
[1/1] openssl: 3.4.2 -> 3.5.2

Message ID c33930b39db477506067200c5c4f19cec0079b95.1758250424.git.liezhi.yang@windriver.com
State New

Commit Message

Robert Yang Sept. 19, 2025, 2:55 a.m. UTC
From: Robert Yang <liezhi.yang@windriver.com>

The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
save the maintenance time in the long run.

* New features:
  - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
  - Support for server side QUIC (RFC 9000)
  - Support for 3rd party QUIC stacks including 0-RTT support
  - Support added for opaque symmetric key objects (EVP_SKEY)
  - A new configuration option no-tls-deprecated-ec to disable support for TLS
    groups deprecated in RFC8422
  - A new configuration option enable-fips-jitter to make the FIPS provider to
    use the JITTER seed source
  - Support for central key generation in CMP
  - Support for multiple TLS keyshares and improved TLS key establishment group
    configurability
  - API support for pipelining in provided cipher algorithms

  - The full list of changes since OpenSSL 3.4:
    https://github.com/openssl/openssl/blob/openssl-3.5/CHANGES.md#openssl-35

* Test info
$ bitbake world core-image-sato core-image-minimal

Works well

$ runqemu tmp/deploy/images/qemux86-64/core-image-sato-qemux86-64.rootfs.qemuboot.conf nographic kvm
$ ptest-runner openssl
All tests successful.
Files=341, Tests=4466, 206 wallclock secs (16.53 usr  1.34 sys + 582.73 cusr 109.85 csys = 710.45 CPU)
Result: PASS
DURATION: 206
END: /usr/lib/openssl/ptest
2025-09-18T10:17
STOP: ptest-runner
TOTAL: 1 FAIL: 0

All tests successful, the similar results to minimal image.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../openssl/{openssl_3.4.2.bb => openssl_3.5.2.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.4.2.bb => openssl_3.5.2.bb} (99%)

Comments

Alexander Kanavin Sept. 19, 2025, 10:21 a.m. UTC | #1
On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org
<liezhi.yang=windriver.com@lists.openembedded.org> wrote:
> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
> save the maintenance time in the long run.

Yes, and it also adds new features, breaking the promise the project
makes to its users.

This update cannot be done without TSC approval. You need to get that first.

Alex
Peter Kjellerstedt Sept. 19, 2025, 2 p.m. UTC | #2
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Alexander Kanavin via lists.openembedded.org
> Sent: den 19 september 2025 12:21
> To: liezhi.yang@windriver.com
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 1/1] openssl: 3.4.2 -> 3.5.2
> 
> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
> > The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
> > save the maintenance time in the long run.
> 
> Yes, and it also add new features, breaking the promise the project
> makes to its users.
> 
> This update cannot be done without TSC approval. You need to get that
> first.
> 
> Alex

Also, this proposal was for Walnascar, which will be EoL after the 
next release (or two). Thus updating OpenSSL to a new minor version 
now makes no sense.

If it had been suggested for Scarthgap and the meta-lts-mixins layer, 
then I would have more understood it.

//Peter
Robert Yang Sept. 21, 2025, 3:15 p.m. UTC | #3
Hi Alex,

On 9/19/25 18:21, Alexander Kanavin wrote:
> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org
> <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
>> save the maintenance time in the long run.
> 
> Yes, and it also add new features, breaking the promise the project
> makes to its users.
> 
> This update cannot be done without TSC approval. You need to get that first.

This has been talked about on TSC, but not approved yet, so I sent the patch out.

// Robert

> 
> Alex
Robert Yang Sept. 21, 2025, 3:19 p.m. UTC | #4
On 9/19/25 22:00, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Alexander Kanavin via lists.openembedded.org
>> Sent: den 19 september 2025 12:21
>> To: liezhi.yang@windriver.com
>> Cc: openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH 1/1] openssl: 3.4.2 -> 3.5.2
>>
>> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
>>> save the maintenance time in the long run.
>>
>> Yes, and it also add new features, breaking the promise the project
>> makes to its users.
>>
>> This update cannot be done without TSC approval. You need to get that
>> first.
>>
>> Alex
> 
> Also, this proposal was for Walnascar, which will be EoL after the
> next release (or two). Thus updating OpenSSL to a new minor version
> now makes no sense.
>
> If it had been suggested for Scarthgap and the meta-lts-mixins layer,
> then I would have more understood it.

I haven't tested it for Scarthgap, I think we need to do it first for Walnascar,
then Scarthgap if it works.

// Robert

> 
> //Peter
>
Steve Sakoman Sept. 22, 2025, 1:57 p.m. UTC | #5
On Sun, Sep 21, 2025 at 8:19 AM Robert Yang via lists.openembedded.org
<liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>
>
>
> On 9/19/25 22:00, Peter Kjellerstedt wrote:
> >> -----Original Message-----
> >> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Alexander Kanavin via lists.openembedded.org
> >> Sent: den 19 september 2025 12:21
> >> To: liezhi.yang@windriver.com
> >> Cc: openembedded-core@lists.openembedded.org
> >> Subject: Re: [OE-core] [PATCH 1/1] openssl: 3.4.2 -> 3.5.2
> >>
> >> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
> >>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
> >>> save the maintenance time in the long run.
> >>
> >> Yes, and it also add new features, breaking the promise the project
> >> makes to its users.
> >>
> >> This update cannot be done without TSC approval. You need to get that
> >> first.
> >>
> >> Alex
> >
> > Also, this proposal was for Walnascar, which will be EoL after the
> > next release (or two). Thus updating OpenSSL to a new minor version
> > now makes no sense.
> >
> > If it had been suggested for Scarthgap and the meta-lts-mixins layer,
> > then I would have more understood it.
>
> I haven't tested it for Scarthgap, I think we need do it firstly for Walnascar,
> then Scarthgap if it works.

I will be building the final walnascar release on Friday.

I don't feel comfortable doing this just prior to EOL with minimal
testing and bake time.

The TSC can of course decide to do it, but I'd push for scheduling at
least one more release afterwards to deal with any breakage.

Steve

>
> // Robert
>
> >
> > //Peter
> >
>
>
>
Robert Yang Sept. 22, 2025, 3:23 p.m. UTC | #6
On 9/22/25 21:57, Steve Sakoman wrote:
> On Sun, Sep 21, 2025 at 8:19 AM Robert Yang via lists.openembedded.org
> <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>>
>>
>>
>> On 9/19/25 22:00, Peter Kjellerstedt wrote:
>>>> -----Original Message-----
>>>> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Alexander Kanavin via lists.openembedded.org
>>>> Sent: den 19 september 2025 12:21
>>>> To: liezhi.yang@windriver.com
>>>> Cc: openembedded-core@lists.openembedded.org
>>>> Subject: Re: [OE-core] [PATCH 1/1] openssl: 3.4.2 -> 3.5.2
>>>>
>>>> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>>>>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
>>>>> save the maintenance time in the long run.
>>>>
>>>> Yes, and it also add new features, breaking the promise the project
>>>> makes to its users.
>>>>
>>>> This update cannot be done without TSC approval. You need to get that
>>>> first.
>>>>
>>>> Alex
>>>
>>> Also, this proposal was for Walnascar, which will be EoL after the
>>> next release (or two). Thus updating OpenSSL to a new minor version
>>> now makes no sense.
>>>
>>> If it had been suggested for Scarthgap and the meta-lts-mixins layer,
>>> then I would have more understood it.
>>
>> I haven't tested it for Scarthgap, I think we need do it firstly for Walnascar,
>> then Scarthgap if it works.
> 
> I will be building the final walnascar release on Friday.
> 
> I don't feel comfortable doing this just prior to EOL with minimal
> testing and bake time.
> 
> The TSC can of course decide to do it, but I'd push for scheduling at
> least one more release afterwards to deal with any breakage.

Yes, delaying it makes sense to me.

// Robert

> 
> Steve
> 
>>
>> // Robert
>>
>>>
>>> //Peter
>>>
>>
>>
>>
Randy MacLeod Sept. 24, 2025, 6:31 p.m. UTC | #7
On 2025-09-21 11:15 a.m., Robert Yang via lists.openembedded.org wrote:
> Hi Alex,
>
> On 9/19/25 18:21, Alexander Kanavin wrote:
>> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org
>> <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, 
>>> which can
>>> save the maintenance time in the long run.
>>
>> Yes, and it also add new features, breaking the promise the project
>> makes to its users.
>>
>> This update cannot be done without TSC approval. You need to get that 
>> first.
>
> This has been talked on TSC, but not approved yet, so I sent the patch 
> out.
>
>
Hi Robert,


Richard was saying that the TSC needs a formal email proposal
with pros, cons and some data about testing in order to discuss this idea.

Can you gather that and send an email to:
tsc@lists.openembedded.org ?
I think that Adrian, who I've CCed, is also interested so maybe he can help
to review the email? Just send a draft here to the list if you like.

../Randy



>
> // Robert
>
>>
>> Alex
>
>
>
Robert Yang Sept. 26, 2025, 6:15 a.m. UTC | #8
On 9/25/25 02:31, Randy MacLeod wrote:
> On 2025-09-21 11:15 a.m., Robert Yang via lists.openembedded.org wrote:
>> Hi Alex,
>>
>> On 9/19/25 18:21, Alexander Kanavin wrote:
>>> On Fri, 19 Sept 2025 at 04:55, Robert Yang via lists.openembedded.org
>>> <liezhi.yang=windriver.com@lists.openembedded.org> wrote:
>>>> The benefit of OpenSSL 3.5 is that it is an LTS supported to 2030, which can
>>>> save the maintenance time in the long run.
>>>
>>> Yes, and it also add new features, breaking the promise the project
>>> makes to its users.
>>>
>>> This update cannot be done without TSC approval. You need to get that first.
>>
>> This has been talked on TSC, but not approved yet, so I sent the patch out.
>>
>>
> Hi Robert,
> 
> 
> Richard was saying that the TSC needs a formal email proposal
> with pros, cons and some data about testing in order to discuss this idea.

Since walnascar will be EOL in about 2 months, I'm leaning towards dropping this patch.

// Robert

> 
> Can you gather that and send an email to:
> tsc@lists.openembedded.org ?
> I think that Adrian, who I've CCed, is also interested so maybe he can help
> to review the email? Just send a draft here to the list if you like.
> 
> ../Randy
> 
> 
> 
>>
>> // Robert
>>
>>>
>>> Alex
>>
>>
>>
> 
> -- 
> # Randy MacLeod
> # Wind River Linux
>

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl_3.4.2.bb b/meta/recipes-connectivity/openssl/openssl_3.5.2.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.4.2.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.2.bb
index 2998e37e758..cd0d22e48ad 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.4.2.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.2.bb
@@ -18,7 +18,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "17b02459fc28be415470cccaae7434f3496cac1306b86b52c83886580e82834c"
+SRC_URI[sha256sum] = "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
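
Review bot: The `+SRC_URI[sha256sum]` line is the only content change in a recipe renamed from 3.4.2 to 3.5.2 (similarity index 99%), so the rest of the recipe is carried across a feature release with no recorded recheck. Please state in the commit message that the new digest was compared with the one upstream publishes for the 3.5.2 tarball rather than taken from a local fetch, and that the local files carried in SRC_URI (for example `file://environment.d-openssl.sh` in the context above) still apply to the 3.5 sources. The commit message lists new configure options (no-tls-deprecated-ec, enable-fips-jitter) and new algorithms, but nothing here says whether the recipe leaves them at upstream defaults; that should be spelled out, since it decides what ends up enabled in images built from a stable branch.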