Bug 273770

Summary: security/py-cryptography: Run-time error with OpenSSL 3.0
Product: Ports & Packages Reporter: Yasuhiro Kimura <yasu>
Component: Individual Port(s)Assignee: Po-Chuan Hsieh <sunpoet>
Status: Open ---    
Severity: Affects Only Me CC: apevnev, bdrewery, bretislav.kubesa, d.valerevich, danielmrossberg, filis, grahamperrin, kib, mandree, mikael, rozhuk.im, sgs, t.m.guymer
Priority: --- Flags: bugzilla: maintainer-feedback? (sunpoet)
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://www.freshports.org/security/py-cryptography/
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272935
Bug Depends on: 273961    
Bug Blocks:    

Description Yasuhiro Kimura freebsd_committer freebsd_triage 2023-09-14 02:59:36 UTC 
If I run certbot on 15-CURRENT amd64, run-time error happens as following.

yasu@rolling-vm-freebsd5[1004]% uname -a
FreeBSD rolling-vm-freebsd5.home.utahime.org 15.0-CURRENT FreeBSD 15.0-CURRENT amd64 1500000 #0 main-n265240-16218618101: Tue Sep 12 05:16:41 JST 2023     rootz@rolling-vm-freebsd5.home.utahime.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
yasu@rolling-vm-freebsd5[1005]% certbot
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
yasu@rolling-vm-freebsd5[1006]%

And different run-time error happens if I install certbot with 'DEFAULT_VERSIONS+=ssl=openssl30' and run it on 13.2-RELEASE amd64.

yasu@rolling-vm-freebsd6[1002]% uname -a
FreeBSD rolling-vm-freebsd6.home.utahime.org 13.2-RELEASE-p3 FreeBSD 13.2-RELEASE-p3 GENERIC amd64
yasu@rolling-vm-freebsd6[1003]% certbot
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"
yasu@rolling-vm-freebsd6[1004]%
Comment 1 Mikael Urankar freebsd_committer freebsd_triage 2023-09-14 08:03:43 UTC 
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853#c98
Comment 2 Andrey Pevnev 2023-09-23 17:55:52 UTC 
I have this issue too while running certbot
  File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"

$ ldd /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so
/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libssl.so.111 => /usr/lib/libssl.so.111 (0x16975c81e000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x16975cbc1000)
        libthr.so.3 => /lib/libthr.so.3 (0x16975cff9000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x16975da66000)
        libc.so.7 => /lib/libc.so.7 (0x16975a111000)

Even though
$ cat /etc/make.conf
DEFAULT_VERSIONS+=ssl=openssl31
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2023-09-23 22:44:02 UTC 
(In reply to Yasuhiro Kimura from comment #0)

On 15-CURRENT the error is fixed fix base 1a18383a52bc.

(In reply to Andrey Pevnev from comment #2)

I applied attachment 245049 [details] of bug #273961 to ports tree and now
_rust.abi3.so is correctly linked with libcrypto.so and libssl.so from security/openssl30 port.


yasu@rolling-vm-freebsd5[1009]% ldd /usr0/freebsd/ports/work/usr/ports/security/py-cryptography/work-py39/stage/usr/local/lib
/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so 
/usr0/freebsd/ports/work/usr/ports/security/py-cryptography/work-py39/stage/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libssl.so.12 => /usr/local/lib/libssl.so.12 (0x288ee7fb5000)
        libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x288ee8b8a000)
        libthr.so.3 => /lib/libthr.so.3 (0x288eea308000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x288ee9f88000)
        libc.so.7 => /lib/libc.so.7 (0x288ee3a23000)
yasu@rolling-vm-freebsd5[1010]% 


But runtime error still happens and it changes to the one that is same as 15-CURRENT before base 1a18383a52bc.
Comment 4 B.K. 2023-10-26 08:41:04 UTC 
On 13.2-RELEASE-p4 FreeBSD seems facing this issue as well.
Does the base needs to be fixed as well for 13.2 ?
Thank you.
Comment 5 Konstantin Belousov freebsd_committer freebsd_triage 2023-10-28 05:01:11 UTC 
(In reply to B.K. from comment #4)
13.2 needs to link to the right libraries, for start.  I see
solo% ldd /usr/local/lib/python3.11/site-packages/cryptography/hazmat/bindings/_rust.abi3.so      
/usr/local/lib/python3.11/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libssl.so.111 => /usr/local/lib/compat/libssl.so.111 (0x801484000)
        libcrypto.so.111 => /usr/local/lib/compat/libcrypto.so.111 (0x8020b6000)
        libthr.so.3 => /lib/libthr.so.3 (0x80151b000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801549000)
        libc.so.7 => /lib/libc.so.7 (0x801083000)
while EVP_default_properties_is_fips_enabled is 3.0 symbol.

I have ssl=openssl in make.conf for pourdriere.
Comment 6 Dmitry 2023-11-05 10:57:09 UTC 
Now at this time - FreeBSD 13.2. everything is installed from the latest ports.

# certbot
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.7.4', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "EVP_default_properties_is_fips_enabled"
Comment 7 Konstantin Belousov freebsd_committer freebsd_triage 2023-11-05 11:05:29 UTC 
ssl=openssl does not work for many important ports. Short list from my w/s

gstreamer1-plugins-bad is missing a required shared library: libcrypto.so.111
gstreamer1-plugins-good is missing a required shared library: libcrypto.so.111
hexchat is missing a required shared library: libssl.so.111
libevent is missing a required shared library: libssl.so.111
libevent is missing a required shared library: libcrypto.so.111
libnice is missing a required shared library: libcrypto.so.111
pkg is missing a required shared library: libssl.so.111
pkg is missing a required shared library: libcrypto.so.111
poudriere is missing a required shared library: libcrypto.so.111
pulseaudio is missing a required shared library: libcrypto.so.111
py311-cryptography is missing a required shared library: libssl.so.111
py311-cryptography is missing a required shared library: libcrypto.so.111
wavpack is missing a required shared library: libcrypto.so.111
Comment 8 Dmitry 2023-11-06 09:45:54 UTC 
Temporary...

# cd /usr/ports/devel/py-pip/ && make install clean
# pip install "cryptography==40.0.2"

if you roll back cryptography lo 40.0.2 - then cerbot works - perhaps something was done in the fips check
Comment 9 Dmitry 2023-11-06 10:40:55 UTC 
(In reply to Konstantin Belousov from comment #7)

I have so:
make.conf
DEFAULT_VERSIONS+=ssl=openssl
DEFAULT_VERSIONS+=perl5=5.36
DEFAULT_VERSIONS+=python=3.9 python3=3.9

Doesn't it work if you rebuild with the latest fresh ports?
Comment 10 Ivan Rozhuk 2023-11-07 13:42:14 UTC 
Use this workaround: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961#c58
Or this patch: https://bz-attachments.freebsd.org/attachment.cgi?id=245049
Or both :)

But for me it does not link with libressl 3.8.2 - need changes from upstream (py-cryptography) to support 3.8x.
With libressl 3.7 - ok.
Comment 11 Daniel_R 2023-11-10 09:29:51 UTC 
Certbot works now for me on FreeBSD 13.2 with today's ports.  However, I had to manually rebuild security/py-cryptography.
Comment 12 B.K. 2023-12-09 21:11:11 UTC 
@c(In reply to Dmitry from comment #8)

Thank you, reverting back to cryptography-40.0.2 works. I was hoping that latest  cryptography 41.0.7 would help but it did not.
Comment 13 Bryan Drewery freebsd_committer freebsd_triage 2024-01-29 17:52:54 UTC 
With py39-cryptography-41.0.4,1 on 14.0-RELEASE-p4 With "DEFAULT_VERSIONS+=ssl=openssl":

--- <exception caught here> ---
  File "/usr/local/lib/python3.9/site-packages/twisted/application/app.py", line 446, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/usr/local/lib/python3.9/site-packages/twisted/application/service.py", line 404, in loadApplication
    application = sob.loadValueFromFile(filename, "application")
  File "/usr/local/lib/python3.9/site-packages/twisted/persisted/sob.py", line 177, in loadValueFromFile
    eval(codeObj, d, d)
  File "<private>", line 2, in <module>
    from twisted.internet import protocol, ssl
  File "/usr/local/lib/python3.9/site-packages/twisted/internet/ssl.py", line 60, in <module>
    from OpenSSL import SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/usr/local/lib/python3.9/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
builtins.ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "FIPS_mode"


Failed to load application: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so: Undefined symbol "FIPS_mode"
Comment 14 Bryan Drewery freebsd_committer freebsd_triage 2024-01-29 18:00:19 UTC 
(In reply to Yasuhiro Kimura from comment #3)

I have the referenced base change and it doesn't help me.
Comment 15 Bryan Drewery freebsd_committer freebsd_triage 2024-01-29 18:42:03 UTC 
When I switch from openssl111 to openssl30 then it works as expected. Is a fix to openssl111 missing?

/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_rust.abi3.so:
        libssl.so.12 => /usr/local/lib/libssl.so.12 (0xc907a9b5000)
        libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0xc907c90f000)
Comment 16 Bryan Drewery freebsd_committer freebsd_triage 2024-01-29 19:56:10 UTC 
I think my problem (on 2023Q4) is actually https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273961

# pkg-config openssl --libs --path
/usr/libdata/pkgconfig/openssl.pc

Comparing the logs of a working py39-cryptography the working one has a proper `-L native=/usr/local/lib` in the openssl_sys crate build lines.

So ignore my updates.