From a34eff06296a4808ba299ab2affc2c7ab063c915 Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Tue, 2 Sep 2025 11:11:35 -0500
Subject: [PATCH 1/2] Changed suse-15 to use system openssl as redhats do

This is due to dependency trouble with libpam and libcrypto when cf-agent tries to run chpasswd for example. In that case pam-unix.so wont load.

Ticket: ENT-12528
Changelog: title
---
 ci/cfengine-build-host-setup.cf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
index 35a2195c6..5d18dd2b9 100644
--- a/ci/cfengine-build-host-setup.cf
+++ b/ci/cfengine-build-host-setup.cf
@@ -129,6 +129,10 @@ bundle agent cfengine_build_host_setup
       "platform-python-devel" -> { "cfbs shebang", "ENT-11338" }
         comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package";
 
+    suse_15::
+        "openssl-devel" -> { "ENT-12528" }
+          comment => "like redhat, suse 15+ needs to build with system openssl.";
+
     (redhat_8|centos_8|redhat_9).(yum_dnf_conf_ok)::
       "java-1.8.0-openjdk-headless" package_policy => "delete",
         comment => "Installing Development Tools includes this jdk1.8 which we do not want.";

From d0acb71f617fd6ba3206dc725efc5bcda01e78d2 Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Thu, 28 Aug 2025 14:38:43 -0500
Subject: [PATCH 2/2] Adjusted compile-options to not bundle OpenSSL on newer
 SuSE systems due to libpam/openssl incompatability

Ticket: ENT-12528
Changelog: title
(cherry picked from commit ae019a5c283cbcb4f73aef02ad6793de67ad28d1)
---
 build-scripts/compile-options   | 12 ++++++++++--
 ci/cfengine-build-host-setup.cf |  4 ++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/build-scripts/compile-options b/build-scripts/compile-options
index 7fba52be5..a22225324 100644
--- a/build-scripts/compile-options
+++ b/build-scripts/compile-options
@@ -36,11 +36,19 @@ export PROJECT
 # Otherwise, we build it.
 if [ x"$SYSTEM_SSL" = x ]
 then
-    # We don't bundle OpenSSL on RHEL 8 (and newer in the future)
-    if [ "$OS" = "rhel" ] && expr "$OS_VERSION" ">=" "8" >/dev/null
+    # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
+    _OS_MAJOR_VERSION="$(echo "$OS_VERSION" | cut -d. -f1)"
+    if [ "$OS" = "rhel" ] && expr "$_OS_MAJOR_VERSION" ">=" "8" >/dev/null
     then
         SYSTEM_SSL=1
     fi
+    if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]
+    then
+        if expr "$_OS_MAJOR_VERSION" ">=" "15"
+        then
+            SYSTEM_SSL=1
+        fi
+    fi
     # Detect using system ssl when running a Jenkins job
     if expr x"$label" ":" ".*systemssl" >/dev/null
     then
diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
index 5d18dd2b9..7cac09e72 100644
--- a/ci/cfengine-build-host-setup.cf
+++ b/ci/cfengine-build-host-setup.cf
@@ -130,8 +130,8 @@ bundle agent cfengine_build_host_setup
         comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package";
 
     suse_15::
-        "openssl-devel" -> { "ENT-12528" }
-          comment => "like redhat, suse 15+ needs to build with system openssl.";
+      "libopenssl-devel" -> { "ENT-12528" }
+        comment => "like redhat, suse 15+ needs to build with system openssl.";
 
     (redhat_8|centos_8|redhat_9).(yum_dnf_conf_ok)::
       "java-1.8.0-openjdk-headless" package_policy => "delete",