Support for OpenSSL Providers in mender

As part of configuring mender to use hardware-backed keys (Security | Mender documentation), we are looking to use a new OpenSSL engine.

But OpenSSL 1.1.1 has reached End of Life on September 11th and won’t be receiving updates.

As mentioned in the OpenSSL 3.0 migration guide, Engines are no longer supported in OpenSSL 3.0 and have been replaced by OpenSSL providers. (/docs/manmaster/man7/migration_guide.html).

I briefly reviewed the Mender client code and it seems like the client uses OpenSSL engines. Can you please tell me if there are plans to add support for OpenSSL Providers in place of Engines in the near future?

There are plans yes, but it will only be part of the new C++ rewrite. The Golang client is not going to receive any more features apart from bug fixes.


Thanks for the information @kacf
Can you please provide information on the rough timeline by when we could see the OpenSSL providers feature in the new C++ client? We need to make a decision on either writing an OpenSSL engine for now or a provider directly, based on the timeline. :smile:

I can’t provide a hard timeline, but the goal is to try to finalize the project in October, with hopefully a release either in late October or in November.


This info is helpful. Thank you.

Came across this problem as well.

It is November now, what is the status of C++ client release? :slight_smile:

I noticed there is a recipe for it at https://github.com/mendersoftware/meta-mender/blob/feature-c%2B%2B-client/meta-mender-core/recipes-mender/mender-client/mender_3.99.0%2Breally4.0.0-alpha1.bb. Something worth testing?


That one is getting quite old by now, however you can try the latest from the development branch. Obviously this is not streamlined, since we are in the process of preparing for release right now. But here’s what you can try:

  1. Start with the branch from this pull request, since it fixes many issues. I’m working on this as we speak, so I may push more changes there.
  2. Put these lines in local.conf:
    PREFERRED_VERSION_mender = "feature-c++-client-git%"
    PREFERRED_VERSION_mender-flash = "master-git%"
    SRC_URI:pn-mender = "gitsm://github.com/mendersoftware/mender;protocol=https;branch=feature-c++-client"
    SRC_URI:pn-mender-native = "gitsm://github.com/mendersoftware/mender;protocol=https;branch=feature-c++-client"
    
    Actually I’m not sure if the last two lines are needed, but I don’t have time to check it right now.

That will give you the freshest of the fresh, so your mileage may vary. But let me know how it goes!
