Bug 271656 - [exp-run] with OpenSSL 3.0 in the base system
Summary: [exp-run] with OpenSSL 3.0 in the base system
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Port Management Team
Depends on: 271868 271961 272190 272220 272240
Blocks: 14.0r
Reported: 2023-05-26 13:28 UTC by Ed Maste
Modified: 2023-09-26 14:32 UTC

Attachments
megacmd.patch (1.08 KB, patch)
2023-06-13 07:50 UTC, kikadf
dns/powerdns: fix build with OpenSSL 3.0 as base (1.75 KB, patch)
2023-06-23 14:22 UTC, Ralf van der Enden
tremere: maintainer-approval+
dns/powerdns-recursor: fix build with OpenSSL 3.0 as base (1.18 KB, patch)
2023-06-23 14:23 UTC, Ralf van der Enden
tremere: maintainer-approval+

Description Ed Maste freebsd_committer freebsd_triage 2023-05-26 13:28:59 UTC
Pierre Pronchery is iterating on updating base system OpenSSL to 3.0.
Comment 1 Ed Maste freebsd_committer freebsd_triage 2023-05-26 13:31:12 UTC
Diff with snapshot of Pierre's work is at https://people.freebsd.org/~emaste/bugs/PR271656/openssl-3-base-system.diff

(diff is too large to attach to bugzilla)
Comment 2 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-05-26 13:32:27 UTC
Is there a merged and buildable branch available anywhere in the wild which I can try?
Comment 3 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-05-26 13:34:27 UTC
(In reply to Ed Maste from comment #1)
I can rerun an exp-run with the patchset but if there is no new OSVERSION defined I cannot do too much from my side. There are around 60 ports which failed to build with OpenSSL 30 ports.
Comment 4 Ed Maste freebsd_committer freebsd_triage 2023-05-26 13:46:53 UTC
(In reply to Muhammad Moinur Rahman from comment #2)
You should be able to grab it from https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0
(although it will get force-pushed from time to time)

> if there is no new OSVERSION defined

Bumping __FreeBSD_version is definitely called for when the update goes in, but is it also needed for the exp-run to be useful?

> There are around 60 ports which failed to build with OpenSSL 30 ports.

Thanks - what I'm hoping to find here is whether there are other unintended consequences of the base system update.
Comment 6 Ed Maste freebsd_committer freebsd_triage 2023-05-26 16:08:10 UTC
For php I'd say this is an issue to be fixed in the port:

/wrkdirs/usr/ports/lang/php80/work/php-8.0.28/ext/openssl/openssl.c:3804:18: warning: 'RSA_new' is deprecated [-Wdeprecated-declarations]
                                                rsaparam = RSA_new();
                                                           ^
/usr/include/openssl/rsa.h:201:1: note: 'RSA_new' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 RSA *RSA_new(void);
^
/usr/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/usr/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^

compiling ossl.c
In file included from ossl.c:10:
In file included from ./ossl.h:31:
/usr/include/openssl/ts.h:32:11: fatal error: 'openssl/ess.h' file not found
# include <openssl/ess.h>
          ^~~~~~~~~~~~~~~
1 error generated.



For ruby31 we seem to have a missing header:

compiling ossl.c
In file included from ossl.c:10:
In file included from ./ossl.h:31:
/usr/include/openssl/ts.h:32:11: fatal error: 'openssl/ess.h' file not found
# include <openssl/ess.h>
          ^~~~~~~~~~~~~~~
1 error generated.



python2.7 looks like it's either incompatible or fails to detect OpenSSL correctly:

1 warning generated.
warning: openssl 0x00000000 is too old for _hashlib
building dbm using ndbm
Comment 7 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-05-26 21:39:44 UTC
(In reply to Ed Maste from comment #6)
As we have to do extended usage of php (in my workplace) we have already tested to build and run php80 with some hacks which did not yield any optimistic results for us as there were some runtime failures. And as it's marked to be removed by the end of this year, I am not too much inclined to fix or invest time to fix it.

And I am too big of a noob to even portray any feedback for python or ruby.
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2023-05-28 19:04:46 UTC
www/node18 fails to build (56 ports skipped) :

https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-05-26_13h59m21s/logs/errors/node18-18.16.0.log
Comment 9 Pierre Pronchery 2023-06-02 22:32:19 UTC
(In reply to Muhammad Moinur Rahman from comment #2)
Hi Muhammad, I have updated my branch on GitHub, merging OpenSSL 3.0.9 in base:
https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0.9

A corresponding pull-up request is ready here:
https://github.com/freebsd/freebsd-src/pull/760

Let me know if you need any additional information to help with the operation.
Thank you!
Comment 10 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-02 22:34:25 UTC
(In reply to Pierre Pronchery from comment #9)
Thanks. I am already building my jail with that branch.

I think I can hack python27 to build. But I still need to check ruby31. :)
Comment 11 Pierre Pronchery 2023-06-02 22:36:15 UTC
(In reply to Ed Maste from comment #6)
The missing <openssl/ess.h> header was my mistake, I have fixed it since.
Comment 12 Antoine Brodin freebsd_committer freebsd_triage 2023-06-03 08:31:19 UTC
I restarted the exp-run at https://pkg-status.freebsd.org/gohan05/build.html?mastername=mainamd64openssl3-default&build=2023-06-03_08h18m08s and https://pkg-status.freebsd.org/gohan04/build.html?mastername=maini386openssl3-default&build=2023-06-03_08h13m56s

You can sort the failures by number of skipped ports. On i386 it seems that "openssl x509" has a runtime issue.
Comment 13 commit-hook freebsd_committer freebsd_triage 2023-06-03 14:09:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a5b3714057750ecbb8db8912edf5c481ff46ef2b

commit a5b3714057750ecbb8db8912edf5c481ff46ef2b
Author:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
AuthorDate: 2023-06-03 14:05:49 +0000
Commit:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-03 14:08:49 +0000

    lang/python27: Fix build with OpenSSL 3 and later

    PR:             271656
    Reported by:    exp-run
    Approved by:    portmgr (blanket)

 lang/python27/Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)
Comment 14 commit-hook freebsd_committer freebsd_triage 2023-06-03 20:00:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4fec4429208ad765eeb85fdab532a4b0be7b5fb4

commit 4fec4429208ad765eeb85fdab532a4b0be7b5fb4
Author:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
AuthorDate: 2023-06-03 18:36:36 +0000
Commit:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-03 19:59:23 +0000

    lang/php80: Mark IGNORE_SSL for base

    Considering that OpenSSL 3.0.9 will be merged at OSVERSION 1400089 mark
    IGNORE_SSL for base ssl version. In case this happens later we will fix
    the OSVERSION.

    PR:             271656
    Sponsored by:   Bounce Experts

 lang/php80/Makefile | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
Comment 15 Ed Maste freebsd_committer freebsd_triage 2023-06-05 17:34:53 UTC
(In reply to Antoine Brodin from comment #12)
Thanks Antoine. With bofh@'s fixes/workarounds applied to python27 and php80 the main issues are now node18 and node16 (it appears ldc breakage is something else).

For i386 ca_root_nss:

===>  Building for ca_root_nss-3.89.1
##  Untrusted certificates omitted from this bundle: 23
openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 84.
*** Error code 255
Comment 16 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-05 18:07:04 UTC
(In reply to Ed Maste from comment #15)
From what I can see, node16 decided to shorten their EOL to match the date of OpenSSL 1.1.X. Although we are not sure what we are going to do in the ports tree (remove openssl ports or not), as this requires a discussion which I plan to do in our upcoming meeting. Removing node16 will also break another gazillion ports, especially electrons and atoms.
Comment 17 Antoine Brodin freebsd_committer freebsd_triage 2023-06-06 07:06:32 UTC
The most problematic ports are:

www/node18 : 233 skipped
www/node16 : 15 skipped

New failure logs:

https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mumble-1.3.3_10.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/murmur-1.3.3_6.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/spotify-tui-0.25.0_18.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/umurmur-0.2.17_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/pcb-rnd-3.0.6.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mariadb104-client-10.4.29.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mongodb40-tools-4.0.28_12.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/movine-0.11.0_4.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mysql56-client-5.6.51.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mysql57-client-5.7.41.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/xrootd-4.10.0_3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/gbump-1.0.1_32.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/godot2-2.1.6_5.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/godot2-tools-2.1.6_5.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/golangci-lint-1.53.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/hs-threadscope-0.2.14.1_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/kiwix-lib-9.4.1_8.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/kore-4.1.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mongo-c-driver-1.23.2_3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/poco-1.10.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/py27-subversion-lts-1.10.8.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/py39-subversion-1.14.2_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/sccache-0.2.15_22,1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/thrift-c_glib-0.16.0,1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/ucommon-7.0.0_6.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/dog-0.1.0_24.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/powerdns-4.7.4_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/powerdns-recursor-4.8.4_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/apache-openoffice-4.1.14_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/vsftpd-ssl-3.0.5_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/tippecanoe-2.26.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/erlang-runtime22-22.3.4.26_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/erlang-runtime23-23.3.4.18_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/ruby30-3.0.6_1,1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/tauthon-2.8.3_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/archiveopteryx-3.2.0_9.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/datovka-4.22.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rspamd-3.5_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rspamd-devel-3.4.a1.20221001_3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/oscam-1.20.20210729.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/ringrtc-2.27.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/telegram-desktop-qt6-4.8.1_4.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/telegram-desktop-4.8.1_4.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/hs-cardano-node-8.0.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/asterisk16-16.30.0_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/asterisk18-18.18.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/easysoap-0.8.0_7.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/lavinmq-1.0.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/megacmd-1.6.3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/mpd5-5.9_16.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/nuster-5.0.4.21.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rpki-client-8.2_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/sl2tps-0.4.2_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/x11vnc-0.9.16_3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/nzbget-21.1_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/git-crypt-0.7.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/gost-engine-g20220520.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/krb5-119-1.19.4.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/libpki-0.9.2_3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/opensc-0.23.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/openssl_tpm_engine-0.5.0_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-Filter-Crypto-2.09.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/pam_ocra-1.5.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/pam_p11-0.3.1_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rubygem-openssl2-2.2.3.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/sequoia-0.19.0_26.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/softether-4.41.9787.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/sslsplit-0.5.5_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/xca-2.4.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/barrier-2.4.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/cfengine318-3.18.2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/flowgger-0.2.10_25.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/fusefs-s3fs-1.91.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/istatserver-3.02_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/pftop-0.8_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rsfetch-2.0.0_32.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/vector-0.10.0_24.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/apt-cacher-ng-3.2_2.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/bozohttpd-20210227.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/castor-0.8.16_25.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/dot-http-0.2.0_4.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/h2o-2.2.6_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/h2o-devel-2.3.0.d.20230427.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/kristall-g2021.11.20.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/lagrange-1.15.9.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/lychee-0.7.1_16.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/node16-16.20.0_1.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/node18-18.16.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/node19-19.9.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/node20-20.2.0.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/rearx-0.1.4_21.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/squid-devel-5.0.6.log
https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/wcmcommander-0.20.0_11.log
Comment 18 Antoine Brodin freebsd_committer freebsd_triage 2023-06-06 13:29:10 UTC
On the builder with the i386 jails, there are several:

pid 17746 (openssl), jid 660, uid 0: exited on signal 11 (core dumped)
pid 1976 (openssl), jid 700, uid 0: exited on signal 11 (core dumped)
pid 96509 (openssl), jid 661, uid 0: exited on signal 11 (core dumped)
pid 31520 (openssl), jid 639, uid 0: exited on signal 11 (core dumped)
pid 95317 (openssl), jid 674, uid 0: exited on signal 11 (core dumped)
Comment 19 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-06 20:57:40 UTC
Hi Pierre,

I believe your commit to support RFC3779 broke the build. :'(
Comment 20 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-07 13:58:36 UTC
(In reply to Antoine Brodin from comment #18)
Hi Antoine. Can you update the ports tree and rerun the bulk build? No need for the entire tree, just the updates, so that we can see if the consumers of node18/node20 build fine.
Comment 21 Pierre Pronchery 2023-06-07 18:37:10 UTC
(In reply to Muhammad Moinur Rahman from comment #19)
Hi Muhammad, do you mean the build of FreeBSD base, or of ports?
I just completed a build of FreeBSD base without trouble (with CCACHE). I am now trying again without CCACHE, and it looks good so far.
Comment 22 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-08 17:03:27 UTC
(In reply to Pierre Pronchery from comment #21)
Hi Pierre, I meant the base. I do not use CCACHE at all, but when I try to build the tip (openssl-3.0.9) it fails, although if I check out the previous commit it builds fine. :'(
Comment 23 Antoine Brodin freebsd_committer freebsd_triage 2023-06-08 18:19:30 UTC
Did someone have a look at the openssl(1) segmentation faults on i386 (and probably other 32-bit archs)?
Comment 24 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-08 18:56:28 UTC
(In reply to Antoine Brodin from comment #23)
Unfortunately the i386 arch does not build on my builder box. However I tried to look at the error for ca_root_nss and it looks like there are some malformed certificates which are not processed properly.
Comment 25 Dimitry Andric freebsd_committer freebsd_triage 2023-06-09 10:50:22 UTC
(In reply to Antoine Brodin from comment #23)
The problem is that BN_ULONG is sometimes defined incorrectly on i386; depending on how the openssl config headers are included, it is sometimes "unsigned long", and sometimes "unsigned long long". For some files it is the former, and then the bignum logic tries to shift right with 32 bits, which is undefined behavior.

In particular, the part here: https://github.com/khorben/freebsd-src/blob/khorben/openssl-3.0.9/crypto/openssl/include/openssl/configuration.h#L125 :

# if !defined(OPENSSL_SYS_UEFI)
#  undef BN_LLONG
/* Only one for the following should be defined */
#  define SIXTY_FOUR_BIT_LONG
#  undef SIXTY_FOUR_BIT
#  undef THIRTY_TWO_BIT
# endif

SIXTY_FOUR_BIT_LONG should not be defined on i386; it is normally defined in crypto/bn_conf.h, and I have no idea why openssl tries to define it superfluously in configuration.h.

In bn_conf.h, the definition is guarded with __LP64__:

#ifdef __LP64__
#define SIXTY_FOUR_BIT_LONG
#undef SIXTY_FOUR_BIT
#undef THIRTY_TWO_BIT
#else
#undef SIXTY_FOUR_BIT_LONG
#undef SIXTY_FOUR_BIT
#define THIRTY_TWO_BIT
#endif

In both files there is some comment about "UEFI builds" so I assume this is our own customization, and this is not upstream in OpenSSL?
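
The mismatch described in comment 25, as an added example that is not part of the thread and is not OpenSSL or FreeBSD code: a limb type whose declared size is selected by the __LP64__ guard, a compile-time check that the declared size equals the real width of the type, and a half-limb multiply of the kind that shifts by half the declared width. The names ex_limb_t, EX_* and the functions are hypothetical, and the mapping from the page's macros to a C type is an assumption modelled on the comment.

```c
#include <limits.h>
#include <stdio.h>

/* Word-size selection guarded by __LP64__, as in the bn_conf.h excerpt
 * quoted in comment 25. */
#ifdef __LP64__
# define SIXTY_FOUR_BIT_LONG
# undef THIRTY_TWO_BIT
#else
# undef SIXTY_FOUR_BIT_LONG
# define THIRTY_TWO_BIT
#endif

/* Hypothetical limb type for this example. Which C type and byte count each
 * macro selects is an assumption, not copied from any header. */
#ifdef SIXTY_FOUR_BIT_LONG
typedef unsigned long ex_limb_t;
# define EX_LIMB_BYTES 8
#else
typedef unsigned int ex_limb_t;
# define EX_LIMB_BYTES 4
#endif
#define EX_LIMB_BITS (EX_LIMB_BYTES * 8)
#define EX_HALF_BITS (EX_LIMB_BITS / 2)

/* Compile-time guard: if a header forces the 64-bit selection on a target
 * where the type is only 32 bits wide, the array size becomes -1 and the
 * build stops here instead of producing a binary that crashes at run time. */
typedef char ex_limb_width_matches[
    (sizeof(ex_limb_t) * CHAR_BIT == EX_LIMB_BITS) ? 1 : -1];

/* A shift is only defined in C when the count is strictly less than the
 * width of the (promoted) operand. Returns 1 if shifting a type of
 * type_bits by half of declared_bits is defined, 0 if it is not. */
int half_shift_is_defined(unsigned declared_bits, unsigned type_bits)
{
    return declared_bits / 2 < type_bits;
}

ex_limb_t ex_high_half(ex_limb_t w)
{
    return w >> EX_HALF_BITS;
}

ex_limb_t ex_low_half(ex_limb_t w)
{
    return w & (((ex_limb_t)1 << EX_HALF_BITS) - 1);
}

/* Schoolbook multiply of two limbs into a double-width result (hi:lo),
 * built from half-limb products. Every shift uses EX_HALF_BITS, so the
 * result is only meaningful when the width guard above holds. */
void ex_mul_limb(ex_limb_t a, ex_limb_t b, ex_limb_t *hi, ex_limb_t *lo)
{
    ex_limb_t al = ex_low_half(a), ah = ex_high_half(a);
    ex_limb_t bl = ex_low_half(b), bh = ex_high_half(b);
    ex_limb_t ll = al * bl;
    ex_limb_t lh = al * bh;
    ex_limb_t hl = ah * bl;
    ex_limb_t hh = ah * bh;
    /* Sum of the three half-width terms that land in the middle; its high
     * half is the carry into the upper limb. */
    ex_limb_t mid = ex_high_half(ll) + ex_low_half(lh) + ex_low_half(hl);

    *lo = (mid << EX_HALF_BITS) | ex_low_half(ll);
    *hi = hh + ex_high_half(lh) + ex_high_half(hl) + ex_high_half(mid);
}

int main(void)
{
    ex_limb_t hi, lo;

    ex_mul_limb((ex_limb_t)-1, (ex_limb_t)-1, &hi, &lo);
    printf("limb bits: %d, max*max = hi %llx lo %llx\n", EX_LIMB_BITS,
           (unsigned long long)hi, (unsigned long long)lo);
    /* The misconfiguration from the comment: 64 bits declared for a type
     * that is 32 bits wide. */
    printf("declared 64 on a 32-bit type, shift defined: %d\n",
           half_shift_is_defined(64, 32));
    return 0;
}
```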
Comment 26 Dimitry Andric freebsd_committer freebsd_triage 2023-06-09 11:22:26 UTC
https://github.com/khorben/freebsd-src/pull/1 should solve the i386 segfaults (those would have happened on other 32 bit platforms too, most likely)
Comment 27 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-10 15:37:59 UTC
From the last exp-run there are 193 failures which I believe is a good number for us. I have also fixed a number of ports after that so it should reduce the number a bit more. For now I think my work is mostly done. Once this is merged into base and we have an OSVERSION to work with I can fix some more with DEPRECATED warnings or older API Compatibility.

https://pkg-status.freebsd.org/gohan05/build.html?mastername=mainamd64openssl3-default&build=2023-06-08_17h26m08s
Comment 28 Bernard Spil freebsd_committer freebsd_triage 2023-06-11 11:31:04 UTC
(In reply to Muhammad Moinur Rahman from comment #22)

Got a request to enable RFC3379 option for the ports. Is there currently an issue with that? Or has it been fixed?

Thanks, Bernard.
Comment 29 Juraj Lutter freebsd_committer freebsd_triage 2023-06-11 12:41:01 UTC
RFC3779 is (and has been) enabled in OpenSSL in base.
Comment 30 commit-hook freebsd_committer freebsd_triage 2023-06-13 05:16:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f89fd0980a5cbcc54597578015f660643cdccf0f

commit f89fd0980a5cbcc54597578015f660643cdccf0f
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-13 05:12:49 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-13 05:12:49 +0000

    databases/mysql57-client: be ready for OpenSSL 3.0 in base

    Fix build by merging another change in ssl.cmake from MySQL 8.0
    PORTREVISION not bumped intentionally.

    PR:             271656

 .../mysql57-client/files/patch-cmake_ssl.cmake     | 40 ++++++++++++++++++----
 1 file changed, 34 insertions(+), 6 deletions(-)
Comment 31 commit-hook freebsd_committer freebsd_triage 2023-06-13 06:33:02 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f8301140055f9b0fac6e3c23458e48c7cff2ef05

commit f8301140055f9b0fac6e3c23458e48c7cff2ef05
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-13 06:26:00 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-13 06:26:00 +0000

    databases/mysql56-client: be ready for OpenSSL 3.0 in base

    Use same approach as in f89fd0980a5cbcc54597578015f660643cdccf0f
    for mysql57-client. PORTREVISION not bumped intentionally.

    PR:             271656

 .../mysql56-client/files/patch-cmake_ssl.cmake     | 34 ++++++++++++++++++++--
 1 file changed, 31 insertions(+), 3 deletions(-)
Comment 32 commit-hook freebsd_committer freebsd_triage 2023-06-13 06:39:05 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c2664553adba708d98bffc275a651955d73edf1c

commit c2664553adba708d98bffc275a651955d73edf1c
Author:     Juraj Lutter <otis@FreeBSD.org>
AuthorDate: 2023-06-12 06:54:34 +0000
Commit:     Juraj Lutter <otis@FreeBSD.org>
CommitDate: 2023-06-13 06:38:20 +0000

    www/node16: Fix build with OpenSSL 3

    - This was tested only with OpenSSL 3 from base but not with openssl30
      or openssl31 ports.
    - Regen patches

    PR:     271656

 ...eps_openssl_config_archs_linux-elf_no-asm_openssl.gypi |  4 ++--
 .../files/patch-deps_openssl_openssl-cl__no__asm.gypi     |  6 +++---
 www/node16/files/patch-deps_openssl_openssl__no__asm.gypi |  6 +++---
 www/node16/files/patch-node.gypi                          |  4 ++--
 www/node16/files/patch-src_crypto_crypto__util.cc (new)   | 15 +++++++++++++++
 5 files changed, 25 insertions(+), 10 deletions(-)
Comment 33 kikadf 2023-06-13 07:50:06 UTC
Created attachment 242755 [details]
megacmd.patch

I can't reproduce the megacmd build error with the ports version of openssl30, so I can't test the fix. Can you test the attached patch, does it resolve the build failure?

The fix is based on https://www.openssl.org/docs/manmaster/man7/migration_guide.html:

ERR_load_*(), ERR_func_error_string(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_get_state()

OpenSSL now loads error strings automatically so these functions are not needed.
Comment 34 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2023-06-13 08:23:42 UTC
(In reply to kikadf from comment #33)
Testing.
Comment 35 commit-hook freebsd_committer freebsd_triage 2023-06-13 10:06:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5d7e275412166f6448cbe6b0390653471dfb9b3d

commit 5d7e275412166f6448cbe6b0390653471dfb9b3d
Author:     kikadf <kikadf.01@gmail.com>
AuthorDate: 2023-06-13 08:22:54 +0000
Commit:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-13 10:06:13 +0000

    net/megacmd: Fix build with openssl-3.x

    PR:             271656

 net/megacmd/files/patch-sdk_src_mega__evt__tls.cpp (new) | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
Comment 36 Dani I. 2023-06-14 11:24:11 UTC
Hey guys, may I ask, what's going to happen to OpenSSL in the base for FreeBSD 12.4 and 13.2? Both of these are supported for longer than OpenSSL 1.1.1 is supported and I guess FreeBSD won't backport OpenSSL 3.0.0 to these RELENG-Releases? What are the plans about compatibility and mostly security?
Comment 37 Pierre Pronchery 2023-06-14 11:40:32 UTC
(In reply to Dani I. from comment #36)
> Hey guys, may I ask, what's going to happen to OpenSSL in the base for FreeBSD 12.4
> and 13.2? Both of these are supported for longer than OpenSSL 1.1.1 is supported
> and I guess FreeBSD won't backport OpenSSL 3.0.0 to these RELENG-Releases? What
> are the plans about compatibility and mostly security?

I am not making any plans (nor responsible for it), but my understanding of the current situation is that:

* No backport has been organised for FreeBSD 12.4 nor 13.2 so far;
* The broader Open Source community will be facing the same problem and will collectively have to offer support and patches for OpenSSL 1.x beyond its planned EOL, which may well then also land into FreeBSD 12.4 and 13.2;
* The outcome of the current migration will help us determine if a backport would effectively be a better option, such a decision will depend on binary & source compatibility, and on performance at the very least.

HTH!
Comment 38 Ralf van der Enden 2023-06-17 23:13:43 UTC
Hi. I've been trying to get base to build with the openssl patch from PR#770 (freebsd-src). But it keeps failing on missing .h files.

Can anyone point me in the right direction for getting a working 14-CURRENT base + openssl 3.0 ?

Thanks in advance.
Comment 39 Eugene Grosbein freebsd_committer freebsd_triage 2023-06-18 02:44:34 UTC
(In reply to Ralf van der Enden from comment #38)

git clone -b khorben/openssl-3.0.9 https://github.com/khorben/freebsd-src.git src-ossl30

SRCCONF=/dev/null
SRC_ENV_CONF=/dev/null
__MAKE_CONF=/dev/null
MAKEOBJDIRPREFIX=/usr/obj-ossl30
export SRCCONF SRC_ENV_CONF __MAKE_CONF MAKEOBJDIRPREFIX

mkdir $MAKEOBJDIRPREFIX
cd src-ossl30
make buildworld buildkernel
Comment 40 Ralf van der Enden 2023-06-23 14:22:47 UTC
Created attachment 242954 [details]
dns/powerdns: fix build with OpenSSL 3.0 as base
Comment 41 Ralf van der Enden 2023-06-23 14:23:39 UTC
Created attachment 242955 [details]
dns/powerdns-recursor: fix build with OpenSSL 3.0 as base
Comment 42 Michael Osipov 2023-06-23 21:08:47 UTC
What about the numerous performance issues reported against 3.0+?
Comment 43 Ed Maste freebsd_committer freebsd_triage 2023-06-23 21:16:01 UTC
(In reply to Michael Osipov from comment #42)
> What about the numerous performance issues reported against 3.0+?

Performance issues where they exist in certain 3rd party software will have to be investigated and addressed after OpenSSL 3 lands.
Comment 44 Ed Maste freebsd_committer freebsd_triage 2023-06-24 00:40:45 UTC
commit b077aed33b7b6aefca7b17ddb250cf521f938613
Merge: b08ee10c0646 b84c4564effd
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
Date:   Fri Jun 23 18:53:35 2023 -0400

    Merge OpenSSL 3.0.9

https://cgit.freebsd.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
Comment 45 Dimitry Andric freebsd_committer freebsd_triage 2023-06-26 09:57:35 UTC
* bug 272190 for security/pkcs11-helper (also clang16 related)
Comment 46 Guido Falsi freebsd_committer freebsd_triage 2023-06-26 10:24:43 UTC
Added bug #272220 about a runtime issue happening in security/pam_ssh_agent_auth when compiled on head with OpenSSL v3.
Comment 47 Bruno Damour 2023-06-29 09:55:51 UTC
Added bug #272280 with a minimal fix
Comment 48 commit-hook freebsd_committer freebsd_triage 2023-07-01 21:00:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5de9420ad540b5a13c8d397b19f0d12f54fb5dfc

commit 5de9420ad540b5a13c8d397b19f0d12f54fb5dfc
Author:     Dimitry Andric <dim@FreeBSD.org>
AuthorDate: 2023-07-01 20:59:23 +0000
Commit:     Dimitry Andric <dim@FreeBSD.org>
CommitDate: 2023-07-01 20:59:23 +0000

    Create correct engines debug directory after OpenSSL 3.0.9 merge

    PR:             271656
    Fixes:          b077aed33b7b ("Merge OpenSSL 3.0.9")

 etc/mtree/BSD.debug.dist | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 49 Mike Cui 2023-07-05 17:45:10 UTC
FreeRadius builds but fails at launch time with error:
"Failed loading legacy provider"

Seems like the call to OSSL_PROVIDER_load(NULL, "legacy") failed here:
https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_3/src/main/tls.c#L3689
Comment 50 Mike Cui 2023-07-05 18:46:45 UTC
(In reply to Mike Cui from comment #49)
Looks like dlopen("/usr/lib/ossl-modules/legacy.so") failed with: Undefined symbol "ossl_md4_functions"
Comment 51 Guido Falsi freebsd_committer freebsd_triage 2023-07-06 06:59:29 UTC
(In reply to Mike Cui from comment #50)

This should be fixed by commit 87e08018b175e564b6a19ee41bc65af66f55e078 and following related ones. [1]



[1] https://cgit.freebsd.org/src/commit/?id=87e08018b175e564b6a19ee41bc65af66f55e078
Comment 52 Gert Doering 2023-07-08 08:44:46 UTC
I can confirm that loading the legacy provider works again for OpenVPN (and also for openssl CLI, "openssl list -provider legacy -cipher-algorithms").

Loading the FIPS provider still fails - not sure if this is known/intentional?

$ openssl list -provider fips -cipher-algorithms
list: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020A189C32C0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/usr/src/crypto/openssl/providers/fips/self_test.c:290:
0020A189C32C0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:/usr/src/crypto/openssl/providers/fips/self_test.c:388:
0020A189C32C0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:/usr/src/crypto/openssl/providers/fips/fipsprov.c:707:
0020A189C32C0000:error:078C0105:common libcrypto routines:provider_init:init fail:/usr/src/crypto/openssl/crypto/provider_core.c:932:name=fips

(this is with src at commit c81495a621c4)
Comment 53 Guido Falsi freebsd_committer freebsd_triage 2023-07-08 09:56:11 UTC
(In reply to Gert Doering from comment #52)

I don't have a reference to give, but I have seen discussion stating that the issue with the FIPS provider is known and being worked on. There have also been issues with ARM architectures, but it looks like those have been solved.
Comment 54 Pierre Pronchery 2023-07-08 20:54:10 UTC
(In reply to Guido Falsi from comment #53)
I have managed to track down the issue, and make the FIPS provider work on FreeBSD.
Here is a copy of my comment on GitHub's #787 PR to this effect: (https://github.com/freebsd/freebsd-src/pull/787)

> I just confirmed that the FIPS module can be configured to load correctly, with this pull-up request applied, on my local amd64 machine:
> 
> * Enabling the FIPS provider in `openssl.cnf` disables the default module, so make sure it has `activate = 1` in its section.
> * The default module is required for `openssl fipsinstall`, otherwise no HMAC provider is available to generate the corresponding configuration file. (Defaults to `fips.cnf`)
> * The output of `openssl fipsinstall` (the configuration file) needs to be installed in e.g., `/etc/ssl/fipsmodule.cnf` and included by `openssl.cnf` in order for the FIPS provider to work. (Check the provider's section name to be correct and matching that of `fipsmodule.cnf`, e.g., `fips_sect`)
> * The configuration file depends on the binary code of the `fips.so` provider module, therefore in order for FreeBSD to ship a working FIPS provider by default, `openssl fipsinstall` (or an equivalent) has to be executed to generate it once all of OpenSSL is done building.
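
The conditions listed in comment 54, written as a configuration check. This is an added example, not part of the bug thread or of FreeBSD's tooling. The function names, the section names `provider_sect` and `default_sect`, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# conf_get FILE KEY [SECTION]: first value of KEY, limited to SECTION if given.
conf_get() {
    awk -v key="$2" -v want="$3" '
        { sub(/[ \t]*#.*/, "") }                    # drop comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); sect = substr($0, 2, length($0) - 2); next }
        want != "" && sect != want { next }
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { print v; exit } }
    ' "$1"
}

# check_fips_conf OPENSSL_CNF FIPSMODULE_CNF: print unmet conditions, 0 if none.
check_fips_conf() {
    cnf=$1 mod=$2 rc=0
    awk -v p="$mod" '$1 == ".include" && $NF == p { f = 1 } END { exit !f }' "$cnf" ||
        { echo "FAIL: $cnf does not .include $mod"; rc=1; }
    fsect=$(conf_get "$cnf" fips)
    if [ -z "$fsect" ]; then
        echo "FAIL: no 'fips = <section>' provider entry"; rc=1
    elif ! grep -qxF "[$fsect]" "$mod"; then
        echo "FAIL: section [$fsect] missing from $mod"; rc=1
    fi
    dsect=$(conf_get "$cnf" default)
    if [ -z "$dsect" ] || [ "$(conf_get "$cnf" activate "$dsect")" != 1 ]; then
        echo "FAIL: default provider is not activated"; rc=1
    fi
    return $rc
}

# write_sample DIR: constructed files; the first stands in for fipsinstall output.
write_sample() {
    printf '[fips_sect]\nactivate = 1\n' > "$1/fipsmodule.cnf"
    cat > "$1/openssl.cnf" <<EOF
openssl_conf = openssl_init
.include $1/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
EOF
}
```

On a real system the check would be called as `check_fips_conf /etc/ssl/openssl.cnf /etc/ssl/fipsmodule.cnf`, after `openssl fipsinstall` has produced the second file.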
Comment 55 Ed Maste freebsd_committer freebsd_triage 2023-09-26 14:32:08 UTC
OpenSSL 3 is now in main and stable/14.