Our hardware is based on the imx6ulevk reference board and we use imx-4.1.15-1.0.0_ga as our reference yocto package. And in that package it uses openssl 1.0.2d which has a lot of CVE vulnerabilities. However, if I try to upgrade to later versions (ideally 1.0.2n) I get a lot of compiler errors.
NOTE: When I upgrade openssl I use one of our layers (not poky/meta/recipes-connectivity/openssl) and then define the preferred version in our layer/conf/layer.conf file. However, when I do that i get multiple python errors, rpm errors, linux-libc-header errors etc. Which leads me to believe there are a lot of openssl dependencies in the openembedded layer. However, I was able to upgrade expat, curl, rpcbind, and python this way.