fix: Use vendored openssl on redhat platforms to enable bump of libcurl which requires openssl 3.0.0

craigcomstock · craigcomstock · commit 7278e23917b7 · 2026-03-13T09:08:40.000-05:00
Previously we had stopped vendoring openssl due to conflicts with libpam for user management. Now we will try disabling the use of libpam on redhat platforms in preference for upgrading libcurl. Ticket: ENT-13750
diff --git a/build-scripts/compile-options b/build-scripts/compile-options
@@ -38,19 +38,6 @@ if [ x"$SYSTEM_SSL" = x ]
 then
     # default to using cfengine openssl
     SYSTEM_SSL=0
-    # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
-    _OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)"
-    if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
-    then
-        SYSTEM_SSL=1
-    fi
-    if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
-    then
-        if expr "$_OS_MAJOR_VERSION" ">=" "15"
-        then
-            SYSTEM_SSL=1
-        fi
-    fi
     # Detect using system ssl when running a Jenkins job
     if expr x"$label" ":" ".*systemssl" >/dev/null
     then
diff --git a/build-scripts/configure b/build-scripts/configure
@@ -63,10 +63,22 @@ case "$WITH_SYSTEMD" in
   *)    var_append ARGS "--without-systemd-service" ;;
 esac
 
-# RHEL 8 requires an SELinux policy
+# RHEL 8+ requires an SELinux policy and --without-pam to use vendored openssl
 if [ "x$OS" = "xrhel" ] && [ "${VER%\.*}" -gt "7" ]; then
   var_append ARGS "--with-selinux-policy"
 fi
+# rhel >= 7 or opensuse >= 15 need --without-pam in order to use vendored openssl
+if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
+then
+    var_append ARGS "--without-pam"
+fi
+if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
+then
+    if expr "$_OS_MAJOR_VERSION" ">=" "15"
+    then
+        var_append ARGS "--without-pam"
+    fi
+fi
 
 # Cross-compiling Windows?
 case "$ARCH-${OS_FAMILY}" in
diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
@@ -19,11 +19,11 @@ mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-%define ssl_prefix /usr
-%else
+#%if %{?rhel}%{!?rhel:0} > 7
+#%define ssl_prefix /usr
+#%else
 %define ssl_prefix %{prefix}
-%endif
+#%endif
 
 ./configure \
     --with-sysroot=%{prefix} \
diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec
@@ -21,12 +21,12 @@ mkdir -p %{_builddir}
 
 %patch0 -p0
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-CPPFLAGS=-I%{buildprefix}/include:/usr/include
-%else
+## we don't bundle OpenSSL on RHEL 8 (and newer in the future)
+#%if %{?rhel}%{!?rhel:0} > 7
+#CPPFLAGS=-I%{buildprefix}/include:/usr/include
+#%else
 CPPFLAGS=-I%{buildprefix}/include
-%endif
+#%endif
 
 #
 # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU.
diff --git a/deps-packaging/openssl/0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch b/deps-packaging/openssl/0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch
@@ -25,9 +25,9 @@ index 97454a4b81..299323390c 100644
 @@ -11,7 +11,7 @@
  
  #ifdef OPENSSL_SYS_VMS
-   /* So fd_set and friends get properly defined on OpenVMS */
--# define _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
+ /* So fd_set and friends get properly defined on OpenVMS */
+-#define _XOPEN_SOURCE_EXTENDED
++#define _XOPEN_SOURCE_EXTENDED 1
  #endif
  
  #include <stdio.h>
diff --git a/deps-packaging/zlib/AIX_LDSHARED.patch b/deps-packaging/zlib/AIX_LDSHARED.patch
diff --git a/deps-packaging/zlib/cfbuild-zlib.spec b/deps-packaging/zlib/cfbuild-zlib.spec
@@ -3,7 +3,6 @@ Name: cfbuild-zlib
 Version: %{version}
 Release: 1
 Source0: zlib-1.3.2.tar.gz
-Patch0: AIX_LDSHARED.patch
 License: MIT
 Group: Other
 Url: https://cfengine.com
@@ -17,7 +16,6 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n zlib-1.3.2
 
-%patch0 -p1
 
 %build
 
diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -27,21 +27,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 # cfbs/Build requires Python 3.5+ (not available on RHEL 6)
 %if %{?rhel}%{!?rhel:0} == 7
 Requires: python3 >= 3.5
@@ -98,11 +83,6 @@ rm -f %{prefix}/ssl/misc/tsget
 rm -f %{prefix}/ssl/openssl.cnf.dist
 rm -f %{prefix}/ssl/misc/tsget.pl
 
-# Add an openssl symlink if openssl binary doesn't exist
-if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then
-  ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl
-fi
-
 # Hub does not need cf-upgrade, it is only present in host packages
 rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade
 
@@ -239,12 +219,10 @@ exit 0
 # Note that prefix/bin/openssl is outside of `if`, since
 # on RHEL8 it's a symlink to a system-wide openssl binary
 %{prefix}/bin/openssl
-%if %{?rhel}%{!?rhel:0} <= 7
 %dir %{prefix}/ssl
 %{prefix}/ssl/openssl.cnf
 %{prefix}/ssl/ct_log_list.cnf
 %{prefix}/ssl/ct_log_list.cnf.dist
-%endif
 
 %prefix/bin/git
 %prefix/bin/gitk
diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in
@@ -23,21 +23,6 @@ Recommends: gzip
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 AutoReqProv: no
 
 %if %{?with_debugsym}%{!?with_debugsym:0}
