tree: ac3580f170a8fab7c3be581246730d86ec20a497 [path history] [tgz]
  1. files/
  2. Manifest
  3. metadata.xml
  4. openssl-1.1.1v.ebuild

OpenSSL ebuild notes

The Chrome OS openssl ebuild carries the following modifications vs. upstream:

  • ${P}-blocklist.patch - a code change that allows blocklisting of certificates by serial or hash. This is useful for quickly blocking known-bad certificates. The patch for this isn‘t exactly ideal (it checks each cert in a chain against the file system), so ideally this would be cleaned up to use a better implementation and/or upstream facilities (this was implemented years ago, it’s possible that there's a better-supported way available now).

  • ${P}-chromium-compatibility.patch - allows relaxing certificate validation to match earlier OpenSSL versions, controlled via environment variables. We should really drop this - see b/172208472.

  • cros_optimize_package_for_speed - what it says on the label... ;-)

  • files/openssl.cnf.compat - Similar to chromium-compatibility.patch, this makes OpenSSL behavior match previous versions more closely by disabling support for crypto (notably TLS 1.3 since it no longer supports RSA with PKCS#1 padding, which is the only option since the chaps integration doesn't work with RSA-PSS) and drops the OpenSSL security level to 0 to keep outdated crypto working (namely MD5 in certificate validation, sigh). All this should get dropped, see b/172208472.