* [PATCH] openssl: add support for config snippet includes
@ 2026-02-13 17:47 Jan Luebbe
From: Jan Luebbe @ 2026-02-13 17:47 UTC (permalink / raw)
To: openembedded-core; +Cc: Jan Luebbe

This allows configuration (such as enabling providers) to be done by
adding snippet files to /usr/lib/ssl-3/openssl.cnf.d or
/etc/ssl/openssl.cnf.d instead of modifying a copy of the full
configuration file. As new snippets can be added from separate recipes,
targeted changes can be done in multiple layers.

For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
containing something like:
[default_sect]
activate = 1

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
pkcs11-module-path = /usr/lib/libckteec.so.0
pkcs11-module-quirks = no-operation-state no-deinit
pkcs11-module-encode-provider-uri-to-pem = true
activate = 1

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617ba5..7375867dd1df 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -186,6 +186,16 @@ do_install () {
fi
}
+do_install:append:class-target () {
+ # Add support for config snippet includes
+ echo "" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ echo ".include ${libdir}/ssl-3/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
+ echo ".include ${sysconfdir}/ssl/openssl.cnf.d" >> ${D}${sysconfdir}/ssl/openssl.cnf
+
+ install -d ${D}${libdir}/ssl-3/openssl.cnf.d
+ install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
+}
+
do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
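
Review bot: The `.include ${libdir}/ssl-3/openssl.cnf.d` line bakes a ${libdir}-dependent path into ${sysconfdir}/ssl/openssl.cnf, so in a multilib build where ${libdir} differs between variants each variant's package carries different contents for the same /etc/ssl/openssl.cnf, which can conflict at rootfs time. Consider a vendor snippet directory whose path is identical across multilib variants, or keep the variant-specific include out of the shared configuration file. Separately, a snippet in either directory can activate a provider and point it at an arbitrary module path, so create both directories with an explicit mode (for example `install -d -m 0755`) and note in the commit message that they must stay writable by root only. The append is also restricted to class-target, so it is worth stating whether nativesdk is meant to go without the includes.
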
--
2.47.3
* Re: [OE-core] [PATCH] openssl: add support for config snippet includes
From: Mathieu Dubois-Briand @ 2026-02-15 18:05 UTC (permalink / raw)
To: Jan Luebbe, openembedded-core
On Fri Feb 13, 2026 at 6:47 PM CET, Jan Luebbe wrote:
> This allows configuration (such as enabling providers) to be done by
> adding snippet files to /usr/lib/ssl-3/openssl.cnf.d or
> /etc/ssl/openssl.cnf.d instead of modifying a copy of the full
> configuration file. As new snippets can be added from separate recipes,
> targeted changes can be done in multiple layers.
>
> For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
> containing something like:
> [default_sect]
> activate = 1
>
> [provider_sect]
> pkcs11 = pkcs11_sect
>
> [pkcs11_sect]
> pkcs11-module-path = /usr/lib/libckteec.so.0
> pkcs11-module-quirks = no-operation-state no-deinit
> pkcs11-module-encode-provider-uri-to-pem = true
> activate = 1
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
Hi Jan,
Thanks for your patch.
It looks like this is failing on the autobuilder:
ERROR: core-image-sato-1.0-r0 do_rootfs: Could not invoke dnf. Command '/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/recipe-sysroot-native/usr/bin/dnf -v --rpmverbosity=info -y -c /srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/dnf/dnf.conf --setopt=reposdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs/etc/yum.repos.d --installroot=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/rootfs --setopt=logdir=/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/temp --repofrompath=oe-repo,/srv/pokybuild/yocto-worker/multilib/build/build/tmp/work/qemux86_64-poky-linux/core-image-sato/1.0/oe-rootfs-repo --nogpgcheck install dnf packagegroup-base-extended packagegroup-core-boot packagegroup-core-ssh-dropbear packagegroup-core-x11-base packagegroup-core-x11-sato pango-module-basic-fc psplash rpm run-postinsts lib32-connman-gnome lib32-pango-module-basic-fc locale-base-c locale-base-en-us locale-base-en-gb' returned 1:
...
Error: Transaction test error:
file /etc/ssl/openssl.cnf conflicts between attempted installs of lib32-openssl-conf-3.5.5-r0.x86 and openssl-conf-3.5.5-r0.x86_64_v3
https://autobuilder.yoctoproject.org/valkyrie/#/builders/92/builds/3170
Can you have a look at the issue?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com