Given that there have been some openssl/libressl vulnerabilities very recently, upon attempting to upgrade LibreSSL to 3.5.4 this kind of thing is happening when I attempt to start synapse after the package upgrade:
    ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "DTLS_get_link_min_mtu"
I have tried manually setting this symbol to something defined as a wild attempt to fix this issue, but the chain of issues continues:
    ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "EVP_DigestFinalXOF"
I see a libressl patch in py-cryptography's port, but maybe this is not enough?
This seems indeed at least partially related to the py-cryptography libressl patch, which removes the symbol DTLS_get_link_min_mtu. Add zirias (originator of the patch), maybe he has some input
Just to clarify, this didn't happen with previous LibreSSL versions?
Not to me, however my last build was back at Q32022.
(In reply to dave from comment #3)
Then that was probably still LibreSSL 3.4? Ok, I'll have a look ASAP, seems the patch just fixed building but breaks at runtime :(
Yes, LibreSSL was 3.4.3 at that time.
Created attachment 240339: testfix1
Looks like I patched too much here, these symbols are still not present in LibreSSL. So, could you please test rebuilding py-cryptography with the attached patch? It just restores the dummy definitions of these missing symbols when building with LibreSSL.
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/runpy.py", line 197, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/usr/local/lib/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/usr/local/lib/python3.9/site-packages/synapse/app/homeserver.py", line 28, in <module>
        from synapse.api.urls import (
      File "/usr/local/lib/python3.9/site-packages/synapse/api/urls.py", line 22, in <module>
        from synapse.config.homeserver import HomeServerConfig
      File "/usr/local/lib/python3.9/site-packages/synapse/config/homeserver.py", line 40, in <module>
        from .repository import ContentRepositoryConfig
      File "/usr/local/lib/python3.9/site-packages/synapse/config/repository.py", line 22, in <module>
        from synapse.config.server import generate_ip_set
      File "/usr/local/lib/python3.9/site-packages/synapse/config/server.py", line 27, in <module>
        from twisted.conch.ssh.keys import Key
      File "/usr/local/lib/python3.9/site-packages/twisted/conch/ssh/keys.py", line 74, in <module>
        if default_backend().ed25519_supported():
      File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/backends/__init__.py", line 14, in default_backend
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 6, in <module>
        from cryptography.hazmat.backends.openssl.backend import backend
      File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 113, in <module>
        from cryptography.hazmat.bindings.openssl import binding
      File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
        from cryptography.hazmat.bindings._openssl import ffi, lib
    ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "EVP_DigestFinalXOF"
This is exactly where I got to when trying to do almost exactly what you did. :)
Created attachment 240367: testfix2
Ahh, the horrors of late binding ... and I didn't notice that other missing symbol in your first message, sorry! Please try *this* patch instead and let me know, thanks.
This patch appears to work. By "appears" I mean that synapse actually restarted after recompiling py-cryptography (and everything else that depended on it).
(In reply to dave from comment #9)
Thanks. If it starts successfully, it means the issue of missing symbols is resolved, so I'll prepare a commit now to fix this.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f482d5d27c1afbbc3b9ed65d31c7eba92fe04393
commit f482d5d27c1afbbc3b9ed65d31c7eba92fe04393
Author:     Felix Palmen <zirias@FreeBSD.org>
AuthorDate: 2023-02-25 06:52:40 +0000
Commit:     Felix Palmen <zirias@FreeBSD.org>
CommitDate: 2023-03-12 08:47:06 +0000
    security/py-cryptography: Fix runtime /w libressl
    When built with LibreSSL, a few symbols were missing, so consumers failed at runtime.
    PR: 269705
    Approved by: sunpoet (maintainer, timeout)
    Approved by: tcberner (mentor, implicit: libressl)
    Differential Revision: https://reviews.freebsd.org/D38765
 security/py-cryptography/Makefile               |  1 +
 security/py-cryptography/files/patch-libressl35 | 41 ++++++++++++++++++-------
 2 files changed, 31 insertions(+), 11 deletions(-)
The fix for the missing symbols is now committed.
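Added example, not part of the original thread or of the port: a post-build check for the failure discussed above, where the extension builds but a consumer hits "Undefined symbol" at import. It compares the undefined dynamic symbols of the built module against what the linked libraries export, using `nm -D` output. The sample nm listings are constructed, and ignoring the Py/_Py prefixes (assumed to be resolved by the interpreter) is an assumption.

```python
import subprocess
import sys

# Constructed sample `nm -D` output, not taken from a real build.
EXT_NM = """\
                 U DTLS_get_link_min_mtu
                 U EVP_DigestFinalXOF
                 U EVP_DigestInit_ex
                 U PyModule_Create2
                 U malloc
0000000000051230 T PyInit__openssl
"""
LIBCRYPTO_NM = "00000000000a1000 T EVP_DigestInit_ex\n"
LIBC_NM = "0000000000080000 T malloc\n"

def parse_nm(text):
    """Return (undefined, defined) dynamic symbol names from `nm -D` output."""
    undefined, defined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or "file:" header
        kind, name = fields[-2], fields[-1].split("@", 1)[0]  # drop @VERSION
        if kind == "U":
            undefined.add(name)
        elif kind not in ("w", "v"):  # weak undefined symbols may be absent
            defined.add(name)
    return undefined, defined

def unresolved(ext_nm, lib_nms, host_prefixes=("Py", "_Py")):
    """Symbols the extension needs that none of the given libraries export."""
    needed, _ = parse_nm(ext_nm)
    exported = set()
    for text in lib_nms:
        exported |= parse_nm(text)[1]
    return sorted(s for s in needed - exported if not s.startswith(host_prefixes))

def nm_dynamic(path):
    """Run `nm -D` on a shared object and return its text output."""
    return subprocess.run(["nm", "-D", path], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: check.py <extension.so> <lib.so> [<lib.so> ...]
        missing = unresolved(nm_dynamic(sys.argv[1]),
                             [nm_dynamic(p) for p in sys.argv[2:]])
    else:  # no arguments: run on the constructed sample
        missing = unresolved(EXT_NM, [LIBCRYPTO_NM, LIBC_NM])
    print("\n".join(missing) or "no unresolved symbols")
    sys.exit(1 if missing else 0)
```

Pass every library the extension is linked against (libssl, libcrypto, libc and so on); any symbol still listed will fail to resolve when the module is loaded.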