Created attachment 222657 [details] stack trace Hello, I am using certbot to manage Let's Encrypt certificates, but I noticed that, after upgrading py37-openssl to latest version in ports, that it is crashing with attached stacktrace. It looks like that 20.0 version requires py-cryptography at least 3.2 [1], while we only have 2.9.2 in the ports tree [2] [1] https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst [2] https://www.freshports.org/security/py-cryptography/ Please let me know if you need anything else. Thaak you
Before we can upgrade to this version we also need a recent py-cryptography package version (3.3.x or 3.4.y) so I feel this bug also depends on 252208 :)
For what it's worth: I'm also seeing this with various applications trying to use pyopenssl after upgrading. Some more related issues: * #252208 - security/py-cryptography: Update to 3.3.1 * #252209 - security/py-openssl: Update to 20.0.1 * #253730 - security/py-openssl: Revert back to 19.1.0
1. Since 20.0.0 pyOpenSSL requires cryptography 3.2 or later. 2. Since 3.2 cryptography dropped support of OpenSSL 1.0.2, meaning that it can't be built with FreeBSD 11. 3. Furthermore pyOpenSSL itself also dropped support of OpenSSL 1.0.2 since 20.0.0. 4. So the solution is to revert security/py-openssl back to 19.1.0 and wait for the EoL of FreeBSD 11 on September 30th. 5. I submitted bug #253730 for it.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253778 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253756
If the issue with py-cryptography becoming dependent on a rust toolchain is a blocker, then a compromise might be to update py-cryptography to version 3.3.2 (Released on 2021-02-07) which is the last version before the rust dependency was introduced. See: https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst Note that was also a security fix / workaround for CVE-2020-36242, CVE-2021-23840 -- but those could also be fixed by upgrading to openssl-1.1.1j
Fixed in https://svnweb.freebsd.org/changeset/ports/566534