Please publish the openssl-static artifact to maven #890

Closed
jsolomon8080 opened this issue Oct 24, 2024 · 1 comment

jsolomon8080 commented Oct 24, 2024

We consume this project and ship it to customers who run it on a large variety of Linux distros: RHEL 8/9, Ubuntu 20.04/22.04 etc.

We also want to make a FIPS compliant version of our product which means configuring all the code to run in a FIPS compliant way. Asking this project to worry about FIPS compliance seems out of scope or you would have closed #799.

However, that's not necessary. If we could consume the openssl-static version of this project, then we can include our own fips.so module, our own openssl.cnf file and appropriate environment variables to configure the static openssl library you have linked against to run in a fips enforcing mode. We want openssl to be statically linked because we cannot rely on nor easily configure the dynamic linking openssl version (we are loath to set LD_LIBRARY_PATH). And as long as this project statically links a recent version of APR (I currently see 1.7.5) and openssl (I currently see 3.1.6), we can rely on it.

I think this suggestion is more actionable than #799 because we are not asking you to do anything but publish an artifact that is already configured. Users are then free to enable or not enable FIPS compliance using well understood methods that are independent of your build of openssl. The benefits of a static build are large which presumably is why you provide pom.xml files for both boringssl-static and openssl-static.

@normanmaurer
Member

We are not feeling comfortable with releasing an openssl-static version due to the security implications. For BoringSSL we have a better handle.
