[alpine-devel] Re: openssl 1.1 support

From: Timo Teras <>
Date: Wed, 24 Oct 2018 20:38:10 +0300

On Wed, 24 Oct 2018 17:19:50 +0200
Natanael Copa <> wrote:

> I didn't remember that I already had done testing/openssl1.1 so I
> re-did the work as testing/openssl. I think I'm losing it... :-/
> The plan is now to merge main/openssl1.0, testing/openssl1.1 and
> testing/openssl into a single main/openssl, rebuild all packages that
> currently are linked to libssl against openssl, and finally move
> main/libressl to community/libressl.

Thanks. Sounds like a plan.

> I have currently disabled weak crypto in openssl configure, I am not
> sure we need any of those, so I would appreciate some feedback there.
> I have also built it with no-async for now, but I think we may need
> to enable it for nodejs.

Ok. no-async should work with libucontext. Need to figure out how to
ship libucontext - as per-package dependency+extra LIBS flag; or
somehow sneak it in to libc-dev?

> Timo, do you think you can help with adding support for openssl 1.1 to
> apk-tools? Can you also look over the patch list[1] and see if there
> are some of those patches that we need? I suspect we need
> 0004-fix-default-ca-path-for-apps.patch[2], but it would be nice if
> you can confirm that.

Ok. Yes, they made some structs hidden, so need to go through the code
to allocate those dynamically. I'll work on this. Not sure if I get it
done this week - I'll try, but it may be early next week in the worst
case when I get to this.

I'll look at the patches too. Off the top of my head, I think we don't
need 100[1-4], they target VIA Padlock. I used to do them for a specific
need, but I don't need them anymore.

0003-use-termios.patch is not needed if it builds.

0004 we may need. To double check.

0009 we may need, it can be verified by checking rpath of
libraries/openssl binary with readelf. Though, they seem to have
revamped the build system so this needs to be checked.

0010-ssl-env-zlib.patch seems to be fixed upstream, by disabling
compression explicitly. You need an explicit openssl api call now to
enable ssl/tls compression. Not worth adding our environment var there,
so as not to add surprises to the user.

> There are also some patches that Fedora uses that we may want. Some of
> Fedora's patches are for multilib and FIPS support, which I don't think
> we care about (yet), but there are some that replace getenv() with
> secure_getenv(). I think we may want to do something similar. It would be
> nice if you can help me look over their patches[3] and let me know
> which ones of them you think we should take.
> Timo, do you want to continue to be listed as the maintainer for openssl? I
> will still help with the full "world" rebuild against openssl 1.1.

I can help with the work. I have been updating it and reviewing update
patches occasionally. But it seems others have made it before me
several times. I've been recently working on a few other things.

Thanks for this effort and making things go forward!

Received on Wed Oct 24 2018 - 20:38:10 GMT
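
The readelf check mentioned above for patch 0009, as an added example that is not part of the original message or of Alpine's tooling: it reads `readelf -d` output and prints every RPATH/RUNPATH directory that falls outside a trusted set. The trusted directory list, the function names and the sample dynamic section are assumptions constructed for illustration.

```shell
#!/bin/sh
# Directories considered safe in RPATH/RUNPATH (assumption; adjust per system).
TRUSTED_DIRS="/lib /usr/lib /usr/local/lib"

# rpath_entries: read `readelf -d` output on stdin and print one
# RPATH/RUNPATH directory per line (empty entries become empty lines).
rpath_entries() {
    sed -nE 's/^.*\((RPATH|RUNPATH)\).*\[(.*)\].*$/\2/p' | tr ':' '\n'
}

# flagged_rpath: print every entry that is not an exact match for a
# trusted directory. Build-tree paths, $ORIGIN-relative paths and empty
# entries are all reported so they can be reviewed by hand.
flagged_rpath() {
    rpath_entries | while IFS= read -r dir; do
        if [ -z "$dir" ]; then
            echo "<empty>"
            continue
        fi
        trusted=no
        for t in $TRUSTED_DIRS; do
            if [ "$dir" = "$t" ]; then trusted=yes; fi
        done
        [ "$trusted" = yes ] || echo "$dir"
    done
}

# Constructed sample of `readelf -d` output (not taken from a real build).
sample_dynamic_section() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.musl-x86_64.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib:/home/build/openssl/lib:$ORIGIN/../lib]
EOF
}

# Demo on the constructed sample; on a real system pipe in
#   readelf -d "$binary" | flagged_rpath
# where $binary is the library or openssl executable under review.
sample_dynamic_section | flagged_rpath
```

An empty result means every recorded search directory is in the trusted list; anything printed is a path the dynamic loader will search that the package does not control.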