Skip to content

Automatically use system openssl configuration on rpm builds#13625

Closed
adamlazik1 wants to merge 1 commit into
theforeman:rpm/developfrom
adamlazik1:tls
Closed

Automatically use system openssl configuration on rpm builds#13625
adamlazik1 wants to merge 1 commit into
theforeman:rpm/developfrom
adamlazik1:tls

Conversation

@adamlazik1

Copy link
Copy Markdown
Contributor

@evgeni

evgeni commented Jun 18, 2026

Copy link
Copy Markdown
Member

Why are we adding a feature in the main repo, just to patch it in packaging?

@adamlazik1

Copy link
Copy Markdown
Contributor Author

Why are we adding a feature in the main repo, just to patch it in packaging?

To differentiate between deb in rpm builds I believe.

@evgeni

evgeni commented Jun 18, 2026

Copy link
Copy Markdown
Member

Differentiate how?
theforeman/smart-proxy#947 already has code to fall back to non-crypto-policy if the system has no support for that (like Debian)

@adamlazik1

Copy link
Copy Markdown
Contributor Author

I believe that the argument was that an edge case can happen in which in the opensslcnf.config file is missing, but we should assume that crypto-policies are always applied on an rpm system.

@evgeni

evgeni commented Jun 18, 2026

Copy link
Copy Markdown
Member

Then check for the existence of /etc/crypto-policies/ directly?

Patching at the packaging level is automatically buying you future build problems (including Packit problems), which I really would recommend against.

- logger.debug "No crypto-policies detected, using HIGH cipher string as default."
- 'HIGH'
- end
+ 'PROFILE=SYSTEM'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On upstream, this either logs crypto-policies are used, or not.
On Satellite, this deletes any logging - there will be no information about crypto-policies.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On Satellite, this deletes any logging - there will be no information about crypto-policies.

Would it make sense to log something that has no alternatives?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it won't leave the user wondering. It's probably nice to see "yes, if I set crypto policies, they will be taken into account".

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on what @evgeni said in the comments I am reevaluating whether we should have this patch at all. If a RHEL system has crypto-policies enabled but no config file, that's a broken system and probably not something we should deal with. Opinions?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ekohl also said that the patch might not be necessary in here theforeman/smart-proxy#947 (comment)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought the reason for this patch was to avoid autodetection during startup every time. If it isn't a problem (and I don't think it is), I also think this patch doesn't need to exist at all. A system either has crypto-policies or it doesn't, and we don't really care whether it's rpm based or something else based.

If a system is broken in a way that it does have crypto policies and doesn't have the file, it's nice to have this exception caught and communicated somehow, but for this case you don't need to explain things, just say that the file doesn't exist.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants