From b92f9796edc56ae4956e032e2e52b16e7d1d1666 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Mon, 1 Jul 2024 19:22:09 +0200
Subject: [PATCH] Do not build OpenSSL ENGINE support on RHEL >= 10
OpenSSL ENGINEs are deprecated upstream, have subtle bugs, and (as all deprecated functionality) are not supposed to be used in FIPS mode. There is now a good alternative in pkcs11-provider, so remove support for ENGINEs from stunnel.
Resolves: RHEL-33749
Signed-off-by: Clemens Lang
---
 stunnel.spec | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/stunnel.spec b/stunnel.spec
index d2bd38d..fa48029 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -7,6 +7,12 @@
 %bcond_without libwrap
 %endif
+%if 0%{?rhel} >= 10
+%bcond_without openssl_engine
+%else
+%bcond_without openssl_engine
+%endif
+
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.72
@@ -81,6 +87,11 @@ if pkg-config openssl ; then
 CFLAGS="$CFLAGS `pkg-config --cflags openssl`"; LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
 fi
+
+CPPFLAGS_NO_ENGINE=""
+%if !%{with openssl_engine}
+ CPPFLAGS_NO_ENGINE="-DOPENSSL_NO_ENGINE"
+%endif
 %configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
 %if %{with libwrap}
 --enable-libwrap \
@@ -88,7 +99,7 @@ fi
 --disable-libwrap \
 %endif
 --with-bashcompdir=%{_datadir}/bash-completion/completions \
- CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"' $CPPFLAGS_NO_ENGINE"
 make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
 %install
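Review bot: Both branches of the new `%if 0%{?rhel} >= 10` conditional declare `%bcond_without openssl_engine`, so the option defaults to enabled on every target and the commit's stated goal is not reached; the RHEL >= 10 branch should read `%bcond_with openssl_engine`, which makes the option default to off. As written, the `%if !%{with openssl_engine}` guard in the `%build` hunk only fires when a builder passes `--without openssl_engine` by hand, so a default RHEL 10 build never gets `-DOPENSSL_NO_ENGINE` and still carries the deprecated ENGINE code path that the description says is not supposed to be used in FIPS mode. A one-line comment above the conditional, such as `# ENGINE support is off by default on RHEL >= 10; use pkcs11-provider instead`, would make the intended default obvious next to the easily confused `bcond_with`/`bcond_without` names.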