From 96548d97cbad4c125cdc07aa21182390513ca2c6 Mon Sep 17 00:00:00 2001
From: Colin Pinnell McAllister
Date: Sat, 7 Feb 2026 05:51:32 -0600
Subject: [PATCH] python3-cryptography: Add legacy-openssl packageconfig

Fixes [YOCTO #15416]

The OpenSSL legacy provider supplies algorithms that are either used
infrequently or have been deemed insecure by modern standards. The
Python3 cryptography module can optionally support this provider via the
openssl-ossl-module-legacy package.

Currently, the cryptography module builds with legacy provider support
enabled by default, regardless of whether the legacy modules are actually
included in the system. This patch makes that dependency explicit by
introducing a legacy-openssl packageconfig option that:

* Ensures runtime dependency on openssl-ossl-module-legacy when enabled
* Allows users to disable legacy algorithm support via build configuration
* Aligns python3-cryptography's defaults with OpenSSL's current defaults

The packageconfig option defaults to enabled for consistency with
OpenSSL's current configuration and to avoid breaking existing
deployments. A future security improvement will disable legacy modules by
default in OpenSSL, at which point this packageconfig can also default to
disabled.

Signed-off-by: Colin Pinnell McAllister
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/recipes-devtools/python/python3-cryptography.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index b3b45cd172..366fda5e87 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -22,6 +22,11 @@ require ${BPN}-crates.inc inherit pypi python_maturin cargo-update-recipe-crates pkgconfig +PACKAGECONFIG ??= "legacy-openssl" +PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy" + +export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY = "${@bb.utils.contains('PACKAGECONFIG', 'legacy-openssl', '0', '1', d)}" + DEPENDS += " \ python3-cffi-native \ openssl \ -- 2.47.3
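Review bot: the added `export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY` line sets the variable in both branches ('0' when legacy-openssl is in PACKAGECONFIG, '1' when it is not), so the enabled case depends on the cryptography build treating the value "0" the same as the variable being unset, and nothing in this hunk shows that. A short comment above the export stating that assumption would let a later reader check it against the upstream build script when the recipe is upgraded. The same goes for `PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy"`: the three empty fields make it easy to miss that the only effect of the flag is a runtime dependency, so a one-line comment saying so, and noting that the `??=` default is the line to change once legacy support is to be off by default, would cover what the commit message explains but the recipe does not.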