From d5501e77208825b6ebffe51e8d680cdd84cfd0ab Mon Sep 17 00:00:00 2001
From: Colin Pinnell McAllister <colinmca242@gmail.com>
Date: Fri, 13 Feb 2026 17:01:28 -0600
Subject: [PATCH] openssl: Disable TLS 1.0/1.1 by default

TLS 1.0 and TLS 1.1 have been deprecated by the IETF since 2021.
Disables support by default in packageconfig, requiring users to
explicitly opt-in for these deprecated protocols.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index c0d02b617b..6b9ccef0b5 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -29,8 +29,8 @@ PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
 
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-PACKAGECONFIG[no-tls1] = "no-tls1"
-PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[tls1] = ",no-tls1"
+PACKAGECONFIG[tls1_1] = ",no-tls1_1"
 PACKAGECONFIG[manpages] = ""
 PACKAGECONFIG[fips] = "enable-fips"
 
-- 
2.47.3