Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0
Component/s: stunnel
Labels:
- Accepted
- CY24Q3

Fixed in Build:
stunnel-5.72-5.el10
Regression:
None
Severity:
Important
Epic Link:
CRYPTO-14598
sprint_count:
2

Pool Team:

sst_security_crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
Crypto24Q2, Crypto24Q3

Acceptance Criteria:

Hide

AC: readelf --syms --wide /usr/bin/stunnel | grep ENGINE comes up empty

Show
AC: readelf --syms --wide /usr/bin/stunnel | grep ENGINE comes up empty
Git Pull Request:
https://gitlab.com/redhat/centos-stream/rpms/stunnel/-/merge_requests/11
Preliminary Testing:
Pass
Test Link:
https://pkgs.devel.redhat.com/cgit/tests/stunnel/tree/Regression/RHEL-33749-stop-using-OpenSSL-ENGINE-API-in-stunnel
Errata Link:
https://errata.engineering.redhat.com/advisory/135579
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Removed Functionality
Release Note Text:

Hide
Stunnel no longer supports the deprecated OpenSSL ENGINE API. The most common use was to access hardware security tokens using PKCS#11 through the openssl-pkcs11 package. As a replacement, you can use pkcs11-provider, which uses the new OpenSSL provider API.

Show
Stunnel no longer supports the deprecated OpenSSL ENGINE API. The most common use was to access hardware security tokens using PKCS#11 through the openssl-pkcs11 package. As a replacement, you can use pkcs11-provider, which uses the new OpenSSL provider API.
Release Note Status:
Proposed

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Dear colleagues,

Our scanning identified your component as one of the packages using OpenSSL ENGINE API.

Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either covered by providers maintained by Crypto Team now or will be covered soon.

We kindly ask you to implement patches or apply compiling options to eliminate the code relying on ENGINE API. Even if we don’t eliminate the ENGINE API completely for backward binary compatibility, the compilation of applications using the ENGINE API will soon become impossible.

We kindly ask you to add this work to the nearest sprint. We have a side-tag f41-build-side-86419 to build and a Copr build https://copr.fedorainfracloud.org/coprs/dbelyavs/openssl-no-engine/build/7107098/

Feel free to reach the Crypto team, Dmitry Belyavskiy, Sahana Prasad, or Clemens Lang directly if you have any problems with the necessary changes.

links to

RHBA-2024:135579 stunnel update

Assignee:: Clemens Lang

Reporter:: pme bot

Developer:: Clemens Lang

QA Contact:: Miluse Bezo Konecna

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/04/23 11:23 AM

Updated:: 2024/09/23 4:22 PM

Target end:: 2024/08/26

Details

Description

Attachments

Issue Links

Activity

People

Dates