[OpenWrt-Devel] [PATCH v2] openssl: change defaults: ENGINE:on, NPN:off, misc
dedeckeh at gmail.com
Wed Apr 17 05:28:10 EDT 2019
On Tue, Apr 16, 2019 at 10:12 PM Eneas U de Queiroz via openwrt-devel
<openwrt-devel at lists.openwrt.org> wrote:
> ---------- Forwarded message ----------
> From: Eneas U de Queiroz <cote2004-github at yahoo.com>
> To: openwrt-devel at lists.openwrt.org
> Cc: Eneas U de Queiroz <cote2004-github at yahoo.com>
> Date: Tue, 16 Apr 2019 17:12:15 -0300
> Subject: [PATCH v2] openssl: change defaults: ENGINE:on, NPN:off, misc
> Enable engine support by default. Right now, some packages require
> this, so it is always enabled by the bots. Many packages will compile
> differently when engine support is detected, needing engine symbols from
> the libraries.
> However, being off by default, a user compiling their own image will fail
> to run some popular packages from the official repo.
> Note that disabling engines did not work in 1.0.2, so this problem never
> showed up before.
> NPN support has been removed in major browsers & servers, and has become
> a small bloat, so it does not make sense to leave it on by default.
> Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.
> Signed-off-by: Eneas U de Queiroz <cote2004-github at yahoo.com>
Patch pushed to master
> v2: increase PKG_RELEASE
> diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
> index ecb9eea389..49f136e845 100644
> --- a/package/libs/openssl/Config.in
> +++ b/package/libs/openssl/Config.in
> @@ -96,7 +96,6 @@ config OPENSSL_WITH_DTLS
> config OPENSSL_WITH_NPN
> - default y
> prompt "Enable NPN support"
> NPN is a TLS extension, obsoleted and replaced with ALPN,
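Review bot: The help text for OPENSSL_WITH_NPN, of which this hunk shows only "NPN is a TLS extension, obsoleted and replaced with ALPN,", does not tell the user that the option is now off unless selected. With the "default y" line removed, no default line remains for the symbol in this hunk, so (assuming it is a bool symbol) it falls back to Kconfig's implicit n. A short sentence in the help, along the lines of "Disabled by default; enable only if a peer still requires NPN", would make the new behaviour explicit for anyone who remembers the old default.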
> @@ -246,10 +245,15 @@ comment "Engine/Hardware Support"
> config OPENSSL_ENGINE
> bool "Enable engine support"
> + default y
> This enables alternative cryptography implementations,
> most commonly for interfacing with external crypto devices,
> or supporting new/alternative ciphers and digests.
> + If you compile the library with this option disabled, packages built
> + using an engine-enabled library (i.e. from the official repo) may
> + fail to run. Compile and install the packages with engine support
> + disabled, and you should be fine.
> Note that you need to enable KERNEL_AIO to be able to build the
> afalg engine package.
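Review bot: The paragraph added to the OPENSSL_ENGINE help is a warning only. Nothing in this hunk makes the mismatch it describes (an engine-disabled library combined with packages built against an engine-enabled one) fail at build or install time, so the problem will still surface as a run-time failure. The last added sentence, "Compile and install the packages with engine support disabled, and you should be fine", is also ambiguous: say explicitly that the dependent packages have to be rebuilt against the engine-disabled library instead of being installed from the official repo.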
> @@ -271,12 +275,6 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
> This enables use of hardware acceleration through the
> AF_ALG kernel interface.
> -config OPENSSL_ENGINE_CRYPTO
> - # This symbol is deprecated. Currently it is used by the openssh package.
> - # Once openwrt/packages#8272 is merged, this can be safely removed.
> - bool
> - default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
> config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
> prompt "Acceleration support through /dev/crypto"
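Review bot: The removed comment on OPENSSL_ENGINE_CRYPTO says the symbol is still used by the openssh package and can only be dropped safely once openwrt/packages#8272 is merged, while the commit message says just that it "is no longer needed". Please state in the commit message that the PR has been merged, or that openssh no longer references the symbol, because any remaining reference would simply see the symbol unset once this definition is gone.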
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index cb25c5557c..49cea8e45a 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -11,7 +11,7 @@ PKG_NAME:=openssl
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org