[0/3] Disable OpenSSL and Python3-cryptography legacy features by default

Message ID 20260211184917.1045939-1-colinmca242@gmail.com

Message

Colin Pinnell McAllister Feb. 11, 2026, 6:49 p.m. UTC
TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and
OpenSSL's legacy module contains deprecated and unmaintained components.
This series disables legacy support by default in both OpenSSL and
python3-cryptography, requiring users to explicitly opt in if needed.

The first two patches add packageconfig options to control legacy TLS
protocol support and the legacy OpenSSL module. The final patch aligns
python3-cryptography with the new OpenSSL defaults.

Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and
"no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1"
options that are disabled by default. While it would be less disruptive to
enable the "no-*" options by default, using affirmative options provides
consistency with the new "legacy" option and is clearer than having
default-enabled "no-*" options.

Testing performed:
* Verified both recipes build successfully with and without the new
  options
* Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1
  disabled
* Ran python3-cryptography ptests with legacy-openssl disabled
* Confirmed ptests correctly skip tests for disabled legacy features

Colin Pinnell McAllister (3):
  openssl: Disable TLS 1.x by default
  openssl: Add legacy packageconfig option
  python3-cryptography: Disable legacy-openssl by default

 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++-----
 .../python/python3-cryptography.bb                 |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)