manylinux: remove bundled OpenSSL to fix FIPS selftest failure

molhamfetnah · molhamfetnah · commit 896ba1766cbe · 2026-05-09T20:55:03.000+03:00
Removes vendored OpenSSL 1.1.1w from manylinux build and relies on system OpenSSL instead. FFmpeg is still built with OpenSSL support via system pkg-config paths. Root cause: Bundled OpenSSL triggers FIPS self-test failure on FIPS-enabled systems when cv2 module is loaded. Fixes: #1191
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @skvark @alalek
diff --git a/docker/manylinux2014/Dockerfile_x86_64 b/docker/manylinux2014/Dockerfile_x86_64
@@ -9,7 +9,6 @@ ARG FREETYPE_VERSION=2.14.1
 ARG LIBPNG_VERSION=1.6.53
 ARG VPX_VERSION=v1.15.2
 ARG NASM_VERSION=2.15.04
-ARG OPENSSL_VERSION=1_1_1w
 ARG QT_VERSION=5.15.18
 ARG YASM_VERSION=1.3.0
 ARG AOM_VERSION=v3.13.1
@@ -60,18 +59,7 @@ RUN curl -O -L https://download.qt.io/archive/qt/5.15/${QT_VERSION}/single/qt-ev
 ENV QTDIR /opt/Qt${QT_VERSION}
 ENV PATH "$QTDIR/bin:$PATH"
 
-RUN mkdir ~/openssl_sources && \
-    cd ~/openssl_sources && \
-    curl -O -L https://github.com/openssl/openssl/archive/OpenSSL_${OPENSSL_VERSION}.tar.gz && \
-    tar -xf OpenSSL_${OPENSSL_VERSION}.tar.gz && \
-    cd openssl-OpenSSL_${OPENSSL_VERSION} && \
-    ./config --prefix="/ffmpeg_build" --openssldir="/ffmpeg_build" no-pinshared shared zlib && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    # skip installing documentation
-    make install_sw && \
-    cd .. && \
-    rm -rf ~/openssl_build ~/openssl_sources
-
+# nasm
 RUN mkdir ~/nasm_sources && \
     cd ~/nasm_sources && \
     curl -O -L http://www.nasm.us/pub/nasm/releasebuilds/${NASM_VERSION}/nasm-${NASM_VERSION}.tar.gz && \
@@ -82,6 +70,7 @@ RUN mkdir ~/nasm_sources && \
     cd .. && \
     rm -rf ~/nasm_sources
 
+# yasm
 RUN mkdir ~/yasm_sources && \
     cd ~/yasm_sources && \
     curl -O -L http://www.tortall.net/projects/yasm/releases/yasm-${YASM_VERSION}.tar.gz && \
@@ -121,13 +110,23 @@ RUN mkdir ~/avif_sources && \
     make install && \
     cd / && rm -rf ~/avif_sources
 
+# FFmpeg (uses system OpenSSL via pkg-config for FIPS compatibility)
 RUN mkdir ~/ffmpeg_sources && \
     cd ~/ffmpeg_sources && \
     curl -O -L https://ffmpeg.org/releases/ffmpeg-${FFMPEG_VERSION}.tar.gz && \
     tar -xf ffmpeg-${FFMPEG_VERSION}.tar.gz && \
     cd ffmpeg-${FFMPEG_VERSION} && \
     PATH=~/bin:$PATH && \
-    PKG_CONFIG_PATH="/ffmpeg_build/lib/pkgconfig" ./configure --prefix="/ffmpeg_build" --extra-cflags="-I/ffmpeg_build/include" --extra-ldflags="-L/ffmpeg_build/lib" --enable-openssl --enable-libvpx --enable-shared --enable-pic --bindir="$HOME/bin" && \
+    PKG_CONFIG_PATH="/usr/lib64/pkgconfig:/usr/lib/pkgconfig:/ffmpeg_build/lib/pkgconfig" \
+    ./configure \
+        --prefix="/ffmpeg_build" \
+        --extra-cflags="-I/ffmpeg_build/include" \
+        --extra-ldflags="-L/ffmpeg_build/lib" \
+        --enable-openssl \
+        --enable-libvpx \
+        --enable-shared \
+        --enable-pic \
+        --bindir="$HOME/bin" && \
     make -j$(getconf _NPROCESSORS_ONLN) && \
     make install && \
     echo "/ffmpeg_build/lib/" >> /etc/ld.so.conf && \
@@ -157,6 +156,6 @@ USER ci
 # Git security vulnerability: https://github.blog/2022-04-12-git-security-vulnerability-announced
 RUN git config --global --add safe.directory /io
 
-ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig:/ffmpeg_build/lib/pkgconfig
+ENV PKG_CONFIG_PATH /usr/lib64/pkgconfig:/usr/lib/pkgconfig:/usr/local/lib/pkgconfig:/ffmpeg_build/lib/pkgconfig
 ENV LDFLAGS -L/ffmpeg_build/lib
 ENV PATH "$HOME/bin:$PATH"
