
Commit 7278e23

committed
fix: Use vendored openssl on redhat platforms to enable bump of libcurl which requires openssl 3.0.0
Previously we had stopped vendoring openssl due to conflicts with libpam for user management. Now we will try disabling the use of libpam on redhat platforms in favor of upgrading libcurl. Ticket: ENT-13750
1 parent f478fb0 commit 7278e23


9 files changed

+25
-86
lines changed


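--- a/build-scripts/compile-options
+++ b/build-scripts/compile-options
@@ -38,19 +38,6 @@ if [ x"$SYSTEM_SSL" = x ]
 then
 # default to using cfengine openssl
 SYSTEM_SSL=0
-# We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
-_OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)"
-if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
-then
-SYSTEM_SSL=1
-fi
-if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
-then
-if expr "$_OS_MAJOR_VERSION" ">=" "15"
-then
-SYSTEM_SSL=1
-fi
-fi
 # Detect using system ssl when running a Jenkins job
 if expr x"$label" ":" ".*systemssl" >/dev/null
 then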

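--- a/build-scripts/configure
+++ b/build-scripts/configure
@@ -63,10 +63,22 @@ case "$WITH_SYSTEMD" in
 *) var_append ARGS "--without-systemd-service" ;;
 esac
 
-# RHEL 8 requires an SELinux policy
+# RHEL 8+ requires an SELinux policy and --without-pam to use vendored openssl
 if [ "x$OS" = "xrhel" ] && [ "${VER%\.*}" -gt "7" ]; then
 var_append ARGS "--with-selinux-policy"
 fi
+# rhel >= 7 or opensuse >= 15 need --without-pam in order to use vendored openssl
+if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
+then
+var_append ARGS "--without-pam"
+fi
+if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
+then
+if expr "$_OS_MAJOR_VERSION" ">=" "15"
+then
+var_append ARGS "--without-pam"
+fi
+fi
 
 # Cross-compiling Windows?
 case "$ARCH-${OS_FAMILY}" in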
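Review bot: `_OS_MAJOR_VERSION` is read by both new `--without-pam` tests, but its only visible assignment (`_OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)"`) is deleted from build-scripts/compile-options by this same commit. Unless configure sets it somewhere outside this hunk, `expr "" ">=" "8"` falls back to a string comparison that evaluates false, so `--without-pam` is never appended and the build links libpam alongside the vendored OpenSSL, which is the conflict the commit description says it is avoiding. Assign the variable before the first test, or reuse whatever the SELinux check just above relies on (`${VER%\.*}`), and fail the script when the value is empty rather than silently skipping the flag. The inner SUSE test `if expr "$_OS_MAJOR_VERSION" ">=" "15"` also lacks the `>/dev/null` its RHEL sibling has, and the added comment says `rhel >= 7` while the code tests `>= 8`.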

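--- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
+++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
@@ -19,11 +19,11 @@ mkdir -p %{_builddir}
 %setup -q -n curl-%{curl_version}
 
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-%define ssl_prefix /usr
-%else
+#%if %{?rhel}%{!?rhel:0} > 7
+#%define ssl_prefix /usr
+#%else
 %define ssl_prefix %{prefix}
-%endif
+#%endif
 
 ./configure \
 --with-sysroot=%{prefix} \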
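Review bot: rpm expands macros inside `#` comment lines, so `#%define ssl_prefix /usr` still executes; the result is correct here only because the live `%define ssl_prefix %{prefix}` on the next line overrides it. Delete the four disabled lines rather than commenting them out (or escape them as `#%%define ssl_prefix /usr`), and reword the retained comment `# we don't bundle OpenSSL on RHEL 8 (and newer in the future)`, which now says the opposite of what the section does. cfbuild-openldap.spec keeps the same commented-out conditional and the same stale comment. Since libcurl on RHEL now links the bundled OpenSSL instead of the distribution's, OpenSSL security fixes reach these hosts only through a rebuilt package, so the vendored version needs to be tracked against upstream advisories; it would help to say so in the spec comment.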

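--- a/deps-packaging/openldap/cfbuild-openldap.spec
+++ b/deps-packaging/openldap/cfbuild-openldap.spec
@@ -21,12 +21,12 @@ mkdir -p %{_builddir}
 
 %patch0 -p0
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} > 7
-CPPFLAGS=-I%{buildprefix}/include:/usr/include
-%else
+## we don't bundle OpenSSL on RHEL 8 (and newer in the future)
+#%if %{?rhel}%{!?rhel:0} > 7
+#CPPFLAGS=-I%{buildprefix}/include:/usr/include
+#%else
 CPPFLAGS=-I%{buildprefix}/include
-%endif
+#%endif
 
 #
 # glibc-2.8 errorneously hides peercred(3) under #ifdef __USE_GNU.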

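--- a/deps-packaging/openssl/0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch
+++ b/deps-packaging/openssl/0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch
@@ -25,9 +25,9 @@ index 97454a4b81..299323390c 100644
 @@ -11,7 +11,7 @@
 
 #ifdef OPENSSL_SYS_VMS
-/* So fd_set and friends get properly defined on OpenVMS */
--# define _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
+/* So fd_set and friends get properly defined on OpenVMS */
+-#define _XOPEN_SOURCE_EXTENDED
++#define _XOPEN_SOURCE_EXTENDED 1
 #endif
 
 #include <stdio.h>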

deps-packaging/zlib/AIX_LDSHARED.patch

Lines changed: 0 additions & 21 deletions
This file was deleted.

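--- a/deps-packaging/zlib/cfbuild-zlib.spec
+++ b/deps-packaging/zlib/cfbuild-zlib.spec
@@ -3,7 +3,6 @@ Name: cfbuild-zlib
 Version: %{version}
 Release: 1
 Source0: zlib-1.3.2.tar.gz
-Patch0: AIX_LDSHARED.patch
 License: MIT
 Group: Other
 Url: https://cfengine.com
@@ -17,7 +16,6 @@ AutoReqProv: no
 mkdir -p %{_builddir}
 %setup -q -n zlib-1.3.2
 
-%patch0 -p1
 
 %build
 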
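--- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
+++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -27,21 +27,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 # cfbs/Build requires Python 3.5+ (not available on RHEL 6)
 %if %{?rhel}%{!?rhel:0} == 7
 Requires: python3 >= 3.5
@@ -98,11 +83,6 @@ rm -f %{prefix}/ssl/misc/tsget
 rm -f %{prefix}/ssl/openssl.cnf.dist
 rm -f %{prefix}/ssl/misc/tsget.pl
 
-# Add an openssl symlink if openssl binary doesn't exist
-if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then
-ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl
-fi
-
 # Hub does not need cf-upgrade, it is only present in host packages
 rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade
 
@@ -239,12 +219,10 @@ exit 0
 # Note that prefix/bin/openssl is outside of `if`, since
 # on RHEL8 it's a symlink to a system-wide openssl binary
 %{prefix}/bin/openssl
-%if %{?rhel}%{!?rhel:0} <= 7
 %dir %{prefix}/ssl
 %{prefix}/ssl/openssl.cnf
 %{prefix}/ssl/ct_log_list.cnf
 %{prefix}/ssl/ct_log_list.cnf.dist
-%endif
 
 %prefix/bin/git
 %prefix/bin/gitk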

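--- a/packaging/cfengine-nova/cfengine-nova.spec.in
+++ b/packaging/cfengine-nova/cfengine-nova.spec.in
@@ -23,21 +23,6 @@ Recommends: gzip
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
-# we don't bundle OpenSSL on RHEL 8 (and newer in the future)
-%if %{?rhel}%{!?rhel:0} == 8
-Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
-Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
-%endif
-
-# We build against systems with the latest available dependencies such as OpenSSL.
-# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires.
-# OPENSSL_VERSION is determined in build-scripts/package script.
-# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail.
-%if %{?rhel}%{!?rhel:0} > 8
-Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit)
-%endif
-
 AutoReqProv: no
 
 %if %{?with_debugsym}%{!?with_debugsym:0}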
