The wazuh-manager uses openssl in python module via _openssl.abi3.so (see below)

This fails:

Traceback (most recent call last):
  File "/var/ossec/framework/python/lib/python3.9/site-packages/jose/backends/cryptography_backend.py", line 66, in __init__
    key = load_pem_public_key(key, self.cryptography_backend())
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"

and the main reason is that OpenSSL-3.0 is not yet supported by wazuh.

Here's where it is linked with libssl.so.3.0:

[root@hostname /var/ossec]# ldd framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so:
        libssl.so.30 => /usr/lib/libssl.so.30 (0x3b61fc1b000)
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x3b620f10000)
        libthr.so.3 => /lib/libthr.so.3 (0x3b620bba000)
        libc.so.7 => /lib/libc.so.7 (0x3b61d359000)

I made some feeble attempts to fix this by requiring the port to depend on openssl111, but did not succeed:

diff --git a/security/wazuh-manager/Makefile b/security/wazuh-manager/Makefile index 55f3be186f55..9da69b620cc8 100644 
--- a/security/wazuh-manager/Makefile +++ b/security/wazuh-manager/Makefile @@ -1,6 +1,7 @@ PORTNAME= wazuh DISTVERSIONPREFIX= v DISTVERSION= 4.7.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://packages.wazuh.com/deps/24/libraries/sources/:wazuh_sources \ LOCAL/acm/${PORTNAME}/:wazuh_cache @@ -26,7 +27,7 @@ LIB_DEPENDS+= libgdbm.so:databases/gdbm \ libffi.so:devel/libffi \ libarrow.so:databases/arrow -USES= cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 uidfix +USES= cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 uidfix ssl USE_GITHUB= yes GH_TUPLE= alonsobsd:wazuh-freebsd:${WAZUH_EXTRAFILE_TAGNAME}:wazuh @@ -144,6 +145,7 @@ ARCH_BASE= ${ARCH:S/aarch64/arm64/g} UNAME_r= ${_OSRELEASE:tl} FBSD_RELEASE= freebsd_${UNAME_r:S/./_/g:S/-/_/g} +#DEFAULT_VERSIONS+= ssl=openssl111 .include <bsd.port.pre.mk> .if ${OSVERSION} >= 1300139 && ${OSVERSION} < 1400000 @@ -162,6 +164,10 @@ DISTFILES+= ${WAZUH_CACHENAME}${EXTRACT_SUFX}:wazuh_cache IGNORE= FreeBSD ${OSVERSION} ${ARCH} is not supported .endif +#.if ${OSVERSION} >= 1400092 +#DEFAULT_VERSIONS+= ssl=openssl111 +#.endif + post-extract: .for FILE in ${EXTERNAL_DISTFILES} @cd ${WRKSRC}/src/external && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/${FILE:S/:wazuh_sources//} ${EXTRACT_AFTER_ARGS}

The Wazuh team know about the dependency on the old OpenSSL and they are apparently working on it. It will appear in 4.8.

Is there a temporary fix or workaround to get it working on FreeBSD-14.0? wazuh is broken now, other than waiting for wazuh 4.8?

The obvious solution would be to force the port to use openssl111, but I failed to get that bit working. Using compat13x is perhaps easier but that would probably require juggling with libmap.conf as well? Other ideas?

Palle
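
Review bot: In the hunk at @@ -26,7 +27,7 @@, adding ssl to USES does not by itself select OpenSSL 1.1.1. With no version chosen the port follows the default SSL, and the ldd output in the report shows libssl and libcrypto resolving to the base libssl.so.30 and libcrypto.so.30. The version selection the report is after has to come from elsewhere, and as posted nothing in the patch provides it.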
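
Review bot: Both DEFAULT_VERSIONS+= ssl=openssl111 lines (hunks @@ -144,6 +145,7 @@ and @@ -162,6 +164,10 @@) are commented out, so the patch as posted changes only PORTREVISION and USES. Remove the dead lines rather than carrying them in the Makefile. DEFAULT_VERSIONS is a knob users set in make.conf, so an experiment with a non-default OpenSSL belongs there and not in the port.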
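
The check the report does by hand, as an added example that is not part of the original post or of the port: it parses ldd output and the loader error to list which OpenSSL libraries a bundled extension resolves to and which symbol it is missing. The sample input is constructed from the output quoted above; the function names and the expected soname suffix "111" are assumptions of this example.

```python
import re

# Constructed from the ldd output and ImportError quoted in the report.
SAMPLE_LDD = """\
framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so:
        libssl.so.30 => /usr/lib/libssl.so.30 (0x3b61fc1b000)
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x3b620f10000)
        libthr.so.3 => /lib/libthr.so.3 (0x3b620bba000)
        libc.so.7 => /lib/libc.so.7 (0x3b61d359000)
"""
SAMPLE_ERROR = (
    "ImportError: /var/ossec/framework/python/lib/python3.9/site-packages/"
    "cryptography/hazmat/bindings/_openssl.abi3.so: "
    'Undefined symbol "ERR_GET_FUNC"'
)

# "libssl.so.30 => /usr/lib/libssl.so.30 (0x...)" -> name, soname suffix, path
LDD_LINE = re.compile(r"^\s*(lib(?:ssl|crypto))\.so\.(\S+)\s+=>\s+(\S+)")
# FreeBSD rtld wording, as it appears in the traceback above
UNDEF = re.compile(r'(\S+\.so): Undefined symbol "([^"]+)"')


def openssl_linkage(ldd_text):
    """Map 'libssl'/'libcrypto' to (soname suffix, resolved path)."""
    found = {}
    for line in ldd_text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def diagnose(error_text, ldd_text, expected_suffix="111"):
    """List findings. expected_suffix is the soname suffix the bundle is
    assumed to have been built for (an assumption of this example)."""
    findings = []
    m = UNDEF.search(error_text)
    if m:
        module = m.group(1).rsplit("/", 1)[-1]
        findings.append(f"{module} needs symbol {m.group(2)}")
    for lib, (suffix, path) in sorted(openssl_linkage(ldd_text).items()):
        if suffix != expected_suffix:
            findings.append(
                f"{lib} resolves to {path} (so.{suffix}, expected so.{expected_suffix})"
            )
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_ERROR, SAMPLE_LDD)))
```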
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e9a4fa124df4266067528038710fc673549cea52

commit e9a4fa124df4266067528038710fc673549cea52
Author:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
AuthorDate: 2024-06-15 17:38:13 +0000
Commit:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
CommitDate: 2024-06-15 17:38:13 +0000

    security/wazuh-*: Update to 4.7.5

    - Fix build/installation on aarch64
    - Fix runtime issues on 14.x and 15.x because of openssl3 support [1]

    PR:             279363
    Reported by:    girgen [1]

 security/wazuh-agent/Makefile      |    2 +-
 security/wazuh-agent/distinfo      |   82 +-
 security/wazuh-dashboard/Makefile  |    2 +-
 security/wazuh-dashboard/distinfo  |   10 +-
 security/wazuh-dashboard/pkg-plist | 2054 +++++++++++++++++++++++++++++++++++-
 security/wazuh-indexer/Makefile    |    2 +-
 security/wazuh-indexer/distinfo    |    6 +-
 security/wazuh-manager/Makefile    |    6 +-
 security/wazuh-manager/distinfo    |  118 +--
 security/wazuh-manager/pkg-plist   |  726 +++++++------
 security/wazuh-server/Makefile     |    4 +-
 security/wazuh-server/distinfo     |   18 +-
 12 files changed, 2524 insertions(+), 506 deletions(-)
Hello.

I have updated wazuh to 4.7.5. I tested it on 14.x and it runs without openssl issues. Also, I fixed some build/installation issues with wazuh-manager on aarch64.

Btw, 4.8.0 includes some breaking changes (new bundled libraries, python updated to 3.10, openssl updated to 3.x, a lot of wazuh-dashboard changes, etc.) and it can take me some time before I commit it to the ports tree.

Thanks for your PR.
Lovely. Thanks!

Palle