[PATCH] package: openssl: Enable built engines per default

Florian Eckert fe at dev.tdt.de
Fri Apr 23 07:10:56 BST 2021

Hello Daniel,
Hello Eneas,

On 2021-04-23 01:36, Eneas U de Queiroz wrote:
> On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger <daniel at dd-wrt.com> 
> wrote:
>> Automatically enable an engine in the openssl.cnf if it has been 
>> build.
>> Before this change, /etc/openssl.cnf had to be edited manually on the
>> system to enable the engine.
>> +define Package/libopenssl-conf/enable
>> +       $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i 
>> s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf)
>> +endef
>>  define Package/libopenssl-conf/install
>>         $(INSTALL_DIR) $(1)/etc/ssl
>>         $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
>> +       $(call Package/libopenssl-conf/enable,$(1),devcrypto)
>> +       $(call Package/libopenssl-conf/enable,$(1),afalg)
>> +       $(call Package/libopenssl-conf/enable,$(1),padlock)

> I do like the idea, though. My first thought was to add an install
> script to the engine packages.  The problem is that the config file
> may have been changed in a way that sed may produce unwanted results.

How about if we create a uci default script and check on the running 
system what is installed?
And then we could generate a file and add or remove an include line form 
the openssl.cnf [1]?

> Another option, which may be the easiest and safest, is to use your
> approach, but only uncomment the engines built into the firmware (=y),
> and not the ones built as modules.

I think this is not an option, because not all want to have all engines 

That is my opinion.
Thanks florian

[1] https://github.com/openssl/openssl/blob/master/apps/openssl.cnf#L10

More information about the openwrt-devel mailing list