cfengine · github-actions · Apr 13, 2026 · Apr 20, 2026 · Apr 16, 2026 · Apr 20, 2026
diff --git a/README.md b/README.md
@@ -139,7 +139,7 @@ File `install-dependencies` and the relevant subdirectories in `deps-packaging`
 | [libyaml](https://pyyaml.org/wiki/LibYAML)                                        | 0.2.5  | 0.2.5  | 0.2.5  |                          |
 | [LMDB](https://github.com/LMDB/lmdb/)                                             | 0.9.35 | 0.9.35 | 0.9.35 |                          |
 | [OpenLDAP](https://www.openldap.org/software/download/OpenLDAP/openldap-release/) | 2.6.13 | 2.6.13 | 2.6.13 | Enterprise agent only    |
-| [OpenSSL](https://openssl.org/)                                                   | 3.6.2  | 3.6.2  | 3.6.1  | See **note** below       |
+| [OpenSSL](https://openssl.org/)                                                   | 3.6.2  | 3.6.2  | 3.6.1  |                          |
 | [PCRE](https://www.pcre.org/)                                                     | -      | -      | -      |                          |
 | [PCRE2](https://github.com/PCRE2Project/pcre2/releases/)                          | 10.47  | 10.47  | 10.47  |                          |
 | [pthreads-w32](https://sourceware.org/pub/pthreads-win32/)                        | 2-9-1  | 2-9-1  | 2-9-1  | Windows Enterprise agent |
@@ -148,8 +148,6 @@ File `install-dependencies` and the relevant subdirectories in `deps-packaging`
 | [librsync](https://github.com/librsync/librsync/releases)                         | -      | 2.3.4  | 2.3.4  |                          |
 | [leech](https://github.com/larsewi/leech/releases)                                | -      | 0.2.0  | 0.2.0  |                          |
 
-**Note:** We don't package OpenSSL for RHEL >= 8 and SuSE >= 15.
-We use the systems bundled SSL for these platforms.
 
 ### Enterprise Hub dependencies
 

diff --git a/build-scripts/compile-options b/build-scripts/compile-options
@@ -32,10 +32,6 @@ export PROJECT
 # It's a flag: if it's set to 1 - then we use system OpenSSL.
 # Otherwise, we build it.
 if [ -z "$SYSTEM_SSL" ]; then
-    # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
-    if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then
-        SYSTEM_SSL=1
-    fi
     if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then
         if [ "$OS_VERSION_MAJOR" -ge "15" ]; then
             SYSTEM_SSL=1
@@ -126,7 +122,6 @@ solaris | aix)
     ;;
 esac
 
-# We use system bundled SSL on RHEL >= 8
 if [ "$SYSTEM_SSL" != 1 ]; then
     # zlib is a compression library which is a dependency of OpenSSL.
     # TODO: can we remove zlib dependency? (CFE-4013)

diff --git a/build-scripts/configure b/build-scripts/configure
@@ -89,6 +89,11 @@ yes)
     ;;
 esac
 
+# RHEL 8 using vendored openssl can't use libpam since the distribution libpam is linked with openssl 1.x
+if [ "$OS" = "rhel" ] && [ "$_OS_VERSION_MAJOR" -eq "8" ]; then
+  var_append ARGS "--without-pam"
+fi
+
 # RHEL 8 requires an SELinux policy
 if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then
     var_append ARGS "--with-selinux-policy"

diff --git a/build-scripts/install-dependencies b/build-scripts/install-dependencies
@@ -146,7 +146,7 @@ for dep in $DEPS; do
         optimize=yes
         debugsym=no
         versuffix=+untested
-        tests=no
+        tests=yes
         ;;
     RELEASE)
         optimize=yes

diff --git a/build-scripts/package b/build-scripts/package
@@ -195,13 +195,6 @@ rpm | lpp)
             exit 1
         fi
         log_debug "SELinux policy version: $SELINUX_POLICY_VERSION"
-        # Get OpenSSL version to ensure compatibility
-        OPENSSL_VERSION=$(rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort -n | tail -1)
-        if [ -z "$OPENSSL_VERSION" ]; then
-            log_error "Unable to determine OpenSSL package version"
-            exit 1
-        fi
-        log_debug "OpenSSL version: $OPENSSL_VERSION"
     fi
 
     # Generate RPM spec file from template, substituting version info and scripts
@@ -210,7 +203,6 @@ rpm | lpp)
         -e "s/@@VERSION@@/$RPM_VERSION/g" \
         -e "s/@@RELEASE@@/$safe_prefix$RPM_RELEASE/g" \
         -e "s/@@SELINUX_POLICY_VERSION@@/$SELINUX_POLICY_VERSION/g" \
-        -e "s/@@OPENSSL_VERSION@@/$OPENSSL_VERSION/g" \
         -e "/^%pre\$/r $PREINSTALL" \
         -e "/^%post\$/r $POSTINSTALL" \
         -e "/^%preun\$/r $PREREMOVE" \

diff --git a/ci/centos-7-setup-devtoolset-11.sh b/ci/centos-7-setup-devtoolset-11.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -ex
+sudo yum install -y centos-release-scl
+sudo rm -f /etc/yum.repos.d/CentOS-SCLo-scl.repo
+sudo sed -i 's,^#baseurl.*$,baseurl=https://vault.centos.org/7.9.2009/sclo/x86_64/rh/,' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo sed -i '/mirrorlist/d' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo yum update -y
+sudo yum install -y devtoolset-11
+if ! grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh; then
+  sudo sed -i '1a\source /opt/rh/devtoolset-11/enable' /usr/lib/rpm/find-debuginfo.sh
+fi
+source /opt/rh/devtoolset-11/enable
diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
@@ -162,16 +162,12 @@ bundle agent cfengine_build_host_setup
       "platform-python-devel" -> { "cfbs shebang", "ENT-11338" }
         comment => "py3_shebang_fix macro needs /usr/bin/pathfix.py from platform-python-devel package";
 
-    suse_15::
-      "libopenssl-devel" -> { "ENT-12528" }
-        comment => "like redhat, suse 15+ needs to build with system openssl.";
 
     (redhat_8|centos_8|redhat_9|redhat_10).(yum_dnf_conf_ok)::
       "java-1.8.0-openjdk-headless" package_policy => "delete",
         comment => "Installing Development Tools includes this jdk1.8 which we do not want.";
       "pkgconf" comment => "pkgconfig renamed to pkgconf in rhel8";
       "selinux-policy-devel" comment => "maybe add to _7 and _6?";
-      "openssl-devel";
 
     (redhat_9|redhat_10).(yum_dnf_conf_ok)::
       "perl-Sys-Hostname" comment => "Needed by __04_examples_outputs_check_outputs_cf";
@@ -345,6 +341,7 @@ findtime = 600",
         comment => "Comment out insecure SSH auth directives in sshd_config and drop-ins";
       "/etc/ssh/sshd_config"
         edit_line => prepend_if_no_line("$(sshd_hardening_directives) no"),
+        if => fileexists("/etc/ssh/sshd_config"),
         classes => if_repaired("sshd_hardened"),
         comment => "Ensure SSH hardening directives are at the top of sshd_config, before any Include";
 

diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh
@@ -1,3 +1,16 @@
+#!/usr/bin/env bash
+# it is expected that this file is sourced, not executed directly
+set -ex
+my_path="$(realpath "${BASH_SOURCE[0]}")"
+my_dir="$(dirname "$my_path")"
+
+if [ -f /etc/os-release ]; then
+  source /etc/os-release
+  if [ "$ID" = "centos" ] && [ "$VERSION_ID" = "7" ]; then
+    source "$my_dir"/centos-7-setup-devtoolset-11.sh
+  fi
+fi
+
 if [ "$(uname)" = "HP-UX" ]; then
   # /etc/profile contains tty code that won't work well when sourced and this VUE env var guards against running those bits
   # https://ftp.mirrorservice.org/sites/www.bitsavers.org/pdf/hp/9000_hpux/9.x/B1171-90044_HP_Visual_User_Environment_System_Administration_Manual_Nov91.pdf
@@ -10,3 +23,23 @@ if [ -f /etc/profile ]; then
   # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH
   . /etc/profile
 fi
+
+mkdir -p ~/.ssh
+echo "build-artifacts-cache.cloud.cfengine.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGahpsY8Phk2+isBmuJQjjQVlh6BNL/Qetc14g26gowV" >> ~/.ssh/known_hosts
+
+# /etc/profile can contain tricky things, on suse for example it includes a call to tty which will fail in CI
+# so only source /etc/profile where we absolutely need it.
+if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then
+  if [ -f /etc/profile ]; then
+    # running on the proxied host or not we want to make sure local customizations are taken
+    # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH
+    . /etc/profile
+  fi
+fi
+# ENT-13750 we return to vendored openssl on rpm platforms so remove possibly installed development packages
+if command -v zypper >/dev/null 2>/dev/null; then
+  sudo zypper remove -y libopenssl-devel || true
+fi
+if command -v yum >/dev/null 2>/dev/null; then
+  sudo yum erase -y openssl-devel || true
+fi
diff --git a/ci/linux-install-jdk21.sh b/ci/linux-install-jdk21.sh
@@ -9,15 +9,15 @@ install_jdk() {
   baseurl=https://download.oracle.com/java/21/archive/
   major_version=21
   baseurl="https://download.oracle.com/java/${major_version}/archive/"
-  version=21.0.10
+  version=21.0.11
   if uname -m | grep aarch64; then
     tarball=jdk-${version}_linux-aarch64_bin.tar.gz
     # checksum from https://download.oracle.com/java/${major_version}/archive/jdk-${version}_linux-aarch64_bin.tar.gz.sha256
-    sha=edaf800c6deb1e7daeb448ef9c6a047551fd681942cb9e37e2729ae1a3918d1d
+    sha=2ebe89cad767abba83fb0b8cedd2d2d9bcbf947315fde78f7263a57a24f43b96
   else
     tarball=jdk-${version}_linux-x64_bin.tar.gz
     # checksum from https://download.oracle.com/java/${major_version}/latest/jdk-${version}_linux-x64_bin.tar.gz.sha256
-    sha=773eff7191d996d3b6ce3a99c21ce69cf2d836fd07277106313732a098d4309a
+    sha=e1c25a83f9e2e374c93e0c29cc3d98a947621ae0fefa4a8d932951eb160c47c3
   fi
   wget --quiet "$baseurl$tarball"
   echo "$sha  $tarball" | sha256sum --check -