The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
For details on how to fill out this form, see the documentation.
To report an issue with this template, file an issue in the pgm_docs repo.
Change Proposal Name Disabling support of building OpenSSL engines
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
We disable support of building engines in OpenSSL and remove the deprecated openssl-devel-engine subpackage.
Owner
- Name: Dmitry Belyavskiy
- Email: dbelyavs@redhat.com
Current status
- Targeted release: Fedora Linux 43
- Last updated: 2025-02-10
- [<link to devel-announce post will be added by Wrangler> Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
We are going to build OpenSSL without engine support. Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is covered by providers. The package necessary to build engines (openssl-devel-engine) is already declared as deprecated and will be removed. For the applications that still unconditionally refer to openssl/engine.h we will provide a dummy engine.h file
Feedback
Benefit to Fedora
We get rid of deprecated functionality and enforce using up-to-date API. Engine support is deprecated in OpenSSL upstream, and after provider migration caused some deficiencies with engine support. No new features will be added to engine. So we reduce maintenance burden and potentially attack surface.
Scope
- Proposal owners: maintainers of packages relying to openssl engine funcionality
- Other developers:
- Release engineering: #Releng issue number
This change probably requires mass-rebuild.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
OpenSSL engines will no longer be supported. Engines will not be supported in openssl configuration files (presumably silently ignored). Users will have to reconfigure systems to providers if they use engines.
Early Testing (Optional)
Do you require 'QA Blueprint' support? Y/N
How To Test
Applications using OpenSSL ENGINE API can't be built. ENGINE API is still exported by libcrypto.
User Experience
Users will have to reconfigure systems to providers if they use engines. No other changes are expected.
Dependencies
In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use ENGINE api.
Contingency Plan
Reenable openssl-devel-engine package keeping it deprecated
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
TBD
N/A (not a System Wide Change)
Release Notes
TBD
