T8508: Add build scripts to build Openssl 3.1.2 #1161

Open
sever-sever wants to merge 1 commit into vyos:current from sever-sever:T8508

Conversation


@sever-sever sever-sever commented Apr 15, 2026

Change summary

Update FIPS-140-3 compatible OpenSSL 3.1.2
The FIPS provider does not get built and installed automatically.
To enable it, you need to configure OpenSSL using the enable-fips option.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

vyos/vyos-1x#5139

How to test / Smoketest result

vyos_bld@882a313f0805:/vyos/work/T8508/vyos-build/scripts/package-build/openssl$ ./build.py
...

vyos_bld@882a313f0805:/vyos/work/T8508/vyos-build/scripts/package-build/openssl$ ls -ls | grep deb
 1520 -rw-r--r--  1 vyos_bld vyos_bld  1554856 Apr 15 13:38 libcrypto3-udeb_3.1.2-1_amd64.udeb
 2008 -rw-r--r--  1 vyos_bld vyos_bld  2054668 Apr 15 13:38 libssl3_3.1.2-1_amd64.deb
 4672 -rw-r--r--  1 vyos_bld vyos_bld  4780432 Apr 15 13:38 libssl3-dbgsym_3.1.2-1_amd64.deb
  220 -rw-r--r--  1 vyos_bld vyos_bld   222144 Apr 15 13:38 libssl3-udeb_3.1.2-1_amd64.udeb
 2408 -rw-r--r--  1 vyos_bld vyos_bld  2465500 Apr 15 13:38 libssl-dev_3.1.2-1_amd64.deb
 2316 -rw-r--r--  1 vyos_bld vyos_bld  2367856 Apr 15 13:38 libssl-doc_3.1.2-1_all.deb
 1392 -rw-r--r--  1 vyos_bld vyos_bld  1424152 Apr 15 13:38 openssl_3.1.2-1_amd64.deb
  676 -rw-r--r--  1 vyos_bld vyos_bld   690912 Apr 15 13:38 openssl-dbgsym_3.1.2-1_amd64.deb
15700 -rw-r--r--  1 vyos_bld vyos_bld 16073703 Apr 15 13:30 openssl_debian_openssl-3.1.2-1.tar.gz
vyos_bld@882a313f0805:/vyos/work/T8508/vyos-build/scripts/package-build/openssl$ 

Check modules

vyos@r14:~$ ls /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so
/usr/lib/x86_64-linux-gnu/ossl-modules/fips.so
vyos@r14:~$ 

Install FIPS:

vyos@r14:~$ sudo openssl fipsinstall \
>   -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so \
>   -out /usr/lib/ssl/fipsmodule.cnf
HMAC : (KAT_Integrity) : Pass
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RNG : (Continuous_RNG_Test) : Pass
RSA : (KAT_Signature) : Pass
ECDSA : (KAT_Signature) : Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
	name:     	OpenSSL FIPS Provider
	version:  	3.1.2
	build:    	3.1.2
INSTALL PASSED
vyos@r14:~$ 

Additional configs and checks:

vyos@r14:~$ sudo sed -i 's|^# \[default_sect\]|[default_sect]\nactivate = 1|' /etc/ssl/openssl.cnf
vyos@r14:~$ grep -n "default_sect" /etc/ssl/openssl.cnf
58:default = default_sect
71:[default_sect]
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active
vyos@r14:~$ 

Build an image ISO:

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_pki.py
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 15.559s

OK
vyos@r14:~$ 
vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_system_login.py
test_add_linux_system_user (__main__.TestSystemLogin.test_add_linux_system_user) ... ok
test_delete_current_user (__main__.TestSystemLogin.test_delete_current_user) ... ok
test_pam_nologin (__main__.TestSystemLogin.test_pam_nologin) ... 
Broadcast message from root@debian on pts/1 (Wed 2026-04-15 14:30:01 UTC):

The system will reboot at Wed 2026-04-15 14:34:01 UTC!

                                                                               
Broadcast message from root@r14 (somewhere) (Wed Apr 15 14:30:01 2026):        
                                                                               
System reboot is scheduled 4
                                                                               
                                                                               
Broadcast message from root@r14 (somewhere) (Wed Apr 15 14:30:01 2026):        
                                                                               
System reboot is scheduled 4
                                                                               
                                                                               
Broadcast message from root@r14 (somewhere) (Wed Apr 15 14:30:02 2026):        
                                                                               
Scheduled reboot has been cancelled 2026-04-15 14:30:02
                                                                               
                                                                               
Broadcast message from root@r14 (somewhere) (Wed Apr 15 14:30:02 2026):        
                                                                               
Scheduled reboot has been cancelled 2026-04-15 14:30:02
                                                                               
ok
test_radius_kernel_features (__main__.TestSystemLogin.test_radius_kernel_features) ... ok
test_system_login_max_login_session (__main__.TestSystemLogin.test_system_login_max_login_session) ... ok
test_system_login_otp (__main__.TestSystemLogin.test_system_login_otp) ... ok
test_system_login_radius_ipv4 (__main__.TestSystemLogin.test_system_login_radius_ipv4) ... ok
test_system_login_radius_ipv6 (__main__.TestSystemLogin.test_system_login_radius_ipv6) ... ok
test_system_login_tacacs (__main__.TestSystemLogin.test_system_login_tacacs) ... ok
test_system_login_user (__main__.TestSystemLogin.test_system_login_user) ... ok
test_system_login_weak_password_warning (__main__.TestSystemLogin.test_system_login_weak_password_warning) ... ok
test_system_user_ssh_key (__main__.TestSystemLogin.test_system_user_ssh_key) ... ok

----------------------------------------------------------------------
Ran 12 tests in 73.406s

OK
vyos@r14:~$ 

vyos@r14:~$ show version all | match openssl
ii  openssl                          3.1.2-1                                  amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  openssl-dbgsym                   3.1.2-1                                  amd64        debug symbols for openssl
ii  python3-openssl                  23.0.0-1                                 all          Python 3 wrapper around the OpenSSL library
ii  rsyslog-openssl                  8.2302.0-1+deb12u1                       amd64        TLS protocol support for rsyslog (OpenSSL)
vyos@r14:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
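An added offline check, not part of this PR or of the vyos-build scripts: it parses the `openssl list -providers` listing and the `[default_sect]` block shown in the test session above, so a post-install script can confirm the FIPS provider is really active rather than just present on disk. Function names, the sample listings and the `check_live` wrapper are assumptions made for this example.

```shell
# Return 0 if the provider listing read from stdin (format of
# "openssl list -providers" as shown in the PR) has a "fips" entry
# whose status line reads "active"; return 1 otherwise.
fips_provider_active() {
    awk '
        /^  [a-z]/     { cur = $1 }        # two-space indent: provider name
        /^    status:/ { if (cur == "fips" && $2 == "active") found = 1 }
        END            { exit found ? 0 : 1 }
    '
}

# Return 0 if the openssl.cnf given as $1 has an uncommented
# [default_sect] section containing "activate = 1" (what the sed
# one-liner above produces); return 1 otherwise.
default_sect_activated() {
    awk '
        /^\[default_sect\]/ { insect = 1; next }
        /^\[/               { insect = 0 }
        insect && /^activate[ \t]*=[ \t]*1/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Live check on the router (hypothetical wrapper): listing must show fips
# active, the config must activate default_sect, and the installed
# fipsmodule.cnf must still verify against the module's integrity HMAC.
check_live() {
    openssl list -providers | fips_provider_active &&
    default_sect_activated /etc/ssl/openssl.cnf &&
    openssl fipsinstall -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so \
        -in /usr/lib/ssl/fipsmodule.cnf -verify
}

# Constructed sample listings (shape copied from the PR output) for offline use.
SAMPLE_ACTIVE='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active'

SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.2
    status: active'
```

`check_live` is the only part that needs a FIPS-enabled OpenSSL; the two parsers run anywhere, so they can be exercised in CI against captured output.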


github-actions Bot commented Apr 15, 2026

👍
No issues in PR Title / Commit Title

@github-actions github-actions Bot added the current VyOS rolling release label Apr 15, 2026
Update FIPS-140-3 compatible OpenSSL 3.1.2
The FIPS provider does not get built and installed automatically.
To enable it, you need to configure OpenSSL using the enable-fips option.

@alexandr-san4ez alexandr-san4ez left a comment


I tested the new build and everything works as expected:

vyos@vyos1:~$ sudo openssl fipsinstall -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so -out /usr/lib/ssl/fipsmodule.cnf
HMAC : (KAT_Integrity) : Pass
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RNG : (Continuous_RNG_Test) : Pass
RSA : (KAT_Signature) : Pass
ECDSA : (KAT_Signature) : Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
        name:           OpenSSL FIPS Provider
        version:        3.1.2
        build:          3.1.2
INSTALL PASSED
