* [PATCH v2] openssl: add support for config snippet includes
@ 2026-02-16 15:02 Jan Luebbe
From: Jan Luebbe @ 2026-02-16 15:02 UTC (permalink / raw)
To: openembedded-core; +Cc: Jan Luebbe
This allows configuration (such as enabling providers) to be done by
adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
copy of the full configuration file. As new snippets can be added from
separate recipes, targeted changes can be done in multiple layers.

For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
containing something like:

[default_sect]
activate = 1

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-quirks = no-operation-state no-deinit
pkcs11-module-encode-provider-uri-to-pem = true
activate = 1

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617ba5..94fda03ea206 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -186,6 +186,13 @@ do_install () {
fi
}
+do_install:append:class-target () {
+ # Add support for config snippet includes
+ echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
+}
+
do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
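Review bot: the `.include ${sysconfdir}/ssl/openssl.cnf.d` line is appended after the last `[section]` of openssl.cnf, and OpenSSL does not reset the open section when it enters an included file, so any `key = value` line a snippet places before its first section header silently lands in whichever section was open at that point (the tail of openssl.cnf for the first snippet read, the last section of the preceding snippet for the others). The comment `# Add support for config snippet includes` should spell out the contract for snippet authors: start every snippet with a `[section]` header, and only files in the directory named `*.cnf` or `*.conf` are read. The `echo ""` before the directive, guarding against a missing trailing newline in the shipped file, is fine as is.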
--
2.47.3
* Re: [OE-core] [PATCH v2] openssl: add support for config snippet includes
From: Paul Barker @ 2026-02-23 18:29 UTC (permalink / raw)
To: Jan Luebbe, openembedded-core
On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> This allows configuration (such as enabling providers) to be done by
> adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> copy of the full configuration file. As new snippets can be added from
> separate recipes, targeted changes can be done in multiple layers.
>
> For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> containing something like:
> [default_sect]
> activate = 1
>
> [provider_sect]
> pkcs11 = pkcs11_sect
>
> [pkcs11_sect]
> pkcs11-module-path = /usr/lib/libckteec.so.0
> pkcs11-module-quirks = no-operation-state no-deinit
> pkcs11-module-encode-provider-uri-to-pem = true
> activate = 1
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
> meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> index c0d02b617ba5..94fda03ea206 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> @@ -186,6 +186,13 @@ do_install () {
> fi
> }
>
> +do_install:append:class-target () {
> + # Add support for config snippet includes
> + echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> +}
> +
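Review bot: `install -d ${D}${sysconfdir}/ssl/openssl.cnf.d` creates an empty directory, but the patch touches no FILES assignment, so confirm the directory ends up in the same package as `${sysconfdir}/ssl/openssl.cnf` rather than in whichever package happens to own the rest of `${sysconfdir}`; if it is not shipped at all, the appended `.include` names a path that does not exist on the target until some other recipe installs a snippet there. Either a FILES addition or a sentence in the commit message confirming the empty directory is already packaged with the config would settle this.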
Has there been any discussion with upstream about adding this to
openssl.cnf by default?
I see that CentOS Stream 10 has a similar include directive in
openssl.cnf, but Debian does not. I wonder if upstream considers this to
be "safe".
Best regards,
--
Paul Barker
* Re: [OE-core] [PATCH v2] openssl: add support for config snippet includes
From: Jan Lübbe @ 2026-02-24 8:26 UTC (permalink / raw)
To: Paul Barker, openembedded-core
On Mon, 2026-02-23 at 18:29 +0000, Paul Barker wrote:
> On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> > This allows configuration (such as enabling providers) to be done by
> > adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> > copy of the full configuration file. As new snippets can be added from
> > separate recipes, targeted changes can be done in multiple layers.
> >
> > For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> > containing something like:
> > [default_sect]
> > activate = 1
> >
> > [provider_sect]
> > pkcs11 = pkcs11_sect
> >
> > [pkcs11_sect]
> > pkcs11-module-path = /usr/lib/libckteec.so.0
> > pkcs11-module-quirks = no-operation-state no-deinit
> > pkcs11-module-encode-provider-uri-to-pem = true
> > activate = 1
> >
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> > meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > index c0d02b617ba5..94fda03ea206 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > @@ -186,6 +186,13 @@ do_install () {
> > fi
> > }
> >
> > +do_install:append:class-target () {
> > + # Add support for config snippet includes
> > + echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> > + echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >>
> > ${D}${sysconfdir}/ssl/openssl.cnf
> > + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> > +}
> > +
>
> Has there been any discussion with upstream about adding this to
> openssl.cnf by default?
It's a built-in feature in OpenSSL since 1.1.1
https://github.com/openssl/openssl/pull/5351
and was introduced specifically for simplifying configurations when shipping
OpenSSL as part of an OS
https://github.com/openssl/openssl/issues/4962
Adding configuration necessary for engines (now also providers) was also
mentioned in the issue.
https://docs.openssl.org/3.6/man5/config/ says "As a general rule, the pathname
should be an absolute path", which is the case here.
> I see that CentOS Stream 10 has a similar include directive in
> openssl.cnf, but Debian does not. I wonder if upstream considers this to
> be "safe".
The approach of snippets in .d directories is used by many other packages as well
(systemd, openssh, iproute2, sudo, udev, chrony). In some cases the search paths
are hard-coded, in others they are explicitly configured in the "top level"
configuration.
Configuration in /etc needs to be protected against unauthorized modification,
but that applies to /ssl/openssl.cnf.d/foo.cnf in the same way as for
/ssl/openssl.cnf.
Best regards
Jan
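To see what the appended `.include` actually does with the snippets in openssl.cnf.d, here is an added model of the directive's behaviour in Python (example code written for this page, not OpenSSL's own parser and not part of the patch). It feeds the commit message's pkcs11.cnf, a deliberately sloppy second snippet and a file with the wrong extension into a constructed openssl.cnf laid out like the patched one, with the `.include` line after the last section. Assumed for the model: only `[section]` headers, `key = value` lines and `.include` are handled, `${var}` expansion and `.pragma` are ignored, and directory entries are sorted for determinism, whereas OpenSSL reads them in directory order. All file names and contents are constructed.

```python
"""Model of OpenSSL's CONF ".include" handling (added illustration, not
OpenSSL's parser).  Covers [section] headers, key = value lines and
.include of a file or a directory; skips ${var} expansion and .pragma;
sorts directory entries (assumption; OpenSSL uses directory order)."""
import os
import tempfile


def _lines(path):
    # Non-empty lines with '#' comments and surrounding blanks stripped.
    with open(path, encoding="utf-8") as f:
        for raw in f:
            line = raw.split("#", 1)[0].strip()
            if line:
                yield line


def _include_targets(path):
    """What '.include PATH' expands to: the file itself, or for a directory
    its *.cnf / *.conf entries (case-insensitive), sub-directories skipped."""
    if not os.path.isdir(path):
        return [path]
    return [os.path.join(path, n) for n in sorted(os.listdir(path))
            if n.lower().endswith((".cnf", ".conf"))
            and os.path.isfile(os.path.join(path, n))]


def load_conf(path, conf=None, section="default", depth=0):
    """Parse path into {section: {key: value}}; return (conf, open section).

    The open section is carried into an included file and back out of it,
    as in OpenSSL's single parse loop: a snippet that starts with key = value
    lines writes them into whatever section was open at the .include."""
    if conf is None:
        conf = {"default": {}}
    if depth > 8:
        raise ValueError("include nesting too deep: %s" % path)
    for line in _lines(path):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif line.startswith(".include"):
            target = line[len(".include"):].strip().lstrip("=").strip()
            for inc in _include_targets(target):
                _, section = load_conf(inc, conf, section, depth + 1)
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(section, {})[key] = value
    return conf, section


def lint_snippets(cnf_d):
    """Names of snippets whose first directive is not a [section] header."""
    return [os.path.basename(p) for p in _include_targets(cnf_d)
            if not next(_lines(p), "").startswith("[")]


# Constructed files: openssl.cnf with the .include appended after its last
# section (as the patch does) and the commit message's pkcs11.cnf.
MAIN_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
.include {cnf_d}
"""
PKCS11_CNF = """\
[provider_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
pkcs11-module-path = /usr/lib/libckteec.so.0
activate = 1
"""
# Forgets its leading header: 'stray' lands in the section the previously
# read snippet left open (pkcs11_sect here), not in a section of its own.
SLOPPY_CNF = "stray = oops\n[extra_sect]\nfoo = bar\n"


def build_demo():
    """Write openssl.cnf plus openssl.cnf.d into a temp dir, parse them and
    return (conf, cnf_d)."""
    tmp = tempfile.mkdtemp()
    cnf_d = os.path.join(tmp, "openssl.cnf.d")
    os.mkdir(cnf_d)
    files = {
        os.path.join(tmp, "openssl.cnf"): MAIN_CNF.format(cnf_d=cnf_d),
        os.path.join(cnf_d, "pkcs11.cnf"): PKCS11_CNF,
        os.path.join(cnf_d, "zz-sloppy.cnf"): SLOPPY_CNF,
        # wrong extension: OpenSSL does not read it, so neither does the model
        os.path.join(cnf_d, "README.txt"): "[provider_sect]\nignored = 1\n",
    }
    for p, text in files.items():
        with open(p, "w", encoding="utf-8") as f:
            f.write(text)
    conf, _ = load_conf(os.path.join(tmp, "openssl.cnf"))
    return conf, cnf_d
```

`lint_snippets` is the check worth running in a recipe's do_install or a ptest: a snippet whose first directive is not a section header writes into whatever section the previously read file left open, and which file that is depends on directory order on the target.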