azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

Introduce openssl-compat packages

Open tobiasb-ms opened this issue 1 month ago • 0 comments

Summary

This change introduces the openssl-compat* set of packages. These are drop-in replacements for openssl* with two key differences:

  1. It is much more similar to Fedora's build of openssl in terms of patches applied.
  2. It ships with the openssl FIPS provider rather than using Microsoft's symcrypt provider.

The overall solution is comprised of three important specs

  1. openssl-compat.spec. This is the main spec file for the openssl-compat packages. It depends on the other specs. This spec is version/release-entangled with openssl itself. All packages have Provides directives so they provide the equivalent openssl package. For example, openssl-compat-libs provides openssl-libs.
  2. openssl-compat-fips-bootstrap.spec. This has the same set of patches and the same configuration as openssl-compat.spec. It produces the FIPS provider (fips.so) and related debug info, which is consumed by openssl-compat. This design allows the version we build/release of fips.so to vary independently of the rest of openssl-compat, so we would only need to get one version certified.
  3. azurelinux-rpm-macros.spec. We added a package azurelinux-openssl-compat-generator that adds the correct Provides directives to the openssl-compat packages post-build. This is necessary to overcome a weakness in our build system that doesn't handle Provides correctly if two packages provide the same thing.

We also have two new marketplace image definitions: marketplace-compat-gen2-fips.json and marketplace-compat-gen2-aarch64-fips.json. These are exactly like the standard FIPS marketplace images except:

  1. They use the core-packages-base-image-compat set of core packages. This provides dnf rather than tdnf and the openssl-compat* packages rather than the openssl* packages.
  2. They add a line to /etc/dnf/dnf.conf that will make dnf ignore the openssl* packages.
Does this affect the toolchain?

NO Note that while openssl is in the toolchain, openssl-compat is not.

Associated issues

ADO: Pending

Test Methodology
  • Built and tested standard marketplace images and the new compat image. Added local repos with the openssl-compat* packages and made sure everything installs correctly.

tobiasb-ms avatar Nov 06 '25 20:11 tobiasb-ms