camel@pbarker.dev>
In-Reply-To: <20260216150201.2100724-1-jlu@pengutronix.de>
On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> This allows configuration (such as enabling providers) to be done by
> adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> copy of the full configuration file. As new snippets can be added from
> separate recipes, targeted changes can be done in multiple layers.
>
> For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> containing something like:
> [default_sect]
> activate = 1
>
> [provider_sect]
> pkcs11 = pkcs11_sect
>
> [pkcs11_sect]
> pkcs11-module-path = /usr/lib/libckteec.so.0
> pkcs11-module-quirks = no-operation-state no-deinit
> pkcs11-module-encode-provider-uri-to-pem = true
> activate = 1
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
> meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> index c0d02b617ba5..94fda03ea206 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> @@ -186,6 +186,13 @@ do_install () {
> fi
> }
>
> +do_install:append:class-target () {
> + # Add support for config snippet includes
> + echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> +}
> +
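
Review bot: The `install -d ${D}${sysconfdir}/ssl/openssl.cnf.d` line creates the snippet directory without an explicit mode, although any file placed there can make every OpenSSL consumer on the target load a provider module by path, as the pkcs11 example in the commit message does with `pkcs11-module-path`. Consider `install -d -m 0755` so the permissions are stated in the recipe rather than inherited from the default, and note in the recipe comment that the directory must stay writable by root only. Because the `.include` line is appended at the very end of openssl.cnf, a snippet that does not begin with its own section header is parsed into whichever section happens to be last in the shipped file; it would help to say so in the `# Add support for config snippet includes` comment, together with the fact that OpenSSL only reads files ending in .cnf or .conf from an included directory.
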
Has there been any discussion with upstream about adding this to
openssl.cnf by default?

I see that CentOS Stream 10 has a similar include directive in
openssl.cnf, but Debian does not. I wonder if upstream considers this to
be "safe".

Best regards,

--
Paul Barker