tree: 9110e17070dd0c537986f2878b6f5483643108e7 [path history] [tgz]
  1. files/
  2. Manifest
  3. metadata.xml
  4. openssl-1.1.1i.ebuild

OpenSSL ebuild notes

The Chrome OS openssl ebuild carries the following modifications vs. upstream:

  • ${P}-blocklist.patch - a code change that allows blocklisting of certificates by serial or hash. This is useful for quickly blocking known-bad certificates. The patch for this isn‘t exactly ideal (it checks each cert in a chain against the file system), so ideally this would be cleaned up to use a better implementation and/or upstream facilities (this was implemented years ago, it’s possible that there's a better-supported way available now).

  • ${P}-chromium-compatibility.patch - allows relaxing certificate validation to match earlier OpenSSL versions, controlled via environment variables. We should really drop this - see b/172208472.

  • ${P}-ARM-assembly-pack.patch - fixes assembly to build for arm32

  • cros_optimize_package_for_speed - what it says on the label... ;-)

  • files/openssl.cnf.compat - Similar to chromium-compatibility.patch, this makes OpenSSL behavior match previous versions more closely by disabling support for crypto (notably TLS 1.3 since it no longer supports RSA with PKCS#1 padding, which is the only option since the chaps integration doesn't work with RSA-PSS) and drops the OpenSSL security level to 0 to keep outdated crypto working (namely MD5 in certificate validation, sigh). All this should get dropped, see b/172208472.