[PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default

[PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default

[Colin Pinnell McAllister]

TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
OpenSSL's legacy module contains deprecated and unmaintained components.
This series disables legacy support by default in both OpenSSL and
python3-cryptography, requiring users to explicitly opt-in if needed.

The first two patches add packageconfig options to control legacy TLS
protocol support and the legacy OpenSSL module. The final patch aligns
python3-cryptography with the new OpenSSL defaults.

Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
"no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
options that are disabled by default. While less disruptive to enable
the "no-*" options by default, using affirmative options provides
consistency with the new "legacy" option and is clearer than having
default-enabled "no-*" options.

Testing performed:
* Verified both recipes build successfully with and without the new
  options
* Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1
  disabled
* Ran python3-cryptography ptests with legacy-openssl disabled
* Confirmed ptests correctly skip tests for disabled legacy features

Colin Pinnell McAllister (3):
  openssl: Disable TLS 1.x by default
  openssl: Add legacy packageconfig option
  python3-cryptography: Disable legacy-openssl by default

 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++-----
 .../python/python3-cryptography.bb                 |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

-- 
2.53.0

[PATCH 1/3] openssl: Disable TLS 1.x by default

[Colin Pinnell McAllister]

TLS 1 and TLS 1.1 have been deprecated by the IETF since 2021. Disables
support by default in packageconfig, requiring users to explicitly
opt-in for these deprecated protocols.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617b..6b9ccef0b5 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -29,8 +29,8 @@ PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-PACKAGECONFIG[no-tls1] = "no-tls1"
-PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[tls1] = ",no-tls1"
+PACKAGECONFIG[tls1_1] = ",no-tls1_1"
 PACKAGECONFIG[manpages] = ""
 PACKAGECONFIG[fips] = "enable-fips"
 
-- 
2.53.0

[PATCH 2/3] openssl: Add legacy packageconfig option

[Colin Pinnell McAllister]

Add packageconfig option to enable legacy support (disabled by default).
The legacy module includes deprecated and unmaintained OpenSSL
components. The openssl-ossl-module-legacy package that includes the
module is now conditional on the packageconfig option being enabled.
Packages that depend on this package are also now conditional on the
packageconfig option.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index 6b9ccef0b5..c9d74002a7 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -29,6 +29,7 @@ PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[legacy] = ",no-legacy"
 PACKAGECONFIG[tls1] = ",no-tls1"
 PACKAGECONFIG[tls1_1] = ",no-tls1_1"
 PACKAGECONFIG[manpages] = ""
@@ -257,7 +258,8 @@ pkg_postinst_ontarget:${PN}-ossl-module-fips () {
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-fips"
+PACKAGES =+ "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -275,9 +277,11 @@ FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/open
 
 CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
-RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RRECOMMENDS:libcrypto += "openssl-conf"
+RRECOMMENDS:libcrypto += "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"
 RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines"
+RDEPENDS:${PN}-ptest += "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"
 
 RDEPENDS:${PN}-bin += "openssl-conf"
 
-- 
2.53.0

RE: [OE-core] [PATCH 2/3] openssl: Add legacy packageconfig option

[Peter Kjellerstedt]

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Colin McAllister via lists.openembedded.org
> Sent: den 11 februari 2026 19:49
> To: openembedded-core@lists.openembedded.org
> Cc: Colin Pinnell McAllister <colinmca242@gmail.com>
> Subject: [OE-core] [PATCH 2/3] openssl: Add legacy packageconfig option
> 
> Add packageconfig option to enable legacy support (disabled by default).
> The legacy module includes deprecated and unmaintained OpenSSL
> components. The openssl-ossl-module-legacy package that includes the
> module is now conditional on the packageconfig option being enabled.
> Packages that depend on this package are also now conditional on the
> packageconfig option.
> 
> Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
> ---
>  meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> index 6b9ccef0b5..c9d74002a7 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
> @@ -29,6 +29,7 @@ PACKAGECONFIG:class-native = ""
>  PACKAGECONFIG:class-nativesdk = ""
> 
>  PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
> +PACKAGECONFIG[legacy] = ",no-legacy"
>  PACKAGECONFIG[tls1] = ",no-tls1"
>  PACKAGECONFIG[tls1_1] = ",no-tls1_1"
>  PACKAGECONFIG[manpages] = ""
> @@ -257,7 +258,8 @@ pkg_postinst_ontarget:${PN}-ossl-module-fips () {
>  # file to be installed for both the openssl-bin package and the libcrypto
>  # package since the openssl-bin package depends on the libcrypto package.
> 
> -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
> +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-fips"
> +PACKAGES =+ "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"

There should be no reason to conditionally add the 
${PN}-ossl-module-legacy package here. If the legacy PACKAGECONFIG 
is not enabled, then I assume that no files that go in this package 
are created and thus the package will not be created even if it is 
listed in PACKAGES.

> 
>  FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
>  FILES:libssl = "${libdir}/libssl${SOLIBS}"
> @@ -275,9 +277,11 @@ FILES:${PN}:append:class-nativesdk = "
> ${SDKPATHNATIVE}/environment-setup.d/open
> 
>  CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
> 
> -RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
> +RRECOMMENDS:libcrypto += "openssl-conf"
> +RRECOMMENDS:libcrypto += "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"

Since this is a recommendation, there is no reason to make it 
conditional as long as the package is listed in PACKAGES. If there 
are no files in the package and it thus is not created, then the 
recommendation will just be ignored.

>  RDEPENDS:${PN}-misc = "perl"
> -RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
> +RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines"
> +RDEPENDS:${PN}-ptest += "${@bb.utils.contains("PAKCAGECONFIG", "legacy", "${PN}-ossl-module-legacy", "", d)}"

Turn this into a recommendation instead and then there 
is no longer any need for it to be conditionally added.

> 
>  RDEPENDS:${PN}-bin += "openssl-conf"
> 
> --
> 2.53.0

//Peter

[PATCH 3/3] python3-cryptography: Disable legacy-openssl by default

[Colin Pinnell McAllister]

Disable legacy-openssl support by default to match the openssl recipe.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
 meta/recipes-devtools/python/python3-cryptography.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index 366fda5e87..062b41807b 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -22,7 +22,7 @@ require ${BPN}-crates.inc
 
 inherit pypi python_maturin cargo-update-recipe-crates pkgconfig
 
-PACKAGECONFIG ??= "legacy-openssl"
+PACKAGECONFIG ??= ""
 PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy"
 
 export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY = "${@bb.utils.contains('PACKAGECONFIG', 'legacy-openssl', '0', '1', d)}"
-- 
2.53.0

Re: [OE-core] [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default

[Mathieu Dubois-Briand]

On Wed Feb 11, 2026 at 7:49 PM CET, Colin McAllister via lists.openembedded.org wrote:
> TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
> OpenSSL's legacy module contains deprecated and unmaintained components.
> This series disables legacy support by default in both OpenSSL and
> python3-cryptography, requiring users to explicitly opt-in if needed.
>
> The first two patches add packageconfig options to control legacy TLS
> protocol support and the legacy OpenSSL module. The final patch aligns
> python3-cryptography with the new OpenSSL defaults.
>
> Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
> "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
> options that are disabled by default. While less disruptive to enable
> the "no-*" options by default, using affirmative options provides
> consistency with the new "legacy" option and is clearer than having
> default-enabled "no-*" options.
>
> Testing performed:
> * Verified both recipes build successfully with and without the new
>   options
> * Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1
>   disabled
> * Ran python3-cryptography ptests with legacy-openssl disabled
> * Confirmed ptests correctly skip tests for disabled legacy features
>
> Colin Pinnell McAllister (3):
>   openssl: Disable TLS 1.x by default
>   openssl: Add legacy packageconfig option
>   python3-cryptography: Disable legacy-openssl by default
>
>  meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++-----
>  .../python/python3-cryptography.bb                 |  2 +-
>  2 files changed, 10 insertions(+), 6 deletions(-)

Hi Colin,

Thanks for your patch.

It looks like we are having some ptest failing on the autobuilder:

Failed ptests:
{'python3': ['test_min_max_version', 'python3']}

https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/3075
https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/3030

Test logs can be found here:

https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemux86-64-ptest/core-image-ptest-python3/
https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemuarm64-ptest/core-image-ptest-python3/

Can you have a look at this error?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH 0/3] Disable OpenSSL and Python3-cryptography legacy features by default

[Colin]

[-- Attachment #1: Type: text/plain, Size: 3502 bytes --]

Hi Mathieu,

The test_min_max_version test in Python 3.14 test_ssl.py is failing because
of my patch that disables TLS 1 and 1.1 by default.

One of the assertions in the test_min_max_version checks if the minimum
supported TLS version is either TLS v1, TLS v1.1, or SSL v3. With TLS v1
and TLS v1.1 disabled, the minimum version is now TLS v1.2, which is not
included in that set. If I add TLS v1.2 to the set, test_min_max_version
passes.

This seems like something I can patch upstream in cpython so I will start
that process. I think it's ideal to disable all of these packageconfig
options by default together. So in my opinion it would be best to put my
patches on hold until this issue with cpython is fixed. I'm also open to
discussing short term solutions.

Thanks,

*_____________________*
*Colin Pinnell McAllister*


On Thu, Feb 12, 2026 at 10:39 AM Mathieu Dubois-Briand <
mathieu.dubois-briand@bootlin.com> wrote:

> On Wed Feb 11, 2026 at 7:49 PM CET, Colin McAllister via
> lists.openembedded.org wrote:
> > TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
> > OpenSSL's legacy module contains deprecated and unmaintained components.
> > This series disables legacy support by default in both OpenSSL and
> > python3-cryptography, requiring users to explicitly opt-in if needed.
> >
> > The first two patches add packageconfig options to control legacy TLS
> > protocol support and the legacy OpenSSL module. The final patch aligns
> > python3-cryptography with the new OpenSSL defaults.
> >
> > Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
> > "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
> > options that are disabled by default. While less disruptive to enable
> > the "no-*" options by default, using affirmative options provides
> > consistency with the new "legacy" option and is clearer than having
> > default-enabled "no-*" options.
> >
> > Testing performed:
> > * Verified both recipes build successfully with and without the new
> >   options
> > * Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1
> >   disabled
> > * Ran python3-cryptography ptests with legacy-openssl disabled
> > * Confirmed ptests correctly skip tests for disabled legacy features
> >
> > Colin Pinnell McAllister (3):
> >   openssl: Disable TLS 1.x by default
> >   openssl: Add legacy packageconfig option
> >   python3-cryptography: Disable legacy-openssl by default
> >
> >  meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++-----
> >  .../python/python3-cryptography.bb                 |  2 +-
> >  2 files changed, 10 insertions(+), 6 deletions(-)
>
> Hi Colin,
>
> Thanks for your patch.
>
> It looks like we are having some ptest failing on the autobuilder:
>
> Failed ptests:
> {'python3': ['test_min_max_version', 'python3']}
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/3075
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/3030
>
> Test logs can be found here:
>
>
> https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemux86-64-ptest/core-image-ptest-python3/
>
> https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemuarm64-ptest/core-image-ptest-python3/
>
> Can you have a look at this error?
>
> Thanks,
> Mathieu
>
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>

[-- Attachment #2: Type: text/html, Size: 5345 bytes --]

[PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features by default

[Colin Pinnell McAllister]

TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
OpenSSL's legacy module contains deprecated and unmaintained components.
This series disables legacy support by default in both OpenSSL and
python3-cryptography, requiring users to explicitly opt-in if needed.

The first two patches add packageconfig options to control legacy TLS
protocol support and the legacy OpenSSL module. The final patch aligns
python3-cryptography with the new OpenSSL defaults.

Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
"no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
options that are disabled by default. While less disruptive to enable
the "no-*" options by default, using affirmative options provides
consistency with the new "legacy" option and is clearer than having
default-enabled "no-*" options.

V2 changes:
* Added a backport of the TLS test fix from GH-144790 to fix test
  failures with TLS 1.2 as the minimum version when TLS 1.0 and 1.1 are disabled.
* Updated TLS patch commit message to be more clear as "1.x" could also
  apply to TLS 1.2/1.3
* Removed conditional logic to add the legacy package based on the
  packageconfig setting
* Moved OpenSSL legacy package to an rrecommends for libcrypto and
  ptests

Testing:
* For OpenSSL legacy package:
  ptests ran: openssl and python3-cryptography
  * legacy enabled, legacy-openssl disabled: Builds and ptests pass
  * legacy enabled, legacy-openssl enabled: Builds and ptests pass
  * legacy disabled, legacy-openssl enabled: Build fails as expected,
    with "Nothing provides openssl-ossl-module-legacy"
  * legacy disabled, legacy-openssl disabled: Builds and ptests pass
* For TLS 1.0/1.1 changes:
  ptests ran: openssl and python3
  * tls1 disabled, tls1_1 disabled: Builds and ptests pass
  * tls1 disabled, tls1_1 enabled: Builds and ptests pass
  * tls1 enabled, tls1_1 disabled: Builds and ptests pass
  * tls1 enabled, tls1_1 enabled: Builds and ptests pass

Colin Pinnell McAllister (4):
  python3: Backport TLS test fix
  openssl: Disable TLS 1.0/1.1 by default
  openssl: Add legacy packageconfig option
  python3-cryptography: Disable legacy-openssl by default

 .../openssl/openssl_3.5.5.bb                  |  8 ++--
 .../python/python3-cryptography.bb            |  2 +-
 ...Allow-TLS-v1.2-to-be-minimum-version.patch | 39 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.14.2.bb |  1 +
 4 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch

-- 
2.53.0

[PATCH v2 1/4] python3: Backport TLS test fix

[Colin Pinnell McAllister]

Backports fix for Python3 that allows TLS 1.2 to be the minimum version.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
v2 changes:
* Add this patch to fix python3 ptest build failures

 ...Allow-TLS-v1.2-to-be-minimum-version.patch | 39 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.14.2.bb |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch

diff --git a/meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch b/meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch
new file mode 100644
index 0000000000..3b0e98bf51
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch
@@ -0,0 +1,39 @@
+From bcd6e2535cb0dbf72b677eb6bddb644cb035ed51 Mon Sep 17 00:00:00 2001
+From: Colin McAllister <colinmca242@gmail.com>
+Date: Fri, 13 Feb 2026 11:17:53 -0600
+Subject: [PATCH 1/1] gh-144787: [tests] Allow TLS v1.2 to be minimum version
+ (GH-144790)
+
+Allow TLS v1.2 to be minimum version
+
+Updates test_min_max_version to allow TLS v1.2 to be minimum version if
+TLS 1.0 and 1.1 are disabled in OpenSSL.
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f24009feeb78f605a3ee177d9e7cfb63d5890ee1]
+
+Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
+---
+ Lib/test/test_ssl.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 6023c89bca..7e9ba735b3 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -1156,7 +1156,12 @@ def test_min_max_version(self):
+         ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
+         self.assertIn(
+             ctx.maximum_version,
+-            {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.SSLv3}
++            {
++                ssl.TLSVersion.TLSv1,
++                ssl.TLSVersion.TLSv1_1,
++                ssl.TLSVersion.TLSv1_2,
++                ssl.TLSVersion.SSLv3,
++            }
+         )
+ 
+         ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
+-- 
+2.49.1
+
diff --git a/meta/recipes-devtools/python/python3_3.14.2.bb b/meta/recipes-devtools/python/python3_3.14.2.bb
index 7481e70e13..6324151f4e 100644
--- a/meta/recipes-devtools/python/python3_3.14.2.bb
+++ b/meta/recipes-devtools/python/python3_3.14.2.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 	   file://0001-test_pyrepl-skip-test_unix_console.test_cursor_back_.patch \
 	   file://0001-test_sysconfig-skip-test_sysconfig.test_sysconfigdat.patch \
            file://0001-Skip-flaky-test_default_timeout-tests.patch \
+           file://0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch \
            "
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
-- 
2.53.0

[PATCH v2 2/4] openssl: Disable TLS 1.0/1.1 by default

[Colin Pinnell McAllister]

TLS 1.0 and TLS 1.1 have been deprecated by the IETF since 2021.
Disables support by default in packageconfig, requiring users to
explicitly opt-in for these deprecated protocols.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617b..6b9ccef0b5 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -29,8 +29,8 @@ PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-PACKAGECONFIG[no-tls1] = "no-tls1"
-PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[tls1] = ",no-tls1"
+PACKAGECONFIG[tls1_1] = ",no-tls1_1"
 PACKAGECONFIG[manpages] = ""
 PACKAGECONFIG[fips] = "enable-fips"
 
-- 
2.53.0

[PATCH v2 3/4] openssl: Add legacy packageconfig option

[Colin Pinnell McAllister]

Add packageconfig option to enable legacy support (disabled by default).
The legacy module includes deprecated and unmaintained OpenSSL
components. Drops openssl-oss-module-legacy from a runtime depends to a
runtime recommends for ptest.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
v2 changes:
* Removed conditional logic to add the legacy package based on the
  packageconfig setting
* Moved ossl-module-legacy back to an rrecommends for libcrypto
* Moved ossl-module-legacy to an rrecommends for ptests instead of an
  rdepends

 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index 6b9ccef0b5..7f81b976ba 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -29,6 +29,7 @@ PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[legacy] = ",no-legacy"
 PACKAGECONFIG[tls1] = ",no-tls1"
 PACKAGECONFIG[tls1_1] = ",no-tls1_1"
 PACKAGECONFIG[manpages] = ""
@@ -277,7 +278,8 @@ CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
 RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
 RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines"
+RRECOMMENDS:${PN}-ptest += "${PN}-ossl-module-legacy"
 
 RDEPENDS:${PN}-bin += "openssl-conf"
 
-- 
2.53.0

[PATCH v2 4/4] python3-cryptography: Disable legacy-openssl by default

[Colin Pinnell McAllister]

Disable legacy-openssl support by default to match the openssl recipe.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
 meta/recipes-devtools/python/python3-cryptography.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index 366fda5e87..062b41807b 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -22,7 +22,7 @@ require ${BPN}-crates.inc
 
 inherit pypi python_maturin cargo-update-recipe-crates pkgconfig
 
-PACKAGECONFIG ??= "legacy-openssl"
+PACKAGECONFIG ??= ""
 PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy"
 
 export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY = "${@bb.utils.contains('PACKAGECONFIG', 'legacy-openssl', '0', '1', d)}"
-- 
2.53.0

Re: [OE-core] [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features by default

[Mathieu Dubois-Briand]

On Sat Feb 14, 2026 at 12:01 AM CET, Colin McAllister via lists.openembedded.org wrote:
> TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
> OpenSSL's legacy module contains deprecated and unmaintained components.
> This series disables legacy support by default in both OpenSSL and
> python3-cryptography, requiring users to explicitly opt-in if needed.
>
> The first two patches add packageconfig options to control legacy TLS
> protocol support and the legacy OpenSSL module. The final patch aligns
> python3-cryptography with the new OpenSSL defaults.
>
> Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
> "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
> options that are disabled by default. While less disruptive to enable
> the "no-*" options by default, using affirmative options provides
> consistency with the new "legacy" option and is clearer than having
> default-enabled "no-*" options.
>

Hi Colin,

Thanks for the new version.

I believe we have a new error:

ERROR: core-image-sato-1.0-r0 do_rootfs: Could not invoke dnf. Command '/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/recipe-sysroot-native/usr/bin/dnf -v --rpmverbosity=info -y -c /srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/dnf/dnf.conf --setopt=reposdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/yum.repos.d --installroot=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs --setopt=logdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/temp --repofrompath=oe-repo,/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/oe-rootfs-repo --nogpgcheck install dnf packagegroup-base-extended packagegroup-core-boot packagegroup-core-ssh-dropbear packagegroup-core-x11-base packagegroup-core-x11-sato pango-module-basic-fc psplash rpm run-postinsts lib32-connman-gnome lib32-pango-module-basic-fc locale-base-c locale-base-en-us locale-base-en-gb' returned 1:
...
Error: Transaction test error:
  file /etc/ssl/openssl.cnf conflicts between attempted installs of lib32-openssl-conf-3.5.5-r0.x86 and openssl-conf-3.5.5-r0.x86_64_v3

https://autobuilder.yoctoproject.org/valkyrie/#/builders/92/builds/3170

Can you have a look at the issue?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH v2 0/4] Disable OpenSSL and Python3-cryptography legacy features by default

[Mathieu Dubois-Briand]

On Sun Feb 15, 2026 at 5:43 PM CET, Mathieu Dubois-Briand wrote:
> On Sat Feb 14, 2026 at 12:01 AM CET, Colin McAllister via lists.openembedded.org wrote:
>> TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
>> OpenSSL's legacy module contains deprecated and unmaintained components.
>> This series disables legacy support by default in both OpenSSL and
>> python3-cryptography, requiring users to explicitly opt-in if needed.
>>
>> The first two patches add packageconfig options to control legacy TLS
>> protocol support and the legacy OpenSSL module. The final patch aligns
>> python3-cryptography with the new OpenSSL defaults.
>>
>> Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
>> "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
>> options that are disabled by default. While less disruptive to enable
>> the "no-*" options by default, using affirmative options provides
>> consistency with the new "legacy" option and is clearer than having
>> default-enabled "no-*" options.
>>
>
> Hi Colin,
>
> Thanks for the new version.
>
> I believe we have a new error:
>
> ERROR: core-image-sato-1.0-r0 do_rootfs: Could not invoke dnf. Command '/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/recipe-sysroot-native/usr/bin/dnf -v --rpmverbosity=info -y -c /srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/dnf/dnf.conf --setopt=reposdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/yum.repos.d --installroot=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs --setopt=logdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/temp --repofrompath=oe-repo,/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/oe-rootfs-repo --nogpgcheck install dnf packagegroup-base-extended packagegroup-core-boot packagegroup-core-ssh-dropbear packagegroup-core-x11-base packagegroup-core-x11-sato pango-module-basic-fc psplash rpm run-postinsts lib32-connman-gnome lib32-pango-module-basic-fc locale-base-c locale-base-en-us locale-base-en-gb' returned 1:
> ...
> Error: Transaction test error:
>   file /etc/ssl/openssl.cnf conflicts between attempted installs of lib32-openssl-conf-3.5.5-r0.x86 and openssl-conf-3.5.5-r0.x86_64_v3
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/92/builds/3170
>
> Can you have a look at the issue?
>
> Thanks,
> Mathieu

My bad, the issue probably comes from another patch. This series is
probably good.

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com