From 411c9ce2647389e415a2af0c445e787de9f82fa4 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Wed, 29 Sep 2021 18:45:10 -0700
Subject: [PATCH] Add openssl 1.0.2zb, remove old releases, fix lets encrypt

See the blog post for why we need to workaround this.

Signed-off-by: Tim Smith
---
 config/software/openssl.rb | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/config/software/openssl.rb b/config/software/openssl.rb
index f83087a46..cfae36ef2 100644
--- a/config/software/openssl.rb
+++ b/config/software/openssl.rb
@@ -23,17 +23,15 @@
 dependency "cacerts"
 dependency "openssl-fips" if fips_mode?
 
-default_version "1.0.2za" # do_not_auto_update
+default_version "1.0.2zb" # do_not_auto_update
 
 # Openssl builds engines as libraries into a special directory. We need to include
 # that directory in lib_dirs so omnibus can sign them during macOS deep signing.
 lib_dirs lib_dirs.concat(["#{install_dir}/embedded/lib/engines"])
 lib_dirs lib_dirs.concat(["#{install_dir}/embedded/lib/engines-1.1"]) if version.start_with?("1.1")
 
-# OpenSSL source ships with broken symlinks which windows doesn't allow.
-# So skip error checking with `extract: :lax_tar`
-if version.satisfies?("> 1.0.2u") && version.satisfies?("< 1.1.0")
- # 1.0.2u was the last public release of 1.0.2. Subsequent releases come from a support contract with OpenSSL Software Services
+# 1.0.2u was the last public release of 1.0.2. Subsequent releases come from a support contract with OpenSSL Software Services
+if version.satisfies?("< 1.1.0")
 source url: "https://s3.amazonaws.com/chef-releng/openssl/openssl-#{version}.tar.gz", extract: :lax_tar
 else
 # As of 2020-09-09 even openssl-1.0.0.tar.gz can be downloaded from /source/openssl-VERSION.tar.gz
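Review bot: The two-line comment explaining why `extract: :lax_tar` is needed (the source tarball contains symlinks that Windows cannot extract) is dropped from the hunk, but the `extract: :lax_tar` option itself survives on the `source url:` line in the `if` branch, so the next reader has no way to tell why strict extraction errors are being suppressed. I would reinstate it directly above the rewritten `if`: `# OpenSSL source ships with broken symlinks which windows doesn't allow.` / `# So skip error checking with \`extract: :lax_tar\``. It is also worth a sentence in the comment above `if version.satisfies?("< 1.1.0")` that dropping the `> 1.0.2u` lower bound now routes every 1.0.x version, including the public 1.0.2u and earlier, to the chef-releng S3 bucket; that is harmless while the version table only lists 1.0.2za and 1.0.2zb, but it is a behavioural change that the comment should record. The `if`/`else` block continues past the end of the hunk.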
@@ -43,14 +41,9 @@ end
 version("1.1.1l") { source sha256: "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" }
-version("1.1.1k") { source sha256: "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5" }
-version("1.1.1j") { source sha256: "aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf" }
-version("1.1.1i") { source sha256: "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242" }
+version("1.0.2zb") { source sha256: "b7d8f8c895279caa651e7f3de9a7b87b8dd01a452ca3d9327f45a9ef31d0c518" }
 version("1.0.2za") { source sha256: "86ec5d2ecb53839e9ec999db7f8715d0eb7e534d8a1d8688ef25280fbeee2ff8" }
-version("1.0.2y") { source sha256: "4882ec99f8e147ab26375da8a6af92efae69b6aef505234764f8cd00a1b81ffc" }
-version("1.0.2x") { source sha256: "79cb4e20004a0d1301210aee7e154ddfba3d6a33d0df1f6c5d3257cb915a59c9" }
-version("1.0.2w") { source sha256: "a675ad1a9df59015cebcdf713de76a422347c5d99f11232fe75758143defd680" }
 
 relative_path "openssl-#{version}"
@@ -87,6 +80,9 @@
 "shared",
 ]
 
+ # https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+ configure_args += [ "-DOPENSSL_TRUSTED_FIRST_DEFAULT" ] if version.satisfies?("> 1.0.2zb") && version.satisfies?("< 1.1.0")
+
 configure_args += ["--with-fipsdir=#{install_dir}/embedded", "fips"] if fips_mode?
 
 configure_cmd =
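Review bot: The guard on the new `configure_args` line, `version.satisfies?("> 1.0.2zb")`, is a strict comparison and so excludes 1.0.2zb itself, which the first hunk makes the `default_version` and the second hunk makes the newest 1.0.2 entry in the version table; as written, `-DOPENSSL_TRUSTED_FIRST_DEFAULT` is never passed for any version this file can currently build, and the Let's Encrypt fix named in the commit subject does not take effect. If the compile-time option is available in 1.0.2zb, as the commit message implies, the line should read `configure_args += [ "-DOPENSSL_TRUSTED_FIRST_DEFAULT" ] if version.satisfies?(">= 1.0.2zb") && version.satisfies?("< 1.1.0")`; if it is deliberately reserved for a later release, the comment should say which one. The bare URL comment above it would also benefit from one line stating what the define does, e.g. `# Make "trusted first" chain building the default so 1.0.2 does not fail on the expired cross-signed Let's Encrypt root; 1.1.x already behaves this way.` (confirm the wording against the linked post). The enclosing `build do` block starts and ends outside the hunk, so the earlier `configure_args = [...]` assignment this appends to is not visible here.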