vyos · sever-sever · Apr 15, 2026
diff --git a/.github/workflows/trigger_rebuild_packages.yml b/.github/workflows/trigger_rebuild_packages.yml
@@ -68,6 +68,8 @@ jobs:
               - 'scripts/package-build/netfilter/**'
             node_exporter:
               - 'scripts/package-build/node_exporter/**'
+            openssl:
+              - 'scripts/package-build/openssl/**'
             openvpn-otp:
               - 'scripts/package-build/openvpn-otp/**'
             owamp:
@@ -207,6 +209,10 @@ jobs:
             trigger_build "node_exporter"
           fi
 
+          if [ "${{ steps.changes.outputs.openssl }}" == "true" ]; then
+            trigger_build "openssl"
+          fi
+
           if [ "${{ steps.changes.outputs.openvpn-otp }}" == "true" ]; then
             trigger_build "openvpn-otp"
           fi

diff --git a/scripts/package-build/openssl/.gitignore b/scripts/package-build/openssl/.gitignore
@@ -0,0 +1 @@
+/openssl/
diff --git a/scripts/package-build/openssl/build.py b/scripts/package-build/openssl/build.py
@@ -0,0 +1 @@
+../build.py
diff --git a/scripts/package-build/openssl/package.toml b/scripts/package-build/openssl/package.toml
@@ -0,0 +1,4 @@
+[[packages]]
+name = "openssl"
+commit_id = "debian/openssl-3.1.2-1"  # 3.1.2 FIPS 140-3 validated
+scm_url = "https://salsa.debian.org/debian/openssl.git"
diff --git a/scripts/package-build/openssl/patches/openssl/0001-Enable-FIPS-module.patch b/scripts/package-build/openssl/patches/openssl/0001-Enable-FIPS-module.patch
@@ -0,0 +1,47 @@
+From 1df9a2271c543d1de87dc23bf8ec8da88ded87a3 Mon Sep 17 00:00:00 2001
+From: Viacheslav Hletenko <v.gletenko@vyos.io>
+Date: Fri, 17 Apr 2026 11:00:50 +0000
+Subject: [PATCH] Enable FIPS module
+
+---
+ debian/openssl.install | 1 +
+ debian/rules           | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/debian/openssl.install b/debian/openssl.install
+index 1f270a762a..44444be066 100644
+--- a/debian/openssl.install
++++ b/debian/openssl.install
+@@ -5,6 +5,7 @@ usr/lib/ssl/certs
+ usr/lib/ssl/private
+ usr/lib/ssl/misc/*
+ usr/lib/ssl/openssl.cnf
++usr/lib/ssl/fipsmodule.cnf
+ usr/share/man/man1/*
+ usr/share/man/man5/*
+ usr/share/man/man7/*
+diff --git a/debian/rules b/debian/rules
+index 9078f4f0d7..89bc434adf 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -29,7 +29,7 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ 	MAKEFLAGS += -j$(NUMJOBS)
+ endif
+
+-CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand
++CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-fips
+ #OPT_alpha = ev4 ev5
+ ARCHOPTS  = OPT_$(DEB_HOST_ARCH)
+ OPTS      = $($(ARCHOPTS))
+@@ -112,6 +112,8 @@ override_dh_auto_install-indep:
+
+ override_dh_auto_install-arch:
+ 	$(MAKE) -C build_shared install DESTDIR=`pwd`/debian/tmp
++	# Install FIPS module
++	$(MAKE) -C build_shared install_fips DESTDIR=`pwd`/debian/tmp
+ 	# pic static libraries, nobody should need them
+ 	cp -pf build_static/libcrypto.a debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.a
+ 	cp -pf build_static/libssl.a debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.a
+-- 
+2.39.5
+