F41 Change Proposal: Disable openSSL Engine Support (system-wide)

dbelyavs · March 8, 2024, 8:48pm

Disable Openssl engine support

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Wiki
Announced

Summary

We disable support of engines in OpenSSL

Owner

Name: Dmitry Belyavskiy
Email: dbelyavs@redhat.com

Detailed Description

We are going to build OpenSSL without engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon.

Feedback

Benefit to Fedora

We get rid of deprecated functionality and enforce using up-to-date API. Engine support is deprecated in OpenSSL upstream, and after provider migration caused some deficiencies with engine support. No new features will be added to engine. So we reduce maintenance burden and potentially attack surface.

It follows approach planned for CentOS 10.

Scope

Proposal owners: maintainers of packages enumerated here: CentOS-Stream-10-20240227.d.0 results plus probably owners of some Fedora-only packages

For most of the packages the maintainers will just have to rebuild their packages after the OpenSSL change lands in compose. For several packages some patches should be implemented to prevent compilation errors.

Other developers: -
Release engineering: #Releng issue number

This change probably requires mass-rebuild.

Policies and guidelines: We need reject/modify packages providing OpenSSL engines
Trademark approval: N/A (not needed for this Change)
Alignment with Community Initiatives:

Upgrade/compatibility impact

OpenSSL engines will no longer be supported. Engines will not be supported in openssl configuration files (presumably silently ignored). Users will have to reconfigure systems to providers if they use engines.

How To Test

OpenSSL libcrypto.so doesn’t export any ENGINE_* symbols (~120 lines). Application is normally built.

User Experience

Users will have to reconfigure systems to providers if they use engines. No other changes are expected.

Dependencies

In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use ENGINE api.

Contingency Plan

Reenable engine support but remove engine header file to allow old applications work preventing appearing new ones.

Contingency mechanism: (What to do? Who will do it?) rebuild OpenSSL and dependent packages
Contingency deadline: beta freeze?
Blocks release? Yes

Documentation

TBD

Release Notes

TBD

amoloney · March 19, 2024, 7:01pm

This change proposal has now been submitted to FESCo with ticket #3182 for voting.

To find out more, please visit our Changes Policy documentation.

amoloney · May 21, 2024, 11:18am

This change has been rejected by FESCo for Fedora Linux 41.

To find out more about how our changes policy works, please visit our docs site.

Topic		Replies	Views
F41 Change Proposal: OpenSSL Deprecate Engine (system-wide) Change Proposals fesco , f41	12	756	December 6, 2024
F43 change Proposal: Disabling support of building OpenSSL engines (system-wide) Change Proposals fesco , f43	20	223	March 10, 2025
F41 Change Proposal: Make OpenSSL distrust SHA-1 signatures by default (system-wide) Change Proposals fesco , f41	9	561	November 12, 2024
F41 Change Proposal: RPM 4.20 (System-Wide) Change Proposals fesco , f41	62	1130	November 12, 2024
F42 Change Proposal: Remove fips-mode-setup (system-wide) Change Proposals fesco , f42	15	391	February 18, 2025