[Buildroot] [PATCH 1/1] package/libopenssl: add option to disable unwanted features

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sat May 9 19:24:16 UTC 2020

Hello Erwan,

On Wed,  6 May 2020 07:59:19 +0200
Erwan GAUTRON <erwan.gautron at bertin.fr> wrote:

> Openssl implements lot of algorithms that are not required in
> some emdedded devices and cyphers known as weak.
> Secure embedded systems shall disable unused algorithms (and weak algo)
> in order to be certified.
> This patch allows to select algorithms and mecanims to disable
> such as md5
> Signed-off-by: Erwan GAUTRON <erwan.gautron at bertin.fr>

Thanks for your patch!

> +	bool "openssl no cipher CHACHA"
> +	help
> +	  Remove CHACHA cipher in libopenssl.

I think it is quite odd to have inverted boolean options, i.e that
disable a feature when the option is enabled. Could we turn them
around, so that they use positive logic ? Of course, that means adding
a "default y" to keep backward compatibility, unless we decide that all
those ciphers are really dangerous (many of them are!) and disable them
by default.

> +	bool "openssl no compression"
> +	help
> +	  Remove compression in libopenssl.
> +
> +	bool "zlib no compression"
> +	help
> +	  Remove zlib in libopenssl.

Do these options allow to drop the zlib dependency of libopenssl ? If
so, we should do this and make the zlib dependency optional.


Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering

More information about the buildroot mailing list