Pierre Pronchery is iterating on updating base system OpenSSL to 3.0.
Diff with snapshot of Pierre's work is at https://people.freebsd.org/~emaste/bugs/PR271656/openssl-3-base-system.diff (diff is too large to attach to bugzilla)
Is there a merged and buildable branch available anywhere in the wild which I can try?
(In reply to Ed Maste from comment #1) I can rerun an exp-run with the patchset but if there is no new OSVERSION defined I cannot do too much from my side. There are around 60 ports which failed to build with OpenSSL 30 ports.
(In reply to Muhammad Moinur Rahman from comment #2)
You should be able to grab it from https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0 (although it will get force-pushed from time to time)

> if there is no new OSVERSION defined

Bumping __FreeBSD_version is definitely called for when the update goes in, but is it also needed for the exp-run to be useful?

> There are around 60 ports which failed to build with OpenSSL 30 ports.

Thanks - what I'm hoping to find here is whether there are other unintended consequences of the base system update.
I started a build at https://pkg-status.freebsd.org/gohan05/build.html?mastername=mainamd64openssl3-default&build=2023-05-26_13h59m21s , so far we have:

lang/ruby31 fails to build (4109 ports skipped) : https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-05-26_13h59m21s/logs/errors/ruby-3.1.4_1,1.log
lang/php80 fails to build (715 ports skipped) : https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-05-26_13h59m21s/logs/errors/php80-8.0.28_1.log
lang/python27 fails to package (131 ports skipped) : https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-05-26_13h59m21s/logs/errors/python27-2.7.18_2.log
For php I'd say this is an issue to be fixed in the port:

    /wrkdirs/usr/ports/lang/php80/work/php-8.0.28/ext/openssl/openssl.c:3804:18: warning: 'RSA_new' is deprecated [-Wdeprecated-declarations]
            rsaparam = RSA_new();
                       ^
    /usr/include/openssl/rsa.h:201:1: note: 'RSA_new' has been explicitly marked deprecated here
    OSSL_DEPRECATEDIN_3_0 RSA *RSA_new(void);
    ^
    /usr/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
    # define OSSL_DEPRECATEDIN_3_0 OSSL_DEPRECATED(3.0)
                                   ^
    /usr/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
    # define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                    ^
    compiling ossl.c
    In file included from ossl.c:10:
    In file included from ./ossl.h:31:
    /usr/include/openssl/ts.h:32:11: fatal error: 'openssl/ess.h' file not found
    # include <openssl/ess.h>
              ^~~~~~~~~~~~~~~
    1 error generated.

For ruby31 we seem to have a missing header:

    compiling ossl.c
    In file included from ossl.c:10:
    In file included from ./ossl.h:31:
    /usr/include/openssl/ts.h:32:11: fatal error: 'openssl/ess.h' file not found
    # include <openssl/ess.h>
              ^~~~~~~~~~~~~~~
    1 error generated.

python2.7 looks like it's either incompatible or fails to detect OpenSSL correctly:

    1 warning generated.
    warning: openssl 0x00000000 is too old for _hashlib
    building dbm using ndbm
(In reply to Ed Maste from comment #6)
As we have to do extended usage of php (in my workplace) we have already tested to build and run php80 with some hacks, which did not yield any optimistic results for us as there were some runtime failures. And as it's marked to be removed by the end of this year, I am not too much inclined to fix it or invest time to fix it. And I am too big of a noob to even portray any feedback for python or ruby.
www/node18 fails to build (56 ports skipped) : https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-05-26_13h59m21s/logs/errors/node18-18.16.0.log
(In reply to Muhammad Moinur Rahman from comment #2) Hi Muhammad, I have updated my branch on GitHub, merging OpenSSL 3.0.9 in base: https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0.9 A corresponding pull-up request is ready here: https://github.com/freebsd/freebsd-src/pull/760 Let me know if you need any additional information to help with the operation. Thank you!
(In reply to Pierre Pronchery from comment #9) Thanks. I am already building my jail with that branch. I think I can hack python27 to build. But I still need to check ruby31. :)
(In reply to Ed Maste from comment #6) The missing <openssl/ess.h> header was my mistake, I have fixed it since.
I restarted the exp-run at https://pkg-status.freebsd.org/gohan05/build.html?mastername=mainamd64openssl3-default&build=2023-06-03_08h18m08s and https://pkg-status.freebsd.org/gohan04/build.html?mastername=maini386openssl3-default&build=2023-06-03_08h13m56s

You can sort the failures by number of skipped ports.
On i386 it seems that "openssl x509" has a runtime issue.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a5b3714057750ecbb8db8912edf5c481ff46ef2b

commit a5b3714057750ecbb8db8912edf5c481ff46ef2b
Author: Muhammad Moinur Rahman <bofh@FreeBSD.org>
AuthorDate: 2023-06-03 14:05:49 +0000
Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-03 14:08:49 +0000

    lang/python27: Fix build with OpenSSL 3 and later

    PR: 271656
    Reported by: exp-run
    Approved by: portmgr (blanket)

 lang/python27/Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4fec4429208ad765eeb85fdab532a4b0be7b5fb4

commit 4fec4429208ad765eeb85fdab532a4b0be7b5fb4
Author: Muhammad Moinur Rahman <bofh@FreeBSD.org>
AuthorDate: 2023-06-03 18:36:36 +0000
Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-03 19:59:23 +0000

    lang/php80: Mark IGNORE_SSL for base

    Considering that OpenSSL 3.0.9 will be merged at OSVERSION 1400089
    mark IGNORE_SSL for base ssl version. In case this happens later we will
    fix the OSVERSION.

    PR: 271656
    Sponsored by: Bounce Experts

 lang/php80/Makefile | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(In reply to Antoine Brodin from comment #12)
Thanks Antoine. With bofh@'s fixes/workarounds applied to python27 and php80 the main issues are now node18 and node16 (it appears ldc breakage is something else).

For i386 ca_root_nss:

    ===> Building for ca_root_nss-3.89.1
    ## Untrusted certificates omitted from this bundle: 23
    openssl x509 failed with exit code 11 at /wrkdirs/usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 84.
    *** Error code 255
(In reply to Ed Maste from comment #15)
From what I can see, node16 decided to shorten their EOL to match the date of OpenSSL 1.1.X. Although we are not sure what we are going to do in the ports tree (remove openssl ports or not), as this requires a discussion which I plan to have in our upcoming meeting. Removing node16 will also break another gazillion of ports, especially electrons and atoms.
The most problematic ports are:

www/node18 : 233 skipped
www/node16 : 15 skipped

New failure logs:
On the builder with the i386 jails, there are several:

    pid 17746 (openssl), jid 660, uid 0: exited on signal 11 (core dumped)
    pid 1976 (openssl), jid 700, uid 0: exited on signal 11 (core dumped)
    pid 96509 (openssl), jid 661, uid 0: exited on signal 11 (core dumped)
    pid 31520 (openssl), jid 639, uid 0: exited on signal 11 (core dumped)
    pid 95317 (openssl), jid 674, uid 0: exited on signal 11 (core dumped)
Hi Pierre, I believe your commit to support RFC3779 broke the build. :'(
(In reply to Antoine Brodin from comment #18)
Hi Antoine. Can you update the ports tree and rerun the bulk build? No need for the entire tree, just the updates, so that we can see if the consumers of node18/node20 build fine.
(In reply to Muhammad Moinur Rahman from comment #19) Hi Muhammad, do you mean the build of FreeBSD base, or of ports? I just completed a build of FreeBSD base without trouble (with CCACHE). I am now trying again without CCACHE, and it looks good so far.
(In reply to Pierre Pronchery from comment #21)
Hi Pierre, I meant the base. I do not use CCACHE at all, but when I try to build the tip (openssl-3.0.9) it fails, although if I check out the previous commit it builds fine. :'(
Did someone have a look at the openssl(1) segmentation faults on i386 (and probably other 32 bits archs)?
(In reply to Antoine Brodin from comment #23) Unfortunately the i386 arch does not build on my builder box. However I tried to look at the error for ca_root_nss and it looks like there are some malformed certificates which are not processed properly.
(In reply to Antoine Brodin from comment #23)
The problem is that BN_ULONG is sometimes defined incorrectly on i386; depending on how the openssl config headers are included, it is sometimes "unsigned long", and sometimes "unsigned long long". For some files it is the former, and then the bignum logic tries to shift right with 32 bits, which is undefined behavior.

In particular, the part here: https://github.com/khorben/freebsd-src/blob/khorben/openssl-3.0.9/crypto/openssl/include/openssl/configuration.h#L125 :

    # if !defined(OPENSSL_SYS_UEFI)
    #  undef BN_LLONG
    /* Only one for the following should be defined */
    #  define SIXTY_FOUR_BIT_LONG
    #  undef SIXTY_FOUR_BIT
    #  undef THIRTY_TWO_BIT
    # endif

SIXTY_FOUR_BIT_LONG should not be defined on i386, it is normally defined in crypto/bn_conf.h, and I have no idea why openssl tries to define it superfluously in configuration.h. In bn_conf.h, the definition is guarded with __LP64__:

    #ifdef __LP64__
    #define SIXTY_FOUR_BIT_LONG
    #undef SIXTY_FOUR_BIT
    #undef THIRTY_TWO_BIT
    #else
    #undef SIXTY_FOUR_BIT_LONG
    #undef SIXTY_FOUR_BIT
    #define THIRTY_TWO_BIT
    #endif

In both files there is some comment about "UEFI builds" so I assume this is our own customization, and this is not upstream in OpenSSL?
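The mismatch described in the comment above, as an added example that is not code from this thread or from OpenSSL: it models how a word-size selector that disagrees with the platform's data model produces a bignum word whose declared size differs from its C type, and shows the compile-time guard that would catch it. The selector-to-type mapping and the half-word shift are assumptions modelled on OpenSSL's bn.h; the enum, struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* The three word-size selectors named in the comment above. */
enum bn_cfg { SEL_SIXTY_FOUR_BIT_LONG, SEL_SIXTY_FOUR_BIT, SEL_THIRTY_TWO_BIT };

/* Sizes in bytes of the C integer types under a data model (constructed). */
struct data_model { const char *name; size_t int_b, long_b, llong_b; };
static const struct data_model ILP32 = { "ILP32 (i386)", 4, 4, 8 };
static const struct data_model LP64  = { "LP64 (amd64)", 4, 8, 8 };

/* What the headers claim the word size is versus what the C type provides. */
struct bn_word { size_t declared_bytes, actual_bytes; };

/* Assumed mapping: SIXTY_FOUR_BIT_LONG -> unsigned long declared as 8 bytes,
 * SIXTY_FOUR_BIT -> unsigned long long declared as 8 bytes,
 * THIRTY_TWO_BIT -> unsigned int declared as 4 bytes. */
static struct bn_word bn_word_for(enum bn_cfg c, const struct data_model *m)
{
    struct bn_word w = { 0, 0 };
    switch (c) {
    case SEL_SIXTY_FOUR_BIT_LONG: w.declared_bytes = 8; w.actual_bytes = m->long_b;  break;
    case SEL_SIXTY_FOUR_BIT:      w.declared_bytes = 8; w.actual_bytes = m->llong_b; break;
    case SEL_THIRTY_TWO_BIT:      w.declared_bytes = 4; w.actual_bytes = m->int_b;   break;
    }
    return w;
}

/* The configuration is sound only when both sizes agree. */
static int bn_word_consistent(enum bn_cfg c, const struct data_model *m)
{
    struct bn_word w = bn_word_for(c, m);
    return w.declared_bytes == w.actual_bytes;
}

/* Bignum code shifts a word by half its declared width. In C a shift count
 * greater than or equal to the width of the type is undefined behavior. */
static int half_word_shift_undefined(enum bn_cfg c, const struct data_model *m)
{
    struct bn_word w = bn_word_for(c, m);
    return w.declared_bytes * 4 >= w.actual_bytes * 8;
}

/* The __LP64__ guard quoted from bn_conf.h, expressed over a data model. */
static enum bn_cfg lp64_guarded_selector(const struct data_model *m)
{
    return m->long_b == 8 ? SEL_SIXTY_FOUR_BIT_LONG : SEL_THIRTY_TWO_BIT;
}

/* Compile-time guard for the host: pick the word the same way the __LP64__
 * guard does and refuse to build if type and declared size disagree. */
#ifdef __LP64__
typedef unsigned long host_bn_word;
enum { HOST_BN_BYTES = 8 };
#else
typedef unsigned int host_bn_word;
enum { HOST_BN_BYTES = 4 };
#endif
_Static_assert(sizeof(host_bn_word) == HOST_BN_BYTES,
               "bignum word size does not match its C type");

int main(void)
{
    static const char *names[] = { "SIXTY_FOUR_BIT_LONG", "SIXTY_FOUR_BIT", "THIRTY_TWO_BIT" };
    const struct data_model *models[] = { &ILP32, &LP64 };
    for (size_t i = 0; i < 2; i++) {
        for (int c = SEL_SIXTY_FOUR_BIT_LONG; c <= SEL_THIRTY_TWO_BIT; c++) {
            struct bn_word w = bn_word_for((enum bn_cfg)c, models[i]);
            printf("%-13s %-20s declared=%zu actual=%zu %s\n", models[i]->name,
                   names[c], w.declared_bytes, w.actual_bytes,
                   half_word_shift_undefined((enum bn_cfg)c, models[i])
                       ? "half-word shift is undefined" : "ok");
        }
    }
    return 0;
}
```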
https://github.com/khorben/freebsd-src/pull/1 should solve the i386 segfaults (those would have happened on other 32 bit platforms too, most likely)
From the last exp-run there are 193 failures which I believe is a good number for us. I have also fixed a number of ports after that so it should reduce the number a bit more. For now I think my work is mostly done. Once this is merged into base and we have an OSVERSION to work with I can fix some more with DEPRECATED warnings or older API Compatibility. https://pkg-status.freebsd.org/gohan05/build.html?mastername=mainamd64openssl3-default&build=2023-06-08_17h26m08s
(In reply to Muhammad Moinur Rahman from comment #22) Got a request to enable RFC3379 option for the ports. Is there currently an issue with that? Or has it been fixed? Thanks, Bernard.
RFC3779 is (and has been) enabled in OpenSSL in base.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f89fd0980a5cbcc54597578015f660643cdccf0f

commit f89fd0980a5cbcc54597578015f660643cdccf0f
Author: Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-13 05:12:49 +0000
Commit: Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-13 05:12:49 +0000

    databases/mysql57-client: be ready for OpenSSL 3.0 in base

    Fix build by merging another change in ssl.cmake from MySQL 8.0
    PORTREVISION not bumped intentionally.

    PR: 271656

 .../mysql57-client/files/patch-cmake_ssl.cmake | 40 ++++++++++++++++++----
 1 file changed, 34 insertions(+), 6 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f8301140055f9b0fac6e3c23458e48c7cff2ef05

commit f8301140055f9b0fac6e3c23458e48c7cff2ef05
Author: Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-13 06:26:00 +0000
Commit: Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-13 06:26:00 +0000

    databases/mysql56-client: be ready for OpenSSL 3.0 in base

    Use same approach as in f89fd0980a5cbcc54597578015f660643cdccf0f
    for mysql57-client.

    PORTREVISION not bumped intentionally.

    PR: 271656

 .../mysql56-client/files/patch-cmake_ssl.cmake | 34 ++++++++++++++++++++--
 1 file changed, 31 insertions(+), 3 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c2664553adba708d98bffc275a651955d73edf1c

commit c2664553adba708d98bffc275a651955d73edf1c
Author: Juraj Lutter <otis@FreeBSD.org>
AuthorDate: 2023-06-12 06:54:34 +0000
Commit: Juraj Lutter <otis@FreeBSD.org>
CommitDate: 2023-06-13 06:38:20 +0000

    www/node16: Fix build with OpenSSL 3

    - This was tested only with OpenSSL 3 from base but not with
      openssl30 or openssl31 ports.
    - Regen patches

    PR: 271656

 ...eps_openssl_config_archs_linux-elf_no-asm_openssl.gypi | 4 ++--
 .../files/patch-deps_openssl_openssl-cl__no__asm.gypi | 6 +++---
 www/node16/files/patch-deps_openssl_openssl__no__asm.gypi | 6 +++---
 www/node16/files/patch-node.gypi | 4 ++--
 www/node16/files/patch-src_crypto_crypto__util.cc (new) | 15 +++++++++++++++
 5 files changed, 25 insertions(+), 10 deletions(-)
Created attachment 242755
megacmd.patch

I can't reproduce the megacmd build error with the ports version of openssl30, so I can't test the fix. Can you test the attached patch, does it resolve the build failure?

The fix is based on https://www.openssl.org/docs/manmaster/man7/migration_guide.html:

    ERR_load_*(), ERR_func_error_string(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_get_state()
    OpenSSL now loads error strings automatically so these functions are not needed.
(In reply to kikadf from comment #33) Testing.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5d7e275412166f6448cbe6b0390653471dfb9b3d

commit 5d7e275412166f6448cbe6b0390653471dfb9b3d
Author: kikadf <kikadf.01@gmail.com>
AuthorDate: 2023-06-13 08:22:54 +0000
Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-06-13 10:06:13 +0000

    net/megacmd: Fix build with openssl-3.x

    PR: 271656

 net/megacmd/files/patch-sdk_src_mega__evt__tls.cpp (new) | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
Hey guys, may I ask, what's going to happen to OpenSSL in the base for FreeBSD 12.4 and 13.2? Both of these are supported for longer than OpenSSL 1.1.1 is supported and I guess FreeBSD won't backport OpenSSL 3.0.0 to these RELENG-Releases? What are the plans about compatibility and mostly security?
(In reply to Dani I. from comment #36)
> Hey guys, may i ask, whats going to happen to OpenSSL in the base for FreeBSD 12.4
> and 13.2? Both of these are supported for longer than OpenSSL 1.1.1 is supported
> and i guess, FreeBSD won't backport OpenSSL 3.0.0 to these RELENG-Releases? What
> are the plans about compatibility and mostly security?

I am not making any plans (nor responsible for it), but my understanding of the current situation is that:

* No backport has been organised for FreeBSD 12.4 nor 13.2 so far;
* The broader Open Source community will be facing the same problem and will collectively have to offer support and patches for OpenSSL 1.x beyond its planned EOL, which may well then also land into FreeBSD 12.4 and 13.2;
* The outcome of the current migration will help us determine if a backport would effectively be a better option, such a decision will depend on binary & source compatibility, and on performance at the very least.

HTH!
Hi. I've been trying to get base to build with the openssl patch from PR#770 (freebsd-src). But it keeps failing on missing .h files. Can anyone point me in the right direction for getting a working 14-CURRENT base + openssl 3.0 ? Thanks in advance.
(In reply to Ralf van der Enden from comment #38)

    git clone -b khorben/openssl-3.0.9 https://github.com/khorben/freebsd-src.git src-ossl30
    SRCCONF=/dev/null
    SRC_ENV_CONF=/dev/null
    __MAKE_CONF=/dev/null
    MAKEOBJDIRPREFIX=/usr/obj-ossl30
    export SRCCONF SRC_ENV_CONF __MAKE_CONF MAKEOBJDIRPREFIX
    mkdir $MAKEOBJDIRPREFIX
    cd src-ossl30
    make buildworld buildkernel
Created attachment 242954
dns/powerdns: fix build with OpenSSL 3.0 as base
Created attachment 242955
dns/powerdns-recursor: fix build with OpenSSL 3.0 as base
What about the numerous performance issues reported against 3.0+?
(In reply to Michael Osipov from comment #42)
> What about the numerous performance issues reported against 3.0+?

Performance issues where they exist in certain 3rd party software will have to be investigated and addressed after OpenSSL 3 lands.
commit b077aed33b7b6aefca7b17ddb250cf521f938613
Merge: b08ee10c0646 b84c4564effd
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
Date: Fri Jun 23 18:53:35 2023 -0400

    Merge OpenSSL 3.0.9

https://cgit.freebsd.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
* bug 272190 for security/pkcs11-helper (also clang16 related)
Added bug #272220 about a runtime issue happening in security/pam_ssh_agent_auth when compiled on head with OpenSSL v3.
Added bug #272280 with a minimal fix
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5de9420ad540b5a13c8d397b19f0d12f54fb5dfc

commit 5de9420ad540b5a13c8d397b19f0d12f54fb5dfc
Author: Dimitry Andric <dim@FreeBSD.org>
AuthorDate: 2023-07-01 20:59:23 +0000
Commit: Dimitry Andric <dim@FreeBSD.org>
CommitDate: 2023-07-01 20:59:23 +0000

    Create correct engines debug directory after OpenSSL 3.0.9 merge

    PR: 271656
    Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")

 etc/mtree/BSD.debug.dist | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
FreeRadius builds but fails at launch time with error:

    "Failed loading legacy provider"

Seems like the call to OSSL_PROVIDER_load(NULL, "legacy") failed here:
https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_3/src/main/tls.c#L3689
(In reply to Mike Cui from comment #49) Looks like dlopen("/usr/lib/ossl-modules/legacy.so") failed with: Undefined symbol "ossl_md4_functions"
(In reply to Mike Cui from comment #50)
This should be fixed by commit 87e08018b175e564b6a19ee41bc65af66f55e078 and following related ones. [1]

[1] https://cgit.freebsd.org/src/commit/?id=87e08018b175e564b6a19ee41bc65af66f55e078
I can confirm that loading the legacy provider works again for OpenVPN (and also for openssl CLI, "openssl list -provider legacy -cipher-algorithms").

Loading the FIPS provider still fails - not sure if this is known/intentional?

    $ openssl list -provider fips -cipher-algorithms
    list: unable to load provider fips
    Hint: use -provider-path option or OPENSSL_MODULES environment variable.
    0020A189C32C0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/usr/src/crypto/openssl/providers/fips/self_test.c:290:
    0020A189C32C0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:/usr/src/crypto/openssl/providers/fips/self_test.c:388:
    0020A189C32C0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:/usr/src/crypto/openssl/providers/fips/fipsprov.c:707:
    0020A189C32C0000:error:078C0105:common libcrypto routines:provider_init:init fail:/usr/src/crypto/openssl/crypto/provider_core.c:932:name=fips

(this is with src at commit c81495a621c4)
(In reply to Gert Doering from comment #52) I don't have a reference to give, but I have seen discussion stating that the issue with the FIPS provider is known and being worked on. There have also been issues with ARM architectures, but it looks like those have been solved.
(In reply to Guido Falsi from comment #53)
I have managed to track down the issue, and make the FIPS provider work on FreeBSD. Here is a copy of my comment on GitHub's #787 PR to this effect: (https://github.com/freebsd/freebsd-src/pull/787)

> I just confirmed that the FIPS module can be configured to load correctly, with this pull-up request applied, on my local amd64 machine:
>
> * Enabling the FIPS provider in `openssl.cnf` disables the default module, so make sure it has `activate = 1` in its section.
> * The default module is required for `openssl fipsinstall`, otherwise no HMAC provider is available to generate the corresponding configuration file. (Defaults to `fips.cnf`)
> * The output of `openssl fipsinstall` (the configuration file) needs to be installed in e.g., `/etc/ssl/fipsmodule.cnf` and included by `openssl.cnf` in order for the FIPS provider to work. (Check the provider's section name to be correct and matching that of `fipsmodule.cnf`, e.g., `fips_sect`)
> * The configuration file depends on the binary code of the `fips.so` provider module, therefore in order for FreeBSD to ship a working FIPS provider by default, `openssl fipsinstall` (or an equivalent) has to be executed to generate it once all of OpenSSL is done building.
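The conditions listed in the comment above, turned into a small checker over an `openssl.cnf` text. This is an added example, not code from the thread, the pull request or OpenSSL; the two sample configurations are constructed, and the providers section name `provider_sect`, the struct and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One flag per condition from the comment above. */
struct fips_cnf_report {
    int includes_fipsmodule; /* .include of the fipsinstall output is present */
    int fips_listed;         /* "fips = <section>" under the providers section */
    int section_matches;     /* <section> is the one fipsmodule.cnf defines */
    int default_activated;   /* default provider section has "activate = 1" */
};

/* Copy one line into buf, drop '#' comments and surrounding blanks. */
static const char *next_line(const char *p, char *buf, size_t n)
{
    size_t len = strcspn(p, "\n");
    size_t use = len < n - 1 ? len : n - 1;
    memcpy(buf, p, use);
    buf[use] = '\0';
    buf[strcspn(buf, "#")] = '\0';
    size_t e = strlen(buf), s = 0;
    while (e > 0 && isspace((unsigned char)buf[e - 1])) buf[--e] = '\0';
    while (isspace((unsigned char)buf[s])) s++;
    memmove(buf, buf + s, e - s + 1);
    return p[len] == '\n' ? p + len + 1 : p + len;
}

/* Split "key = value" in place; returns 0 when the line has no '='. */
static int split_kv(char *line, char **key, char **val)
{
    char *eq = strchr(line, '=');
    if (!eq) return 0;
    *eq = '\0';
    *key = line;
    *val = eq + 1;
    size_t k = strlen(line);
    while (k > 0 && isspace((unsigned char)line[k - 1])) line[--k] = '\0';
    while (isspace((unsigned char)**val)) (*val)++;
    return 1;
}

/* Pass 0 reads the providers section, pass 1 checks the default section. */
static struct fips_cnf_report check_fips_cnf(const char *cnf,
                                             const char *providers_sect,
                                             const char *fips_sect)
{
    struct fips_cnf_report r = { 0, 0, 0, 0 };
    char default_sect[64] = "", sect[64], line[256];
    for (int pass = 0; pass < 2; pass++) {
        const char *p = cnf;
        sect[0] = '\0';
        while (*p) {
            char *key, *val;
            p = next_line(p, line, sizeof line);
            if (line[0] == '[') {
                sect[0] = '\0';
                sscanf(line, "[ %63[^] \t]", sect);
            } else if (strncmp(line, ".include", 8) == 0) {
                if (strstr(line, "fipsmodule.cnf")) r.includes_fipsmodule = 1;
            } else if (split_kv(line, &key, &val)) {
                if (pass == 0 && strcmp(sect, providers_sect) == 0) {
                    if (strcmp(key, "fips") == 0) {
                        r.fips_listed = 1;
                        r.section_matches = strcmp(val, fips_sect) == 0;
                    } else if (strcmp(key, "default") == 0) {
                        snprintf(default_sect, sizeof default_sect, "%.63s", val);
                    }
                } else if (pass == 1 && default_sect[0] != '\0' &&
                           strcmp(sect, default_sect) == 0 &&
                           strcmp(key, "activate") == 0 && strcmp(val, "1") == 0) {
                    r.default_activated = 1;
                }
            }
        }
    }
    return r;
}

static int fips_cnf_ok(struct fips_cnf_report r)
{
    return r.includes_fipsmodule && r.fips_listed && r.section_matches &&
           r.default_activated;
}

/* Constructed sample: FIPS and default providers both enabled. */
static const char GOOD_CNF[] =
    "openssl_conf = openssl_init\n"
    ".include /etc/ssl/fipsmodule.cnf\n"
    "[openssl_init]\n"
    "providers = provider_sect\n"
    "[provider_sect]\n"
    "fips = fips_sect\n"
    "default = default_sect\n"
    "[default_sect]\n"
    "activate = 1\n";

/* Constructed sample: default provider left with activate commented out. */
static const char BAD_CNF[] =
    ".include /etc/ssl/fipsmodule.cnf\n"
    "[provider_sect]\n"
    "fips = fips_sect\n"
    "default = default_sect\n"
    "[ default_sect ]\n"
    "# activate = 1\n";

int main(void)
{
    printf("good: %d\n", fips_cnf_ok(check_fips_cnf(GOOD_CNF, "provider_sect", "fips_sect")));
    printf("bad:  %d\n", fips_cnf_ok(check_fips_cnf(BAD_CNF, "provider_sect", "fips_sect")));
    return 0;
}
```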
OpenSSL 3 is now in main and stable/14.