OpenSSL 1.1 is EOL on 11th September 2023 - base system update to OpenSSL 3.0 is necessary. This PR is open to track issues with / changes required for the update.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ffbd1c8bc08ec34006b8c0b6b6d3d333033364f5

commit ffbd1c8bc08ec34006b8c0b6b6d3d333033364f5
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-05-24 18:14:28 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-24 18:31:14 +0000

libtelnet: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future change should migrate to use the OpenSSL 3.0 APIs, or just remove libtelnet.

PR: 271615
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

lib/libtelnet/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=96e6e5b5fe9b510fd9a416f486860c2acad4219b

commit 96e6e5b5fe9b510fd9a416f486860c2acad4219b
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-09 13:01:40 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-24 18:55:07 +0000

ppp: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future change should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

usr.sbin/ppp/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=baef3a5b585f462d9256f3b5a771ab5508ef6fd2

commit baef3a5b585f462d9256f3b5a771ab5508ef6fd2
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-09 13:04:45 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-24 23:44:24 +0000

tcpdump: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

usr.sbin/tcpdump/tcpdump/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b238d51d0adc43e2bab347e5ef13c323c1857c5e

commit b238d51d0adc43e2bab347e5ef13c323c1857c5e
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-13 02:38:18 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 02:16:48 +0000

ldns: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future ldns update should migrate to use the OpenSSL 3.0 APIs.

This is a recommit of c6750ddec917 after the ldns update in 5afab0e5e56f.

PR: 271615
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40082

lib/libldns/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=01aee8c92d936470c44821736e0d9e11ed7ce812

commit 01aee8c92d936470c44821736e0d9e11ed7ce812
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-05-25 15:24:48 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 16:20:15 +0000

libfetch: do not call deprecated OpenSSL functions

As of OpenSSL 1.1 SSL_library_init() and SSL_load_error_strings() are deprecated. There are replacement initialization functions but they do not need to be called:

"As of version 1.1.0 OpenSSL will automatically allocate all resources that it needs so no explicit initialisation is required."

Wrap both calls in an OPENSSL_VERSION_NUMBER block.

PR: 271615
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40265

lib/libfetch/common.c | 2 ++
1 file changed, 2 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=07523f1d4fae44967b274175d48480fafb6d9f34

commit 07523f1d4fae44967b274175d48480fafb6d9f34
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 05:42:38 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 17:15:45 +0000

libradius: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

Future work should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

lib/libradius/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=77d788e23d0964053b81b5de307fa04bd1ccadc5

commit 77d788e23d0964053b81b5de307fa04bd1ccadc5
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 06:46:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 17:15:45 +0000

libfetch: specify OpenSSL 1.1 APIs

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

Future work should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

lib/libfetch/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5a7500dab9b8480dacd5a9b70bad1541391342e4

commit 5a7500dab9b8480dacd5a9b70bad1541391342e4
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 07:26:58 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 19:08:05 +0000

libarchive: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

lib/libarchive/Makefile.inc | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fed03614bd2d070ffb351af8042fda9805341c29

commit fed03614bd2d070ffb351af8042fda9805341c29
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 17:44:47 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-25 20:52:52 +0000

factor: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future change should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

usr.bin/factor/Makefile | 1 +
1 file changed, 1 insertion(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b01c10d25d06047e45c3d5dc6a4e757a9b35ab78

commit b01c10d25d06047e45c3d5dc6a4e757a9b35ab78
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-05-25 19:17:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-26 13:15:25 +0000

auditdistd: Avoid calling deprecated OpenSSL functions

As of OpenSSL 1.1 SSL_library_init() and SSL_load_error_strings() are deprecated. There are replacement initialization functions but they do not need to be called:

"As of version 1.1.0 OpenSSL will automatically allocate all resources that it needs so no explicit initialisation is required."

Wrap both calls in an OPENSSL_VERSION_NUMBER block.

Upstream pull request submitted at https://github.com/openbsm/openbsm/pull/82

PR: 271615
Reviewed by: ngie
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40273

contrib/openbsm/bin/auditdistd/proto_tls.c | 4 ++++
1 file changed, 4 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7409d45ed4c515b80d75491492808b6b284a207b

commit 7409d45ed4c515b80d75491492808b6b284a207b
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 17:44:36 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-26 13:20:27 +0000

auditdistd: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future change should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

usr.sbin/auditdistd/Makefile | 2 ++
1 file changed, 2 insertions(+)
For reference, in Pierre's openssl-3.0 branch the Makefiles listed below have changes to support OpenSSL 3 (mostly adding -DOPENSSL_API_COMPAT=0x10100000L). These are libraries or binaries that fail to build with OpenSSL 1.1, with the change.

kerberos5/lib/libgssapi_krb5/Makefile | 1 +
kerberos5/lib/libgssapi_ntlm/Makefile | 1 +
kerberos5/lib/libheimntlm/Makefile | 1 +
kerberos5/lib/libhx509/Makefile | 1 +
kerberos5/lib/libkdc/Makefile | 1 +
kerberos5/lib/libkrb5/Makefile | 1 +
kerberos5/usr.bin/hxtool/Makefile | 1 +
lib/libarchive/Makefile.inc | 2 ++
lib/libunbound/Makefile | 1 +
sbin/decryptcore/Makefile | 2 ++
sbin/dumpon/Makefile | 1 +

(libarchive is the exception to OPENSSL_API_COMPAT - it needs a warning change)
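The constant in -DOPENSSL_API_COMPAT=0x10100000L and the OPENSSL_VERSION_NUMBER blocks mentioned in the libfetch and auditdistd commits both use OpenSSL's packed version encoding. The following is an added example, not code from the FreeBSD tree: it decodes that encoding and evaluates a guard of the assumed form `OPENSSL_VERSION_NUMBER < 0x10100000L` (the commit messages do not show the actual condition). The function names and sample values are constructed for illustration.

```c
#include <stdio.h>

/* Assumed guard threshold: the value the thread passes as OPENSSL_API_COMPAT.
 * The commit messages do not show the condition used in the real guards. */
#define OSSL_1_1_0 0x10100000UL

struct ossl_ver { unsigned major, minor, fix, patch; };

/* Layout before 3.0: 0xMNNFFPPS (major, minor, fix, patch letter, status).
 * Layout from 3.0:   0xMNN00PP0 (major, minor, patch); same bit positions. */
static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major = (unsigned)((v >> 28) & 0xF);
    r.minor = (unsigned)((v >> 20) & 0xFF);
    r.fix   = (unsigned)((v >> 12) & 0xFF);
    r.patch = (unsigned)((v >> 4) & 0xFF);
    return r;
}

/* Pre-3.0 releases encode the trailing letter as 1='a' .. 26='z'; 0 = none. */
static char ossl_patch_letter(unsigned long v)
{
    struct ossl_ver r = ossl_decode(v);
    if (r.major >= 3 || r.patch == 0 || r.patch > 26)
        return 0;
    return (char)('a' + r.patch - 1);
}

/* 1 when the guarded SSL_library_init()/SSL_load_error_strings() calls
 * would still be compiled in, 0 when the library initialises itself. */
static int needs_explicit_init(unsigned long v)
{
    return v < OSSL_1_1_0;
}

int main(void)
{
    /* Constructed sample values: 1.0.2u, 1.1.0 (threshold), 1.1.1, 3.0.9 */
    unsigned long samples[] = { 0x1000215fUL, 0x10100000UL,
                                0x1010100fUL, 0x30000090UL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ossl_ver r = ossl_decode(samples[i]);
        char l = ossl_patch_letter(samples[i]);
        printf("0x%08lx -> %u.%u.%u%c explicit init: %s\n", samples[i],
               r.major, r.minor, r.major >= 3 ? r.patch : r.fix,
               l ? l : ' ', needs_explicit_init(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```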
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=aa4cf5647cdc9f19c356414e67350ced3334a609

commit aa4cf5647cdc9f19c356414e67350ced3334a609
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 05:34:44 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-31 14:05:07 +0000

libunbound: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update may migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation

lib/libunbound/Makefile | 1 +
1 file changed, 1 insertion(+)
Created attachment 242520
0001-dumpon-Request-the-OpenSSL-1.1-API.patch

The patch attached takes care of dumpon in a more resilient way, by avoiding an API call to a function deprecated in OpenSSL 1.1.
I have created a new pull-up request candidate in GitHub for this issue, this time targeting the release of OpenSSL 3.0.9: https://github.com/freebsd/freebsd-src/pull/760
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=caf98b9d13b68f2c41aba263fada63dbe1ed197e

commit caf98b9d13b68f2c41aba263fada63dbe1ed197e
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 17:09:27 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-06-02 14:00:48 +0000

dumpon: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update may migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Pull request: https://github.com/freebsd/freebsd-src/pull/757
Sponsored by: The FreeBSD Foundation

sbin/dumpon/Makefile | 1 +
1 file changed, 1 insertion(+)
(In reply to Pierre Pronchery from comment #15) This is now also in Phabricator at https://reviews.freebsd.org/D40417.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e730066a64e60b3ba39b7143aa40b5ba1e9c3949

commit e730066a64e60b3ba39b7143aa40b5ba1e9c3949
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-06-01 19:07:23 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-06-05 17:48:05 +0000

decryptcore: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update may migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation

sbin/decryptcore/Makefile | 1 +
1 file changed, 1 insertion(+)
commit b077aed33b7b6aefca7b17ddb250cf521f938613
Merge: b08ee10c0646 b84c4564effd
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
Date:   Fri Jun 23 18:53:35 2023 -0400

Merge OpenSSL 3.0.9
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a9dd387057c5df7981e6b0fc8354b3ae305d182

commit 3a9dd387057c5df7981e6b0fc8354b3ae305d182
Author:     Dimitry Andric <dim@FreeBSD.org>
AuthorDate: 2023-07-03 16:58:11 +0000
Commit:     Dimitry Andric <dim@FreeBSD.org>
CommitDate: 2023-07-03 16:58:24 +0000

Stop removing OpenSSL man pages that were revived in 3.0.9

PR: 271615
Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")

ObsoleteFiles.inc | 6 ------
1 file changed, 6 deletions(-)
I noticed that the imported library has

    # ifndef OPENSSL_NO_SM3
    #  define OPENSSL_NO_SM3
    # endif

in configuration.h. What's the rationale for this? I now bumped into a port that calls EVP_sm3 functions and it is impossible to build on FreeBSD 14-15.
(In reply to Gleb Popov from comment #21) When importing OpenSSL 3 in the base system, I used the same options as the security/openssl-devel port (now security/openssl) did at the time, where I believe SM3 was disabled by default. From what I can tell, the security/openssl31 port also defaults to disabling the SM2, SM3, and SM4 algorithms. We can revisit this if some algorithms should really be available but are disabled by default. FWIW, judging from https://en.wikipedia.org/wiki/SM3_(hash_function) it seems SM3 is "considered similar to SHA-256 in security and efficiency," and originating from China's National Cryptography Administration in 2010.
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9377240725d2d04dbbfa4758828982d25782c923

commit 9377240725d2d04dbbfa4758828982d25782c923
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-05-25 07:26:58 +0000
Commit:     Martin Matuska <mm@FreeBSD.org>
CommitDate: 2024-05-04 11:53:07 +0000

libarchive: Request the OpenSSL 1.1 API

OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices.

This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0.

A future update should migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Reviewed by: emaste
Event: Kitchener-Waterloo Hackathon 202305
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 5a7500dab9b8480dacd5a9b70bad1541391342e4)

lib/libarchive/Makefile.inc | 1 +
1 file changed, 1 insertion(+)