Date: Mon, 3 Jul 2023 15:27:52 +0200 From: Rainer Hurling <rhurlin@gwdg.de> To: <freebsd-current@freebsd.org> Cc: <kde@FreeBSD.org> Subject: Re: OpenSSL 3.0 is in the tree Message-ID: <a6a3a56d-9176-a1ac-b1ea-a9590df3e0a4@gwdg.de> In-Reply-To: <cf5754b1-4a39-f24e-ff3a-93cde7f4a078@freebsdfoundation.org> References: <CAPyFy2CsxgfQh_Q7gjeDBjrNprfA_MMXgcnQfSmMSjx9-pRRUQ@mail.gmail.com> <203b3fed-6fdd-0a19-72ce-fa2eea891222@madpilot.net> <cf5754b1-4a39-f24e-ff3a-93cde7f4a078@freebsdfoundation.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 29.06.23 um 18:27 schrieb Pierre Pronchery: > Hi Guido, freebsd-current@, > > On 6/29/23 15:14, Guido Falsi wrote: >> On 24/06/23 16:22, Ed Maste wrote: >>> Last night I merged OpenSSL 3.0 to main. This, along with the update >>> to Clang 16 and other recent changes may result in some challenges >>> over the next few days or weeks for folks following -CURRENT, such as >>> ports that need to be updated or unanticipated issues in the base >>> system. >>> >>> We need to get this work done so that we can continue moving on with >>> FreeBSD 14; I apologize for the trouble it might cause in the short >>> term. Please follow up to report any trouble you encounter. >> >> Not sure where to ask this, following up to this announcement looks >> like a reasonable choice. >> >> After updating head to this version I have had some ports provided >> software fail with messages including: "Unable to load legacy provider." >> >> Most of the time I am able to workaround it by forcing newer >> algorithms via some configuration. Some other times I have no direct >> control of what is being asked (like values hardcoded in npm modules)/ >> >> This is also happening to me with node, for example, has happened with >> RDP (looks like windows by default prefers RC4 for RDP sessions), >> where I was able to fix it though. >> >> Question is, does FreeBSD provide this legacy provider module? Or is >> it available via ports or some other solution? Or maybe it can be >> provided via a port? Would make the transition much easier! > > The legacy provider module is part of OpenSSL 3.0, it should be > installed in /usr/lib/ossl-modules/legacy.so alongside fips.so as part Iddd > of the base system. > > It's possible that some programs leveraging capsicum will fail to load > it, if the initialization of legacy algorithms in OpenSSL is performed > past entering capabilities mode (since it now requires a dlopen() to > access the module). > > Let me know if you have any additional details regarding issues with the > module. > > HTH, If this thread is not the appropriate one for my problem, I apologize. I am the maintainer of the graphics/qgis port. Now that my system 14.0-CURRENT is updated to clang16 and OpenSSL-3.0, I get the following abort message when starting qgis: #qgis Failed to load Legacy provider Apparently there is now also a problem with the legacy provider here. As I understand it, QGIS uses the port devel/qca for authorization and encryption, so it is also possible that devel/qca is not able to provide the legacy provider. Therefore I have taken kde@ into CC. Please let me know, if you need more information or some testing. Thanks for your work, Rainer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a6a3a56d-9176-a1ac-b1ea-a9590df3e0a4>