[PATCH v2] openssl: add support for config snippet includes
From: Jan Luebbe
Date: 2026-02-16 15:02 UTC
To: openembedded-core
Cc: Jan Luebbe

This allows configuration (such as enabling providers) to be done by
adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
copy of the full configuration file. As new snippets can be added from
separate recipes, targeted changes can be done in multiple layers.

For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
containing something like:
[default_sect]
activate = 1

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-quirks = no-operation-state no-deinit
pkcs11-module-encode-provider-uri-to-pem = true
activate = 1

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617ba5..94fda03ea206 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -186,6 +186,13 @@ do_install () {
fi
}

+do_install:append:class-target () {
+ # Add support for config snippet includes
+ echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
+}
+
do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
--
2.47.3
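Review bot: the two `echo` lines in the new do_install:append:class-target block append a bare `.include` directive with no comment in the shipped file, so an administrator reading /etc/ssl/openssl.cnf on the target gets no hint that files dropped into openssl.cnf.d are merged into it or which file names are picked up; suggest preceding it with something like `echo "# Configuration snippets are read from the directory below" >> ${D}${sysconfdir}/ssl/openssl.cnf`. The recipe comment "Add support for config snippet includes" would also benefit from noting that the directive is deliberately written with `${sysconfdir}` and no `${D}` prefix because it is resolved at run time, since a reader comparing it with the `install -d ${D}${sysconfdir}/ssl/openssl.cnf.d` line right below could take the missing `${D}` for a mistake.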
Re: [OE-core] [PATCH v2] openssl: add support for config snippet includes
From: Paul Barker
Date: 2026-02-23 18:29 UTC
To: Jan Luebbe, openembedded-core

On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> This allows configuration (such as enabling providers) to be done by
> adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> copy of the full configuration file. As new snippets can be added from
> separate recipes, targeted changes can be done in multiple layers.
>
> For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> containing something like:
> [default_sect]
> activate = 1
>
> [provider_sect]
> pkcs11 = pkcs11_sect
>
> [pkcs11_sect]
> pkcs11-module-path = /usr/lib/libckteec.so.0
> pkcs11-module-quirks = no-operation-state no-deinit
> pkcs11-module-encode-provider-uri-to-pem = true
> activate = 1
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
> meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> index c0d02b617ba5..94fda03ea206 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> @@ -186,6 +186,13 @@ do_install () {
> fi
> }
>
> +do_install:append:class-target () {
> + # Add support for config snippet includes
> + echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
> + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> +}
> +

Has there been any discussion with upstream about adding this to
openssl.cnf by default?

I see that CentOS Stream 10 has a similar include directive in
openssl.cnf, but Debian does not. I wonder if upstream considers this to
be "safe".

Best regards,

--
Paul Barker
Re: [OE-core] [PATCH v2] openssl: add support for config snippet includes
From: Jan Lübbe
Date: 2026-02-24 8:26 UTC
To: Paul Barker, openembedded-core

On Mon, 2026-02-23 at 18:29 +0000, Paul Barker wrote:
> On Mon, 2026-02-16 at 16:02 +0100, Jan Luebbe wrote:
> > This allows configuration (such as enabling providers) to be done by
> > adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
> > copy of the full configuration file. As new snippets can be added from
> > separate recipes, targeted changes can be done in multiple layers.
> >
> > For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> > containing something like:
> > [default_sect]
> > activate = 1
> >
> > [provider_sect]
> > pkcs11 = pkcs11_sect
> >
> > [pkcs11_sect]
> > pkcs11-module-path = /usr/lib/libckteec.so.0
> > pkcs11-module-quirks = no-operation-state no-deinit
> > pkcs11-module-encode-provider-uri-to-pem = true
> > activate = 1
> >
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> > meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > index c0d02b617ba5..94fda03ea206 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> > @@ -186,6 +186,13 @@ do_install () {
> > fi
> > }
> >
> > +do_install:append:class-target () {
> > + # Add support for config snippet includes
> > + echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
> > + echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >>
> > ${D}${sysconfdir}/ssl/openssl.cnf
> > + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
> > +}
> > +
>
> Has there been any discussion with upstream about adding this to
> openssl.cnf by default?

It's a built-in feature in OpenSSL since 1.1.1
https://github.com/openssl/openssl/pull/5351 and was introduced
specifically for simplifying configurations when shipping OpenSSL as
part of an OS https://github.com/openssl/openssl/issues/4962
Adding configuration necessary for engines (now also providers) was also
mentioned in the issue.

https://docs.openssl.org/3.6/man5/config/ says "As a general rule, the
pathname should be an absolute path", which is the case here.

> I see that CentOS Stream 10 has a similar include directive in
> openssl.cnf, but Debian does not. I wonder if upstream considers this to
> be "safe".

The approach of snippets in .d directories is used by many other
packages as well (systemd, openssh, iproute2, sudo, udev, chrony). In
some cases the search paths are hard-coded, in others they are
explicitly configured in the "top level" configuration.

Configuration in /etc needs to be protected against unauthorized
modification, but that applies to /ssl/openssl.cnf.d/foo.cnf in the
same way as for /ssl/openssl.cnf.

Best regards
Jan
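A defender-side check for the mechanism discussed in this thread, added here as an example that is not part of the patch or of OpenSSL itself: it walks the `.include` chain of an openssl.cnf and flags any snippet or snippet directory that is group/world writable or owned by someone other than the owner of the top-level file. The function names, the depth cap and the sample layout used in the comments are the example's own assumptions.

```shell
#!/bin/sh
# Constructed example, not part of the patch: enumerate and audit every file
# that an openssl.cnf pulls in through ".include", the directive the patch
# appends. Per config(5), ".include path" (or ".include = path") loads a
# file, or, for a directory, every *.cnf and *.conf file inside it. Paths
# are assumed absolute and whitespace-free, like /etc/ssl/openssl.cnf.d.

# Print the config file, then each include target (a directory is printed
# before the snippets it contributes), recursing into included files.
openssl_cnf_paths() {
    cnf=$1 depth=${2:-0}
    # Only existing files count; the depth cap guards against include loops.
    [ -f "$cnf" ] && [ "$depth" -lt 8 ] || return 0
    echo "$cnf"
    sed -n 's/^[[:space:]]*\.include[[:space:]]*=\{0,1\}[[:space:]]*//p' "$cnf" |
    while IFS= read -r target; do
        # Drop a trailing comment and trailing whitespace from the path.
        target=$(printf '%s' "${target%%#*}" | sed 's/[[:space:]]*$//')
        if [ -d "$target" ]; then
            echo "$target"
            for f in "$target"/*.cnf "$target"/*.conf; do
                # Recurse in a subshell so the caller's variables stay intact.
                if [ -e "$f" ]; then (openssl_cnf_paths "$f" $((depth + 1))); fi
            done
        else
            (openssl_cnf_paths "$target" $((depth + 1)))
        fi
    done
}

# Return 1 (printing each offender) if anything on that list is owned by
# someone other than the owner of the top-level openssl.cnf (root on a real
# system) or is group/world writable: a writable snippet or snippet directory
# lets its writer activate a provider module in every OpenSSL-using process.
openssl_cnf_audit() {
    cnf=$1 rc=0
    set -- $(ls -ld "$cnf"); owner=$3    # ls -ld fields: mode, links, owner, ...
    for p in $(openssl_cnf_paths "$cnf"); do
        set -- $(ls -ld "$p")
        case $1 in                       # mode char 6 = group w, char 9 = other w
            ?????w*|????????w*) echo "writable by group/other: $p"; rc=1 ;;
        esac
        [ "$3" = "$owner" ] || { echo "owner $3 differs from $owner: $p"; rc=1; }
    done
    return $rc
}
```

Run it as `openssl_cnf_audit /etc/ssl/openssl.cnf` on a target image; a non-zero exit means a file that OpenSSL will merge into its configuration can be changed by someone who cannot change openssl.cnf itself.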