I noticed my Let's Encrypt certificate was about to expire and didn't renew, and after investigating I saw certbot was not running because of py-cryptography. It's looking for the ERR_GET_FUNC symbol, which was deprecated and retired from OpenSSL.

ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"
Even with https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853 ?
(In reply to Mikael Urankar from comment #1) Version 41.0.2 is not affected by this bug. There is no call to ERR_GET_FUNC on it. But anyway, current version was copied to py-cryptography-legacy and it will be affected by that.
Reopening because py-cryptography-legacy is still broken at run-time, which is still broken as of today's ports tree.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=403f201a1461fd26f026f2c8d3e67f1481908362

commit 403f201a1461fd26f026f2c8d3e67f1481908362
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-05-30 09:48:22 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2024-05-30 09:53:54 +0000

    security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat

    py-cryptography-legacy still references functions that have been
    removed in OpenSSL 3.0, and fails to load openssl.abi3.so at run-time
    because it lacks ERR_GET_FUNC (reported) and FIPS_mode (masked by
    first error), and later because py-openssl feeds our
    utils/deprecated() an unsupported name=<some string> keyword argument.

    https://www.openssl.org/docs/man3.0/man7/migration_guide.html
    is the basis for fixes #1 and #2

    removed, because OpenSSL 3.0 removed function codes from the error.
    In our own binding, leave the err_func attribute in, but set it
    to a constant 0.
    (patch-src___cffi* and patch-*binding.py)

    and FIPS_mode_set, which need rework.
    (patch-libressl)

    our utils/deprecated() function does not support, so steal the
    utils function from py-cryptography 42.0.7,1, drop the argument
    and return type annotations for consistency.
    (patch-src_cryptography_utils.py)

    This is sufficient to fix run-time errors for py-certbot on my
    FreeBSD 14.0-RELEASE-p6 amd64 server with Python 3.11, which I set
    to default to py-cryptography-legacy.

    PR:             272935 (and bug linkage will reflect changes in PRs 273770, 272885)
    Approved by:    portmgr@ (just-fix-it blanket approval)
    MFH:            2024Q2

 security/py-cryptography-legacy/Makefile           |  2 +-
 .../py-cryptography-legacy/files/patch-libressl    | 21 +++++++++-------
 .../patch-src___cffi__src_openssl_err.py (new)     | 13 ++++++++++
 ...graphy_hazmat_bindings_openssl_binding.py (new) | 15 ++++++++++++
 .../files/patch-src_cryptography_utils.py (new)    | 28 ++++++++++++++++++++++
 5 files changed, 70 insertions(+), 9 deletions(-)
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c8638b8c2df4eeb2d94d195931794bdb1e3d8e3c

commit c8638b8c2df4eeb2d94d195931794bdb1e3d8e3c
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-05-30 09:48:22 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2024-05-30 10:08:29 +0000

    security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat

    [The main branch commit log was misformatted, sorry for that.]

    py-cryptography-legacy still references functions that have been
    removed in OpenSSL 3.0, and fails to load openssl.abi3.so at run-time
    because it lacks ERR_GET_FUNC (reported) and FIPS_mode (masked by
    first error), both removed with OpenSSL 3.0, and later because
    py-openssl feeds our utils/deprecated() an unsupported
    name=<some string> keyword argument causing Python to raise an
    exception at call.

    https://www.openssl.org/docs/man3.0/man7/migration_guide.html
    is the basis for fixes #1 and #2

    Drop reference to ERR_GET_FUNC, OpenSSL 3.0 removed function codes
    from the error. In our own binding, leave the err_func attribute in,
    but set it to a constant 0.
    (patch-src___cffi* and patch-*binding.py)

    Drop reference to FIPS_mode and FIPS_mode_set, and stop claiming
    FIPS support, which would need a more thorough rework.
    (patch-libressl)

    Also, backport utils/deprecated() from py-cryptography 42.0.7,1,
    to support the new name=... kwarg, drop the annotations for argument
    and return types (for consistency).
    (patch-src_cryptography_utils.py)

    This is sufficient to fix run-time errors for py-certbot on my
    FreeBSD 14.0-RELEASE-p6 amd64 server with Python 3.11, which I set
    to default to py-cryptography-legacy.

    PR:             272935 (and bug linkage will reflect changes in PRs 273770, 272885)
    Approved by:    portmgr@ (just-fix-it blanket approval)
    MFH:            2024Q2

    (cherry picked from commit 403f201a1461fd26f026f2c8d3e67f1481908362)
    (with different PORTREVISION=2 so we don't get in the way of
    port rebuild/upgrade for next quarterly)

 security/py-cryptography-legacy/Makefile           |  2 +-
 .../py-cryptography-legacy/files/patch-libressl    | 21 +++++++++-------
 .../patch-src___cffi__src_openssl_err.py (new)     | 13 ++++++++++
 ...graphy_hazmat_bindings_openssl_binding.py (new) | 15 ++++++++++++
 .../files/patch-src_cryptography_utils.py (new)    | 28 ++++++++++++++++++++++
 5 files changed, 70 insertions(+), 9 deletions(-)
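
Added example (not part of this bug thread or of the port): a pre-renewal check that imports the binding named in the reported error and flags the failure mode described above, so a broken certbot is noticed before the certificate expires. The function names and exit codes are hypothetical; the removed-symbol list and the module path are taken from the report and the commit message.

```python
import importlib
import re

# Symbols this bug report names as removed in OpenSSL 3.0.
REMOVED_IN_OPENSSL_3 = {"ERR_GET_FUNC", "FIPS_mode", "FIPS_mode_set"}

# Matches the FreeBSD form (Undefined symbol "X") and the
# glibc form (undefined symbol: X) of the dynamic-linker message.
_UNDEF = re.compile(
    r'(?P<lib>\S+\.so[\w.]*):\s+[Uu]ndefined symbol:?\s+"?(?P<sym>\w+)"?'
)


def classify_import_error(message):
    """Return (library, symbol, removed_in_openssl3), or None if the
    message is not an undefined-symbol error."""
    m = _UNDEF.search(message)
    if m is None:
        return None
    sym = m.group("sym")
    return m.group("lib"), sym, sym in REMOVED_IN_OPENSSL_3


def check_binding(module="cryptography.hazmat.bindings._openssl"):
    """Import the CFFI binding; return (exit_code, text) for cron or monitoring.
    0 = loads, 1 = other import failure, 2 = OpenSSL 3.0 symbol mismatch."""
    try:
        importlib.import_module(module)
    except ImportError as exc:
        hit = classify_import_error(str(exc))
        if hit and hit[2]:
            return 2, f"{hit[1]} missing from libcrypto, rebuild or patch {hit[0]}"
        return 1, f"binding import failed: {exc}"
    return 0, "binding loads"


# Constructed input: the error text quoted in the report.
SAMPLE = (
    "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/"
    '_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"'
)

if __name__ == "__main__":
    code, text = check_binding()
    print(text)
    raise SystemExit(code)
```

Run it with the same Python interpreter certbot uses, and alert on any non-zero exit.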