After upgrading ntopng from 5.6.d20231023,1 to 6.0.d20231103,1 on very recent amd64 stable/14 1400500, I get these error messages when attempting to start ntopng. The selected SSL library is OpenSSL from base via /etc/make.conf.
Nov 5 10:38:45 <user.err> WITHHELD ntopng[64079]: 05/Nov/2023 10:38:45 [HTTPserver.cpp:1624] ERROR: [HTTP] load_dll: libssl.so: cannot find SSLv23_server_method
Nov 5 10:38:45 <user.err> WITHHELD ntopng[64079]: 05/Nov/2023 10:38:45 [mongoose.c:4809] ERROR: load_dll: libssl.so: cannot find SSLv23_server_method
Nov 5 10:38:45 <user.err> WITHHELD ntopng[64079]: 05/Nov/2023 10:38:45 [HTTPserver.cpp:1924] ERROR: Unable to start HTTP server (IPv4) on ports [2001:WITHHELD]:3000,[2001:WITHHELD]:3001s
Nov 5 10:38:45 <user.err> WITHHELD ntopng[64079]: 05/Nov/2023 10:38:45 [HTTPserver.cpp:1927] ERROR: Either port in use or another ntopng instance is running (using the same port)
Another problem might be that ntopng 6.x doesn't properly recognise IPv6 addresses.
(In reply to Trond Endrestøl from comment #0)
Hi, thanks for reporting. These two look a little nasty, both of them; I don't have solutions right away.
The SSL issue looks like an old name is being looked up for a function. Maybe this can be fixed with an ifdef in the code, I need to test it. I did not notice them when testing on head, but maybe I did not look hard enough.
The second one is unclear to me. What do you mean by "doesn't properly recognize IPv6 addresses"? What do you expect and what is being done instead? In my testing the software did show IPv6 addresses in the UI. I noticed nothing strange. Also this could be an upstream issue, not depending on the port.
One question, do you happen to also have some other libssl installed on the system? Or old libssl not removed via `make delete-old-libs` after upgrade? Maybe the port is getting confused about which one to load. I'm trying to gather some information about this, definitely caused by the migration to OpenSSL v3 in base, but I honestly thought I avoided this pitfall with the upgrade.
(In reply to Guido Falsi from comment #1)
> The second one is unclear to me. What do you mean by "doesn't properly recognize IPv6 addresses" what do you expect and what is being done instead?
It could be a typo in the source code, but it is a bit funny stating something to be IPv4 addresses and then actually show IPv6 addresses. And, yes, I have configured ntopng to bind to my IPv6 address.
(In reply to Guido Falsi from comment #2)
make delete-old-libs is run automatically by my OS upgrade script. This is what I have:
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Running ldd /usr/local/bin/ntopng gives:
/usr/local/bin/ntopng:
[...]
libssl.so.30 => /usr/lib/libssl.so.30 (0x13737f91d000)
[...]
We had something similar for security/py-certbot, see PR 273656, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656. My workaround is to export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 but that didn't fly in this case for ntopng.
(In reply to Trond Endrestøl from comment #4)
Regarding the SSL issue, I don't have a solution but I was looking at the source code. Looks like the error is happening in the embedded mongoose web server. But I'm not sure why, what it is exactly trying to do that causes the error. The mongoose version they include is really old, but cannot be simply replaced, since they customized it, and also, the API could have changed (the newer versions' source code looks completely different).
Looks like it is actually trying to check each and every symbol it is going to use, and that fails for removed ones, even if there is a drop-in replacement. For the one you report as erroring out OpenSSL has preprocessor workarounds, but I guess they cannot fix runtime checks. Maybe we can just swap the function names. At [1] you find a link to a relevant code line. I'm not sure how to address this, I need some time to test, and maybe ask upstream.
Regarding the "Unable to start HTTP server (IPv4) on ports", I found the code line with that string. There's no detection, it's just a fixed string. [2] For this one I don't really see a point in fixing it in ports. You could file a PR upstream, or maybe I could file it, but to do that I'd ask you for an alternative text to put in that error message.
[1] https://github.com/ntop/ntopng/blob/14c0fb29b9ee790c059a0ca22b285eec97951c41/third-party/mongoose/mongoose.c#L430
[2] https://github.com/ntop/ntopng/blob/14c0fb29b9ee790c059a0ca22b285eec97951c41/src/HTTPserver.cpp#L1924
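The load-time symbol check described in the comment above can be reproduced outside ntopng. The following is an added example, not code from this thread, ntopng or mongoose: it contrasts an all-or-nothing lookup with one that binds the function the legacy name is a macro for in OpenSSL 1.1.0 and later headers. All function names and the sample export list are hypothetical and constructed for illustration.

```python
import ctypes
import ctypes.util

# Legacy API names (both appear in the errors in this thread) mapped to the
# exported function that OpenSSL >= 1.1.0 headers define them as macros for.
MACRO_TARGETS = {
    "SSLv23_server_method": "TLS_server_method",
    "SSL_library_init": "OPENSSL_init_ssl",
}

# Constructed export list standing in for an OpenSSL 3 libssl (assumption).
SAMPLE_OPENSSL3 = {"TLS_server_method", "OPENSSL_init_ssl", "SSL_new", "SSL_free"}


def sample_exports(name):
    """Predicate over the constructed export list above."""
    return name in SAMPLE_OPENSSL3


def library_exports(path):
    """Predicate backed by dlsym() on a real shared library."""
    lib = ctypes.CDLL(path)
    return lambda name: bool(name) and hasattr(lib, name)


def strict_lookup(exports, wanted):
    """All-or-nothing loader: fail on the first name that is not exported."""
    for name in wanted:
        if not exports(name):
            raise LookupError(f"load_dll: libssl.so: cannot find {name}")
    return list(wanted)


def tolerant_lookup(exports, wanted):
    """Bind the macro target when the legacy name itself is not exported."""
    bound = {}
    for name in wanted:
        if exports(name):
            bound[name] = name
        elif exports(MACRO_TARGETS.get(name, "")):
            bound[name] = MACRO_TARGETS[name]
        else:
            raise LookupError(f"cannot find {name} or a replacement")
    return bound


if __name__ == "__main__":
    wanted = ["SSL_new", "SSLv23_server_method", "SSL_library_init"]
    print(tolerant_lookup(sample_exports, wanted))
    path = ctypes.util.find_library("ssl")
    if path:  # also report what the libssl installed on this host exports
        real = library_exports(path)
        names = list(MACRO_TARGETS) + list(MACRO_TARGETS.values())
        print(path, {n: real(n) for n in names})
```

Run against a real libssl, the last line shows which of the four names dlsym() can resolve, which is the same question the embedded web server asks at startup.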
Created attachment 246144
patch v1
Hi again, can you test the attached patch and report if it fixes the issue? Thanks in advance.
(In reply to Guido Falsi from comment #6)
We got a different error message this time.
Nov 5 21:28:11 <user.err> WITHHELD ntopng[31436]: 05/Nov/2023 21:28:11 [HTTPserver.cpp:1624] ERROR: [HTTP] load_dll: libssl.so: cannot find SSL_library_init
Nov 5 21:28:11 <user.err> WITHHELD ntopng[31436]: 05/Nov/2023 21:28:11 [mongoose.c:4809] ERROR: load_dll: libssl.so: cannot find SSL_library_init
Nov 5 21:28:11 <user.err> WITHHELD ntopng[31436]: 05/Nov/2023 21:28:11 [HTTPserver.cpp:1924] ERROR: Unable to start HTTP server (IPv4) on ports [2001:WITHHELD]:3000,[2001:WITHHELD]:3001s
Nov 5 21:28:11 <user.err> WITHHELD ntopng[31436]: 05/Nov/2023 21:28:11 [HTTPserver.cpp:1927] ERROR: Either port in use or another ntopng instance is running (using the same port)
(In reply to Trond Endrestøl from comment #7) Oh. Let's hope this symbol is as easy to replace as the other two.
Created attachment 246146
patch v2
I have created a new patch. Looks like there was a useful line in configure.ac which I removed. So, this patch has a completely different strategy than the previous one. I tested with a dummy certificate and it works for me. Can you test this one too? Thanks for your time!
(In reply to Guido Falsi from comment #9)
Success! Nothing was logged to the “user” facility (or category as I prefer to call it).
# service ntopng status ; geoip-ntopng.sh ; service ntopng restart ; sleep 1 ; service ntopng status
ntopng is not running.
/root/bin/geoip-ntopng.sh: /usr/local/share/ntopng/httpdocs/geoip/GeoLite2-ASN.mmdb was lost and was recreated by me.
/root/bin/geoip-ntopng.sh: /usr/local/share/ntopng/httpdocs/geoip/GeoLite2-City.mmdb was lost and was recreated by me.
ntopng not running?
Starting ntopng.
06/Nov/2023 19:02:38 [Redis.cpp:169] Successfully connected to redis 127.0.0.1@0
06/Nov/2023 19:02:38 [Redis.cpp:169] Successfully connected to redis 127.0.0.1@0
06/Nov/2023 19:02:39 [NetworkInterface.cpp:3745] Cleanup interface dummy
06/Nov/2023 19:02:39 [Ntop.cpp:2597] Parent process is exiting (this is normal)
ntopng is running as pid 45609.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=80656e393399a82da0db224a847b221034748cc3
commit 80656e393399a82da0db224a847b221034748cc3
Author: Guido Falsi <madpilot@FreeBSD.org>
AuthorDate: 2023-11-06 21:12:59 +0000
Commit: Guido Falsi <madpilot@FreeBSD.org>
CommitDate: 2023-11-06 21:12:59 +0000
net/ntopng: Fix OpenSSL support in embedded webserver
PR: 274925
net/ntopng/Makefile | 1 +
net/ntopng/files/patch-configure.ac.in | 18 +++++++++---------
2 files changed, 10 insertions(+), 9 deletions(-)
Committed the patch. Thanks for testing it!