public inbox for git-commits@fedoraproject.org
From: Dmitry Belyavskiy <beldmit@gmail.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl3] rawhide: We ship a config file without any include directives
Date: Mon, 08 Jun 2026 11:08:29 GMT
Message-ID: <178091690971.1.9947646779535145642.rpms-openssl3-a4b8977bd756@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/openssl3
Branch : rawhide
Commit : a4b8977bd756b3fda2797439471c9cee4a1bcba7
Author : Dmitry Belyavskiy <beldmit@gmail.com>
Date   : 2026-06-08T13:07:37+02:00
Stats  : +27/-7 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl3/c/a4b8977bd756b3fda2797439471c9cee4a1bcba7?branch=rawhide

Log:
We ship a config file without any include directives

---
diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
index ef9529d..66e80e1 100644
--- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
+++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
@@ -47,7 +47,7 @@ new file mode 100644
 index 0000000000..fe2346eb2b
 --- /dev/null
 +++ b/rh-openssl.cnf
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,418 @@
 +#
 +# OpenSSL example configuration file.
 +# See doc/man5/config.pod for more info.
@@ -122,8 +122,8 @@ index 0000000000..fe2346eb2b
 +##[legacy_sect]
 +##activate = 1
 +
-+#Place the third party provider configuration files into this folder
-+.include /etc/pki/tls/openssl3.d
++##Place the third party provider configuration files into this folder
++#.include /etc/pki/tls/openssl3.d
 +
 +
 +[ ssl_module ]
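Review bot: The comment kept as `##Place the third party provider configuration files into this folder` still tells administrators to drop provider configuration into /etc/pki/tls/openssl3.d, but with the `.include` on the next line commented out those files are no longer read by this package. Suggest rewording the comment to say that the include is intentionally disabled in the compat package (the changelog entry gives the reason), so that a provider which fails to load is not mistaken for a packaging bug.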
@@ -131,8 +131,23 @@ index 0000000000..fe2346eb2b
 +system_default = crypto_policy
 +
 +[ crypto_policy ]
++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
++TLS.MinProtocol = TLSv1.2
++TLS.MaxProtocol = TLSv1.3
++DTLS.MinProtocol = DTLSv1.2
++DTLS.MaxProtocol = DTLSv1.2
++SignatureAlgorithms = ?mldsa44:?mldsa65:?mldsa87:?ECDSA+SHA256:?ECDSA+SHA384:?ECDSA+SHA512:?ed25519:?ed448:?rsa_pss_pss_sha256:?rsa_pss_pss_sha384:?rsa_pss_pss_sha512:?rsa_pss_rsae_sha256:?rsa_pss_rsae_sha384:?rsa_pss_rsae_sha512:?RSA+SHA256:?RSA+SHA384:?RSA+SHA512:?ECDSA+SHA224:?RSA+SHA224
++Groups = *?X25519MLKEM768:?x25519_mlkem768:?SecP256r1MLKEM768:?p256_mlkem768:?SecP384r1MLKEM1024:?p384_mlkem1024/*?X25519:?secp256r1:?X448:?secp521r1:?secp384r1:?ffdhe2048:?ffdhe3072:?ffdhe4096:?ffdhe6144:?ffdhe8192
++
++[req]
++default_bits = 2048
 +
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
++[openssl_init]
++alg_section = evp_properties
++
++[evp_properties]
++rh-allow-sha1-signatures = no
 +
 +####################################################################
 +[ ca ]
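Review bot: The values added under `[ crypto_policy ]` replace `.include = /etc/crypto-policies/back-ends/opensslcnf.config` with fixed settings, and nothing in the file records that they are a copy of the DEFAULT policy or that this package no longer follows the system-wide policy selection. Suggest a comment above `CipherString` naming the policy and the crypto-policies version it was taken from, so that later drift in `@SECLEVEL`, `TLS.MinProtocol` or `rh-allow-sha1-signatures` can be audited against the system policy. It is also worth confirming that the `[req]` and `[openssl_init]` headers introduced here combine as intended with any sections of the same name elsewhere in rh-openssl.cnf, which this hunk does not show.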

diff --git a/openssl3.spec b/openssl3.spec
index f6ebbb5..b8900e6 100644
--- a/openssl3.spec
+++ b/openssl3.spec
@@ -34,7 +34,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl3
 Version: 3.5.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -140,7 +140,8 @@ Provides: deprecated()
 %description libs
 OpenSSL is a toolkit for supporting cryptography. The openssl-libs
 package contains the libraries that are used by various applications which
-support cryptographic algorithms and protocols.
+support cryptographic algorithms and protocols. This version provides libs
+for OpenSSL 3.5 for compatibility purposes.
 
 %package devel
 Summary: Files for development of applications which will use OpenSSL
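Review bot: The extended `%description libs` text still says "The openssl-libs package" although the spec sets `Name: openssl3`, and the added sentence abbreviates to "libs" where the rest of the paragraph says "libraries". Suggest naming the package consistently and writing the new sentence out, for example "This package provides the OpenSSL 3.5 libraries for compatibility purposes."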
@@ -494,8 +495,12 @@ fi
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Jun 08 2026 Dmitry Belyavskiy <beldmit@gmail.com> - 1:3.5.6-4
+- We don't use include directives in the compat package to avoid interference
+  with the upcoming 4.0 release. We use the DEFAULT crypto policy instead.
+
 * Tue Apr 28 2026 Dmitry Belyavskiy <beldmit@gmail.com> - 1:3.5.6-3
-- Adjusted dependencies. Added 'Provides: deprectaed()' for all the subpackages
+- Adjusted dependencies. Added 'Provides: deprecated()' for all the subpackages
 
 * Fri Apr 10 2026 Dmitry Belyavskiy <beldmit@gmail.com> - 1:3.5.6-2
 - rebuilt
