Date: Tue, 28 May 2024 12:25:44 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 279363] security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0 Message-ID: <bug-279363-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D279363 Bug ID: 279363 Summary: security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: acm@FreeBSD.org Reporter: girgen@FreeBSD.org Flags: maintainer-feedback?(acm@FreeBSD.org) Assignee: acm@FreeBSD.org The wazuh-manager uses openssl in python module via _openssl.abi3.so (see below) This fails: Traceback (most recent call last): File "/var/ossec/framework/python/lib/python3.9/site-packages/jose/backends/cryp= tography_backend.py", line 66, in __init__ key =3D load_pem_public_key(key, self.cryptography_backend()) File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazma= t/backends/__init__.py", line 15, in default_backend from cryptography.hazmat.backends.openssl.backend import backend File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazma= t/backends/openssl/__init__.py", line 7, in <module> from cryptography.hazmat.backends.openssl.backend import backend File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazma= t/backends/openssl/backend.py", line 117, in <module> from cryptography.hazmat.bindings.openssl import binding File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazma= t/bindings/openssl/binding.py", line 14, in <module> from cryptography.hazmat.bindings._openssl import ffi, lib ImportError: /var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat= /bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC" and the main reason is that OpenSSL-3.0 is not yet supported by wazuh. Here's where it is linked with libssl.so.3.0: [root@hostname /var/ossec]# ldd framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_= openssl.abi3.so framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_= openssl.abi3.so: libssl.so.30 =3D> /usr/lib/libssl.so.30 (0x3b61fc1b000) libcrypto.so.30 =3D> /lib/libcrypto.so.30 (0x3b620f10000) libthr.so.3 =3D> /lib/libthr.so.3 (0x3b620bba000) libc.so.7 =3D> /lib/libc.so.7 (0x3b61d359000) I made some feeble attempts to fix this by requiring the port to depend on openssl111, but did not succeed: diff --git a/security/wazuh-manager/Makefile b/security/wazuh-manager/Makef= ile index 55f3be186f55..9da69b620cc8 100644 --- a/security/wazuh-manager/Makefile +++ b/security/wazuh-manager/Makefile @@ -1,6 +1,7 @@ PORTNAME=3D wazuh DISTVERSIONPREFIX=3D v DISTVERSION=3D 4.7.3 +PORTREVISION=3D 1 CATEGORIES=3D security MASTER_SITES=3D=20 https://packages.wazuh.com/deps/24/libraries/sources/:wazuh_sources \ LOCAL/acm/${PORTNAME}/:wazuh_cache @@ -26,7 +27,7 @@ LIB_DEPENDS+=3D libgdbm.so:databases/gdbm \ libffi.so:devel/libffi \ libarrow.so:databases/arrow -USES=3D cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 u= idfix +USES=3D cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 u= idfix ssl USE_GITHUB=3D yes GH_TUPLE=3D alonsobsd:wazuh-freebsd:${WAZUH_EXTRAFILE_TAGNAME}:wazuh @@ -144,6 +145,7 @@ ARCH_BASE=3D ${ARCH:S/aarch64/arm64/g} UNAME_r=3D ${_OSRELEASE:tl} FBSD_RELEASE=3D freebsd_${UNAME_r:S/./_/g:S/-/_/g} +#DEFAULT_VERSIONS+=3D ssl=3Dopenssl111 .include <bsd.port.pre.mk> .if ${OSVERSION} >=3D 1300139 && ${OSVERSION} < 1400000 @@ -162,6 +164,10 @@ DISTFILES+=3D=20=20=20=20 ${WAZUH_CACHENAME}${EXTRACT_SUFX}:wazuh_cache IGNORE=3D FreeBSD ${OSVERSION} ${ARCH} is not supported .endif +#.if ${OSVERSION} >=3D 1400092 +#DEFAULT_VERSIONS+=3D ssl=3Dopenssl111 +#.endif + post-extract: .for FILE in ${EXTERNAL_DISTFILES} @cd ${WRKSRC}/src/external && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/${FILE:S/:wazuh_sources//} ${EXTRACT_AFTER_ARGS} The Wasuh team know about the dependency on the old OpenSSL and they are apparently working on it. It will appear in 4.8. Is there a temporary fix or workaround to get it working on FreeBSD-14.0? wazuh is broken now, other th= an waiting for wazuh 4.8? The obvious solution would be to force the port to u= se openssl111, but I failed to get that bit working. Using compat13x is perhaps easier but that would probably require juggling with libmap.conf as well? O= terh ideas? Palle --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-279363-7788>