F41 Change Proposal: OpenSSL Deprecate Engine (system-wide)

Deprecate Openssl engine support

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Wiki
Announced

:link: Summary

We disable building the packages using ENGINE API in OpenSSL without breaking ABI.

:link: Owner

:link: Detailed Description

We are going to deprecate OpenSSL engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers or will be covered soon.

We don’t plan to remove the API from libcrypto.so. We are going to prevent creating the new packages dependent on OpenSSL ENGINE API and remove ENGINE dependencies from the existing packages.

During discussion of the previous proposal - to completely remove the ENGINE API - there were many relevant arguments why it shouldn’t be done. We agree with them but still want to deprecate the ENGINE support to simplify removing it in the earliest release when it’s feasible.

:link: Feedback

:link: Benefit to Fedora

We get rid of deprecated functionality and enforce using up-to-date API. Engine support is deprecated in OpenSSL upstream, and after provider migration caused some deficiencies with engine support. No new features will be added to engine. So we reduce maintenance burden and potentially attack surface.

It follows approach planned for CentOS 10.

:link: Scope

For most of the packages the maintainers will just have to rebuild their packages after the OpenSSL change lands in compose. For several packages some patches should be implemented to prevent compilation errors.

This change probably requires mass-rebuild.

  • Policies and guidelines: We need reject/modify packages providing OpenSSL engines

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Community Initiatives:

:link: Upgrade/compatibility impact

None. Users will be encouraged to switch their configurations to use providers instead but existing engines will continue working.

:link: How To Test

OpenSSL libcrypto.so exports the same ENGINE_* symbols as for f40. Applications relying on the ENGINE API can’t be built but still work.

:link: User Experience

Users will be encouraged to reconfigure systems to providers if they use engines. No other changes are expected.

:link: Dependencies

In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use ENGINE api.

:link: Contingency Plan

Returning the engine header file to allow old applications to be built.

  • Contingency mechanism: (What to do? Who will do it?) rebuild OpenSSL and dependent packages
  • Contingency deadline: beta freeze?
  • Blocks release? Yes

:link: Documentation

TBD

:link: Release Notes

TBD

1 Like

This change proposal has now been submitted to FESCo with ticket #3193 for voting.

To find out more, please visit our Changes Policy documentation.

How do you feel about the proposal as written?
  • Strongly in favor
  • In favor, with reservations
  • Neutral
  • Opposed, but could be convinced
  • Strongly opposed
0 voters

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply giving that post a :heart: instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

As stated in the previous discussion, STRONGLY OPPOSE unless the headers are agreed to be shipped for users who are using non-Fedora shipped engines. The headers can be shipped in another package (requiring a BR change), but they MUST be shipped with Fedora, and not as a maybe contingency at a later time. I had thought the proper had agreed to that, but it appears that this has gone backwards.

1 Like