[v2] python3-cryptography: Add legacy-openssl packageconfig

Message ID	20260207115132.36854-1-colinmca242@gmail.com
State	New
Headers	show Return-Path: <colinmca242@gmail.com> ip: 209.85.160.46, mailfrom: colinmca242@gmail.com) From: Colin Pinnell McAllister <colinmca242@gmail.com> To: openembedded-core@lists.openembedded.org Cc: Colin Pinnell McAllister <colinmca242@gmail.com> Subject: [PATCH v2] python3-cryptography: Add legacy-openssl packageconfig Date: Sat, 7 Feb 2026 05:51:32 -0600 Message-ID: <20260207115132.36854-1-colinmca242@gmail.com> In-Reply-To: <20260122025736.187410-1-colinmca242@gmail.com> References: <20260122025736.187410-1-colinmca242@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[v2] python3-cryptography: Add legacy-openssl packageconfig \| expand [v2] python3-cryptography: Add legacy-openssl packageconfig

Message ID

20260207115132.36854-1-colinmca242@gmail.com

State

New

Headers

From: Colin Pinnell McAllister <colinmca242@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Colin Pinnell McAllister <colinmca242@gmail.com>
Subject: [PATCH v2] python3-cryptography: Add legacy-openssl packageconfig
Date: Sat,  7 Feb 2026 05:51:32 -0600
Message-ID: <20260207115132.36854-1-colinmca242@gmail.com>
In-Reply-To: <20260122025736.187410-1-colinmca242@gmail.com>
References: <20260122025736.187410-1-colinmca242@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[v2] python3-cryptography: Add legacy-openssl packageconfig | expand

Commit Message

Colin Pinnell McAllister Feb. 7, 2026, 11:51 a.m. UTC

Fixes [YOCTO #15416]

The OpenSSL legacy provider supplies algorithms that are either used
infrequently or have been deemed insecure by modern standards. The
Python3 cryptography module can optionally support this provider via the
openssl-ossl-module-legacy package.

Currently, the cryptography module builds with legacy provider support
enabled by default, regardless of whether the legacy modules are
actually included in the system. This patch makes that dependency
explicit by introducing a legacy-openssl packageconfig option that:

* Ensures runtime dependency on openssl-ossl-module-legacy when enabled
* Allows users to disable legacy algorithm support via build configuration
* Aligns python3-cryptography's defaults with OpenSSL's current defaults

The packageconfig option defaults to enabled for consistency with
OpenSSL's current configuration and to avoid breaking existing
deployments. A future security improvement will disable legacy modules
by default in OpenSSL, at which point this packageconfig can also
default to disabled.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
v2 changes:
* Updated commit message to clarify intent and rationale for the change

This patch stands on its own and can be merged without the related
OpenSSL patch. I will work on the OpenSSL patch separately, since
there's some work required to ensure ptests can run without the legacy
provider. Additionally, the libcrypto dependency needs to be
investigated. I do not want this change to be blocked by the OpenSSL
patch, since this is a bugfix that can be merged independently.

 meta/recipes-devtools/python/python3-cryptography.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index b3b45cd172..366fda5e87 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -22,6 +22,11 @@  require ${BPN}-crates.inc
 
 inherit pypi python_maturin cargo-update-recipe-crates pkgconfig
 
+PACKAGECONFIG ??= "legacy-openssl"
+PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy"
+
+export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY = "${@bb.utils.contains('PACKAGECONFIG', 'legacy-openssl', '0', '1', d)}"
+
 DEPENDS += " \
     python3-cffi-native \
     openssl \

[v2] python3-cryptography: Add legacy-openssl packageconfig

Commit Message

Patch