From Fedora Project Wiki


Disabling support of building OpenSSL engines

This is a rejected Change proposal for Fedora Linux.
This document represents a proposed Change that has been rejected or withdrawn as part of the Changes process. This page is preserved for historical record.

Summary

We disable support for building engines in OpenSSL and remove the deprecated openssl-devel-engine subpackage.

Owner


Current status

Detailed Description

We are going to build OpenSSL without engine support. Engines are not FIPS compatible, and the corresponding API has been deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is covered by providers. The package necessary to build engines (openssl-devel-engine) is already declared deprecated and will be removed. For applications that still unconditionally refer to openssl/engine.h, we will provide a dummy engine.h file.

Feedback

Benefit to Fedora

We get rid of deprecated functionality and enforce use of the up-to-date API. Engine support is deprecated in OpenSSL upstream, and the migration to providers has caused some deficiencies in engine support. No new features will be added to engines. So we reduce the maintenance burden and potentially the attack surface.

Scope

  • Proposal owners: maintainers of packages relying on OpenSSL engine functionality

Thanks to Richard W.M. Jones for providing this list:

  • bind-32:9.18.33-1.fc43.src
  • boinc-client-8.0.2-2.fc42.src
  • cpprest-2.10.19-6.fc42.src
  • curl-8.12.1-1.fc43.src
  • dotnet8.0-8.0.113-1.fc43.src
  • erlang-26.2.5.9-1.fc43.src
  • fsverity-utils-1.6-2.fc42.src
  • fuse-encfs-1.9.5-24.fc42.src
  • gambas3-3.20.1-2.fc43.src
  • gdal-3.10.2-3.fc43.src
  • grpc-1.48.4-46.fc43.src
  • hitch-1.8.0-7.fc42.src
  • httping-3.6-2.fc42.src
  • kea-2.6.1-8.fc43.src
  • libcoap-4.3.5-7.fc42.src
  • minizip-ng-4.0.8-3.fc42.src
  • mosquitto-2.0.20-5.fc43.src
  • mstflint-4.25.0-8.fc42.src
  • myproxy-6.2.16-8.fc42.src
  • mysql8.0-8.0.40-3.fc42.src
  • nbdkit-1.42.0-2.fc43.src # I fixed this one yesterday
  • nextcloud-client-3.15.3-2.fc42.src
  • nrpe-4.1.3-2.fc42.src
  • ocspd-1.9.0-34.fc43.src
  • openssl-gost-engine-3.0.3-6.fc42.src
  • openssl-pkcs11-0.4.13-2.fc42.src
  • osslsigncode-2.9-3.fc42.src
  • pdns-4.9.3-1.fc42.src
  • pdns-recursor-5.2.0-2.fc42.src
  • poedit-3.5.2-3.fc42.src
  • proxygen-2025.02.03.00-1.fc43.src
  • pypy3.10-7.3.17-5.3.10.fc42.src
  • pypy3.9-7.3.16-4.3.9.fc42.src
  • pypy-7.3.17-2.fc42.src
  • qbittorrent-1:5.0.3-2.fc42.src
  • R-AsioHeaders-devel-1.22.1.2-2.fc42.noarch
  • rb_libtorrent-2.0.11-1.fc42.src
  • root-6.34.04-2.fc43.src
  • R-openssl-2.2.0-2.fc42.src
  • s2n-tls-1.5.10-2.fc42.src
  • sbsigntools-0.9.5-8.fc42.src
  • sendmail-8.18.1-5.fc42.src
  • sslsplit-0.5.5-16.fc42.src
  • strongswan-5.9.14-5.fc41.src
  • stunnel-5.74-2.fc42.src
  • systemd-257.3-7.fc43.src
  • tinc-1.0.36-15.fc42.src
  • tor-0.4.8.13-2.fc42.src
  • tpm2-tss-engine-1.2.0-7.fc42.src
  • trafficserver-9.2.6-1.fc42.src
  • trojan-1.16.0-27.fc42.src
  • uboot-tools-1:2025.04-0.4.rc2.fc43.src
  • ufdbGuard-1.35.8-5.fc43.src
  • uperf-1.0.8-6.fc42.src
  • websocketpp-0.8.2-17.fc42.src
  • wesnoth-1.19.9-1.fc43.src
  • workflow-0.11.7-2.fc42.src
  • wpa_supplicant-1:2.11-4.fc42.src
  • xca-2.7.0-2.fc42.src
  • xmms2-0.9.4-3.fc42.src
  • yadifa-2.6.7-2.fc42.src
  • znc-1.9.1-6.fc42.src
  • Other developers:

This change probably requires a mass rebuild.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

OpenSSL engines will no longer be supported. Engines will not be supported in OpenSSL configuration files (presumably silently ignored). Users who use engines will have to reconfigure their systems to use providers.
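Because engine sections in a configuration file are presumably ignored without an error, it helps to find them before upgrading. The check below is an added example, not part of this Change proposal or of OpenSSL: it lists the engines an openssl.cnf refers to. The sample configuration, its section names and the module path are constructed, and .include directives and $variable expansion are not handled.

```python
import re

# Constructed sample: an openssl.cnf that still loads a PKCS#11 engine.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
engines = engine_sect   # legacy engine hook

[provider_sect]
default = default_sect

[default_sect]
activate = 1

[engine_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/pkcs11.so
"""

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}.
    Simplification: '#' always starts a comment; no .include, no $var expansion."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def find_engines(text):
    """Follow openssl_conf -> engines -> per-engine sections; return (name, id, path)."""
    cnf = parse_cnf(text)
    init = cnf.get(cnf["default"].get("openssl_conf", ""), {})
    engine_list = cnf.get(init.get("engines", ""), {})
    return [(name, cnf.get(sect, {}).get("engine_id"), cnf.get(sect, {}).get("dynamic_path"))
            for name, sect in engine_list.items()]

if __name__ == "__main__":
    for name, engine_id, path in find_engines(SAMPLE_CNF):
        print(f"engine {name!r} (id={engine_id}, path={path}) needs a provider replacement")
```

An empty result means the file has no `engines` entry reachable from `openssl_conf`; applications that load engines through the ENGINE API at run time are not covered by this check.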


Early Testing (Optional)

Do you require 'QA Blueprint' support? Y/N

How To Test

Applications that use the OpenSSL ENGINE API can no longer be built. The ENGINE API is still exported by libcrypto.


User Experience

Users who use engines will have to reconfigure their systems to use providers. No other changes are expected.


Dependencies

In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use the ENGINE API.



Contingency Plan

Re-enable the openssl-devel-engine package, keeping it deprecated.

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

TBD

N/A (not a System Wide Change)

Release Notes

TBD