Environment: make.conf: DEFAULT_VERSIONS+= ssl=openssl

After upgrading matrix-synapse and its dependencies, the server fails to start.

Logfile:
matrix pkg[26938]: py39-twisted upgraded: 22.4.0 -> 22.10.0
matrix root[37561]: /usr/local/etc/rc.d/synapse: WARNING: failed to start synapse

Backtrace ... ends with:
AttributeError: module 'OpenSSL.SSL' has no attribute 'TLS_METHOD'

Crude workaround: I changed 2 files to make synapse start again. This may not be well tested.

vim /usr/local/lib/python3.9/site-packages/twisted/internet/_sslverify.py
line 1492
-self.method = SSL.TLS_METHOD
+self.method = SSL.TLSv1_2_METHOD
line 1807
- SSL.TLS_METHOD,
+ SSL.TLSv1_2_METHOD,

vim /usr/local/lib/python3.9/site-packages/twisted/internet/ssl.py
line 95
-sslmethod=SSL.TLS_METHOD,
+sslmethod=SSL.TLSv1_2_METHOD,
line 145
-method = SSL.TLS_METHOD
+method = SSL.TLSv1_2_METHOD

An alternate solution may be adding:
${REINPLACE_CMD} -e 's|TLS_METHOD|TLSv1_2_METHOD|' ....

If you pick one of the ways, I will generate a build tested patch.
Created attachment 238467: Fix

Attached patch based on dinoex@'s suggestion fixes the issue for me, and gets my synapse instance up and running again. Thanks!
Related: https://github.com/twisted/twisted/issues/11778
Affects many consumers. @Wen If this can't be resolved quickly, please revert the recent twisted update. We'll use this issue to isolate the root cause(s) and propose the best path forward for the update.
Noting from upstream issue: "Use of TLS_METHOD forces requirement of pyOpenSSL >= 21.0"

Our port is currently at 20.*. It's unlikely we can update py-openssl across the board without extensive consumer port (including runtime) testing for version compatibility for that update first.
Noting also, upstream did the correct thing and updated their minimum openssl package dependency version spec [1], which wasn't verified/updated in the port, which would have failed during QA if it were.

tls = pyopenssl >= 21.0.0

[1] https://github.com/twisted/twisted/blob/twisted-22.10.0/setup.cfg#L75
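The QA gap described in the comment above is that the port's dependency line was never compared with what upstream's setup.cfg now demands. The following is an added example (not code from the Twisted project or the FreeBSD ports tree) of the preflight check a port maintainer could run before committing a version bump: it parses the `[options.extras_require]` block of a setup.cfg, compares each requirement against a snapshot of the versions the ports tree ships, and reports every unmet minimum. The setup.cfg excerpt is reconstructed from the single `tls = pyopenssl >= 21.0.0` line quoted in the thread, the "installed" version dictionaries are constructed for the demonstration, and the version comparison is numeric-only (no pre-release tags).

```python
"""Preflight check: do a ports tree's package versions satisfy the extras a
project declares in setup.cfg?  Added example; the setup.cfg excerpt below is
reconstructed from the one line quoted in the bug thread and the 'installed'
version snapshots are constructed for the demonstration."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Reconstructed excerpt: the framing is the standard setuptools layout for
# extras; the one requirement line is the upstream line quoted in the thread.
SETUP_CFG_EXCERPT = """
[options.extras_require]
tls =
    pyopenssl >= 21.0.0
"""

# Constructed snapshots of what the ports tree ships (20.x per the thread).
PORTS_BEFORE: Dict[str, str] = {"pyopenssl": "20.0.1"}
PORTS_AFTER: Dict[str, str] = {"pyopenssl": "21.0.0"}

# name, comparison operator, numeric version; anything else is rejected loudly
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.0.0' into (21, 0, 0). Numeric-only: pre-release tags are not handled."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad with zeros so '21.0' and '21.0.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_satisfies(installed: str, op: str, wanted: str) -> bool:
    """Evaluate 'installed <op> wanted' on zero-padded numeric tuples."""
    a, b = _pad(parse_version(installed), parse_version(wanted))
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, ">": a > b, "<": a < b}[op]


def parse_extra(cfg_text: str, extra: str) -> List[Tuple[str, str, str]]:
    """Return (package, operator, version) triples declared for one extra."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    specs: List[Tuple[str, str, str]] = []
    for line in cfg.get("options.extras_require", extra).splitlines():
        line = line.strip()
        if not line:
            continue
        match = _SPEC_RE.match(line)
        if match is None:
            raise ValueError(f"unsupported requirement syntax: {line!r}")
        specs.append((match.group(1).lower(), match.group(2), match.group(3)))
    return specs


def unmet_requirements(cfg_text: str, extra: str, installed: Dict[str, str]) -> List[str]:
    """List every declared requirement the given package set does not satisfy."""
    problems: List[str] = []
    for name, op, wanted in parse_extra(cfg_text, extra):
        have = installed.get(name)
        if have is None:
            problems.append(f"{name}: not installed, need {op} {wanted}")
        elif not version_satisfies(have, op, wanted):
            problems.append(f"{name}: have {have}, need {op} {wanted}")
    return problems


def tls_method_available() -> Optional[bool]:
    """Runtime probe for the symbol the new Twisted uses; None if pyOpenSSL is absent."""
    try:
        from OpenSSL import SSL  # pyOpenSSL; only present where it is installed
    except ImportError:
        return None
    return hasattr(SSL, "TLS_METHOD")


if __name__ == "__main__":
    for label, ports in (("before", PORTS_BEFORE), ("after", PORTS_AFTER)):
        print(label, unmet_requirements(SETUP_CFG_EXCERPT, "tls", ports) or "ok")
    print("TLS_METHOD present in installed pyOpenSSL:", tls_method_available())
```

Run against the pre-update snapshot the check reports `pyopenssl: have 20.0.1, need >= 21.0.0`, which is exactly the mismatch that surfaced at runtime as the missing `TLS_METHOD` attribute; the runtime probe at the end is the complementary check for an already-installed environment.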
Please go ahead! wen
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e3f34f8a65e6aae0f177b5098b704ca1d0a62c4a

commit e3f34f8a65e6aae0f177b5098b704ca1d0a62c4a
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2022-12-12 14:58:20 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2022-12-12 14:58:20 +0000

    devel/py-twisted: Unbreak OpenSSL support

    Thanks to dinoex@ for suggesting the workaround.

    PR:          268043
    Reported by: dinoex
    Approved by: wen

 devel/py-twisted/Makefile | 5 +++++
 1 file changed, 5 insertions(+)
While this works as a quick-fix, this text replacement is ultimately incorrect. Hardcoding to TLSv1_2_method() locks the connection to TLSv1.2 mode only, which is problematic if higher protocol versions (i.e. TLSv1.3) are mutually available between client and server. The correct solution is to update security/py-openssl to 21.0.0, as TLS_method() was exposed then, and the minimum security/py-cryptography version is 3.3. This commit should then be reverted.
(In reply to Charlie Li from comment #8) Are there any potential failure cases the recent commit didn't take into consideration?
When one of the client or server's minimum configured protocol version is TLSv1.3, the connection fails. Hardcoding TLSv1.2 does not even provide an opportunity for the connection to succeed.
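To make the failure case in the two comments above concrete, here is an added example (not code from Twisted, pyOpenSSL or the ports tree) that models TLS version negotiation as the intersection of the version ranges each side offers. It uses the standard-library `ssl` module to express the two client policies: a version-flexible context, which is what a TLS_method()-style setup gives, and a context pinned to TLSv1.2 only, which is what the TLSv1_2_METHOD substitution produces. Two server policies are paired with each: one whose minimum is TLSv1.3 and one that still accepts TLSv1.2. The code selects the highest version common to both ranges, as a real handshake does, but it does not perform a handshake; it assumes an OpenSSL build with TLSv1.3 support so that the strict server context can be created.

```python
"""Model of TLS version negotiation: the highest version present in both the
client's and the server's offered range, or None when the ranges are disjoint.
Added example; it assumes an OpenSSL build with TLSv1.3 support."""
import ssl
from typing import List, Optional

# Concrete protocol versions in ascending order (the sentinel values
# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are resolved against this list).
ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def offered_versions(ctx: ssl.SSLContext) -> List[ssl.TLSVersion]:
    """Versions a context would offer, derived from its configured min/max."""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ORDERED[0]
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ORDERED[-1]
    return [v for v in ORDERED if low <= v <= high]


def negotiate(client_ctx: ssl.SSLContext, server_ctx: ssl.SSLContext) -> Optional[str]:
    """Highest mutually offered version name, or None when no version overlaps
    (the case where a real handshake fails before any data is exchanged)."""
    common = set(offered_versions(client_ctx)) & set(offered_versions(server_ctx))
    return max(common).name if common else None


def flexible_client() -> ssl.SSLContext:
    """Version-flexible client, the behaviour a TLS_method()-style setup gives:
    offer TLSv1.2 up to the newest version the library supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def pinned_client() -> ssl.SSLContext:
    """Client locked to TLSv1.2 only, the effect of the TLSv1_2_METHOD substitution."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def strict_server() -> ssl.SSLContext:
    """Server whose minimum configured protocol version is TLSv1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def lenient_server() -> ssl.SSLContext:
    """Server that still accepts TLSv1.2 alongside newer versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def report() -> List[str]:
    """One line per client/server pairing, for a quick read of the outcomes."""
    lines = []
    for cname, client in (("flexible", flexible_client), ("pinned-1.2", pinned_client)):
        for sname, server in (("min-1.3 server", strict_server), ("min-1.2 server", lenient_server)):
            outcome = negotiate(client(), server())
            lines.append(f"{cname:10} vs {sname}: {outcome or 'handshake fails'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The pinned client against the TLSv1.3-minimum server yields no common version at all, which is the "does not even provide an opportunity" outcome; the flexible client reaches TLSv1.3 with the same server and falls back to TLSv1.2 only when the peer requires it. Pinning by narrowing `minimum_version`/`maximum_version` on a flexible context, as `pinned_client` does, is also the supported way to restrict versions in modern OpenSSL-based stacks, in contrast to swapping in a version-specific method.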