Do not build OpenSSL ENGINE support on RHEL >= 10

OpenSSL ENGINEs are deprecated upstream, have subtle bugs, and (as all deprecated functionality) are not supposed to be used in FIPS mode. There is now a good alternative in pkcs11-provider, so remove support for ENGINEs from stunnel. Resolves: RHEL-33749 Signed-off-by: Clemens Lang <cllang@redhat.com>
2024-07-01 19:22:09 +02:00 · 2024-07-01 19:22:09 +02:00 · b92f9796ed
commit b92f9796ed
parent d08d7b6f2d
1 changed files with 12 additions and 1 deletions
--- a/stunnel.spec
+++ b/stunnel.spec
@ -7,6 +7,12 @@
 %bcond_without libwrap
 %endif

+%if 0%{?rhel} >= 10
+%bcond_without openssl_engine
+%else
+%bcond_without openssl_engine
+%endif
+
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.72
@ -81,6 +87,11 @@ if pkg-config openssl ; then
 	CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
 	LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
 fi
+
+CPPFLAGS_NO_ENGINE=""
+%if !%{with openssl_engine}
+	CPPFLAGS_NO_ENGINE="-DOPENSSL_NO_ENGINE"
+%endif
 %configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
 %if %{with libwrap}
 --enable-libwrap \
@ -88,7 +99,7 @@ fi
 --disable-libwrap \
 %endif
 	--with-bashcompdir=%{_datadir}/bash-completion/completions \
-	CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+	CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"' $CPPFLAGS_NO_ENGINE"
 make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"

 %install