Bug 253711 - security/py-openssl issues while running certbot after 20.0.1 upgrade
Summary: security/py-openssl issues while running certbot after 20.0.1 upgrade
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
Depends on: 252208 253730
Reported: 2021-02-20 05:11 UTC by Alessandro Sagratini
Modified: 2021-02-25 13:52 UTC

See Also:

stack trace (1.84 KB, text/plain)
2021-02-20 05:11 UTC, Alessandro Sagratini

Description Alessandro Sagratini 2021-02-20 05:11:24 UTC
Created attachment 222657: stack trace

I am using certbot to manage Let's Encrypt certificates, but I noticed that, after upgrading py37-openssl to the latest version in ports, it is crashing with the attached stack trace.

It looks like the 20.0 version requires py-cryptography at least 3.2 [1], while we only have 2.9.2 in the ports tree [2].

[1] https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst
[2] https://www.freshports.org/security/py-cryptography/

Please let me know if you need anything else.
Thank you
Comment 1 Alessandro Sagratini 2021-02-21 05:37:38 UTC
Before we can upgrade to this version we also need a recent py-cryptography package version (3.3.x or 3.4.y) so I feel this bug also depends on 252208 :)
Comment 2 Fredrik Eriksson 2021-02-21 10:03:32 UTC
For what it's worth: I'm also seeing this with various applications trying to use pyopenssl after upgrading.

Some more related issues:
 * #252208 - security/py-cryptography: Update to 3.3.1 
 * #252209 - security/py-openssl: Update to 20.0.1 
 * #253730 - security/py-openssl: Revert back to 19.1.0
Comment 3 Yasuhiro Kimura 2021-02-21 11:36:02 UTC
1. Since 20.0.0 pyOpenSSL requires cryptography 3.2 or later.
2. Since 3.2 cryptography dropped support of OpenSSL 1.0.2, meaning that it can't be built with FreeBSD 11.
3. Furthermore pyOpenSSL itself also dropped support of OpenSSL 1.0.2 since 20.0.0.
4. So the solution is to revert security/py-openssl back to 19.1.0 and wait for the EoL of FreeBSD 11 on September 30th.
5. I submitted bug #253730 for it.
Comment 5 Matthew Seaman freebsd_committer 2021-02-23 10:40:52 UTC
If the issue with py-cryptography becoming dependent on a rust toolchain is a blocker, then a compromise might be to update py-cryptography to version 3.3.2 (Released on 2021-02-07) which is the last version before the rust dependency was introduced. See: https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst

Note that it was also a security fix / workaround for CVE-2020-36242, CVE-2021-23840 -- but those could also be fixed by upgrading to openssl-1.1.1j.
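The version constraints spelled out in Comment 3 and Comment 5 are easy to get wrong by hand when several ports move at once, so here is an added preflight script that applies them to a given pyOpenSSL / cryptography / OpenSSL triple (example code written for this page; it is not part of this bug, of the ports tree, or of pyOpenSSL's own code). The constraints are exactly the ones stated in the thread; the names parse_version, check_compat, needs_rust and installed_versions are mine, the sample triples are constructed, and the live probe assumes that the OpenSSL the Python ssl module is linked against is the same library the two ports were built against.

```python
"""Pre-upgrade compatibility check for the pyOpenSSL / cryptography / OpenSSL triple.

Constraints encoded below are the ones stated in this bug thread:
  * pyOpenSSL >= 20.0.0 requires cryptography >= 3.2
  * cryptography >= 3.2 no longer builds against OpenSSL 1.0.2 (needs >= 1.1)
  * pyOpenSSL >= 20.0.0 itself dropped OpenSSL 1.0.2 as well
  * cryptography 3.3.2 is the last version that builds without a Rust toolchain
"""
import re
import ssl
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '20.0.1', '3.3.2' or an OpenSSL string such as '1.1.1j' into an int tuple.

    OpenSSL patch letters are dropped on purpose: '1.0.2u' -> (1, 0, 2). The
    thread's constraints only care about the 1.0.2 vs 1.1 boundary.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def check_compat(pyopenssl: str, cryptography: str, openssl: str) -> List[str]:
    """Return human-readable problems for the triple; an empty list means it is usable."""
    po = parse_version(pyopenssl)
    cr = parse_version(cryptography)
    ssl_v = parse_version(openssl)
    problems: List[str] = []
    if po >= (20, 0) and cr < (3, 2):
        problems.append(f"pyOpenSSL {pyopenssl} needs cryptography >= 3.2, found {cryptography}")
    if cr >= (3, 2) and ssl_v < (1, 1):
        problems.append(f"cryptography {cryptography} needs OpenSSL >= 1.1, found {openssl}")
    if po >= (20, 0) and ssl_v < (1, 1):
        problems.append(f"pyOpenSSL {pyopenssl} needs OpenSSL >= 1.1, found {openssl}")
    return problems


def needs_rust(cryptography: str) -> bool:
    """True when building this cryptography version needs a Rust toolchain (anything after 3.3.2)."""
    return parse_version(cryptography) > (3, 3, 2)


def installed_versions() -> Optional[Tuple[str, str, str]]:
    """Read the versions present in this interpreter, or None if either package is missing.

    Assumption: the OpenSSL that Python's ssl module links against is the one the
    two packages were built against (true for a plain FreeBSD ports install, not
    necessarily for a virtualenv using wheels with bundled OpenSSL).
    """
    try:
        import OpenSSL
        import cryptography
    except ImportError:
        return None
    openssl = ".".join(str(n) for n in ssl.OPENSSL_VERSION_INFO[:3])
    return OpenSSL.__version__, cryptography.__version__, openssl


if __name__ == "__main__":
    # Constructed samples mirroring the thread: the broken state after the 20.0.1
    # port update, the revert proposed in #253730, the 3.3.2 compromise, and the
    # 3.3.2 compromise on a FreeBSD 11 box still on OpenSSL 1.0.2.
    samples = [
        ("20.0.1", "2.9.2", "1.1.1i"),
        ("19.1.0", "2.9.2", "1.0.2u"),
        ("20.0.1", "3.3.2", "1.1.1j"),
        ("20.0.1", "3.3.2", "1.0.2u"),
    ]
    live = installed_versions()
    if live is not None:
        samples.append(live)
    for triple in samples:
        problems = check_compat(*triple)
        rust = " (needs Rust to build)" if needs_rust(triple[1]) else ""
        print(f"pyOpenSSL {triple[0]} / cryptography {triple[1]} / OpenSSL {triple[2]}{rust}")
        for p in problems or ["ok"]:
            print(f"  {p}")
```

Run it on the host before pulling the updated ports: if the live triple prints anything other than "ok", the upgrade will reproduce the certbot crash from the attachment, and the Rust flag tells you whether the "3.3.2 compromise" from Comment 5 is the version to pin.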
Comment 6 Dima Panov freebsd_committer 2021-02-25 13:52:13 UTC
Fixed in https://svnweb.freebsd.org/changeset/ports/566534