From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 279363] security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0
Date: Tue, 28 May 2024 12:25:44 +0000
List-Id: Ports bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279363

            Bug ID: 279363
           Summary: security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: acm@FreeBSD.org
          Reporter: girgen@FreeBSD.org
             Flags: maintainer-feedback?(acm@FreeBSD.org)

The wazuh-manager uses openssl in a python module via _openssl.abi3.so (see below). This fails:

Traceback (most recent call last):
  File "/var/ossec/framework/python/lib/python3.9/site-packages/jose/backends/cryptography_backend.py", line 66, in __init__
    key = load_pem_public_key(key, self.cryptography_backend())
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"

and the main reason is that OpenSSL-3.0 is not yet supported by wazuh.

Here's where it is linked with libssl.so.3.0:

[root@hostname /var/ossec]# ldd framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so:
        libssl.so.30 => /usr/lib/libssl.so.30 (0x3b61fc1b000)
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x3b620f10000)
        libthr.so.3 => /lib/libthr.so.3 (0x3b620bba000)
        libc.so.7 => /lib/libc.so.7 (0x3b61d359000)

I made some feeble attempts to fix this by requiring the port to depend on openssl111, but did not succeed:

diff --git a/security/wazuh-manager/Makefile b/security/wazuh-manager/Makef= ile index 55f3be186f55..9da69b620cc8 100644 --- a/security/wazuh-manager/Makefile +++ b/security/wazuh-manager/Makefile @@ -1,6 +1,7 @@ PORTNAME=3D wazuh DISTVERSIONPREFIX=3D v DISTVERSION=3D 4.7.3 +PORTREVISION=3D 1 CATEGORIES=3D security MASTER_SITES=3D=20 https://packages.wazuh.com/deps/24/libraries/sources/:wazuh_sources \ LOCAL/acm/${PORTNAME}/:wazuh_cache 
@@ -26,7 +27,7 @@ LIB_DEPENDS+=3D libgdbm.so:databases/gdbm \ libffi.so:devel/libffi \ libarrow.so:databases/arrow -USES=3D cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 u= idfix +USES=3D cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 u= idfix ssl USE_GITHUB=3D yes GH_TUPLE=3D alonsobsd:wazuh-freebsd:${WAZUH_EXTRAFILE_TAGNAME}:wazuh @@ -144,6 +145,7 @@ ARCH_BASE=3D ${ARCH:S/aarch64/arm64/g} UNAME_r=3D ${_OSRELEASE:tl} FBSD_RELEASE=3D freebsd_${UNAME_r:S/./_/g:S/-/_/g} +#DEFAULT_VERSIONS+=3D ssl=3Dopenssl111 .include .if ${OSVERSION} >=3D 1300139 && ${OSVERSION} < 1400000 @@ -162,6 +164,10 @@ DISTFILES+=3D=20=20=20=20 ${WAZUH_CACHENAME}${EXTRACT_SUFX}:wazuh_cache IGNORE=3D FreeBSD ${OSVERSION} ${ARCH} is not supported .endif +#.if ${OSVERSION} >=3D 1400092 +#DEFAULT_VERSIONS+=3D ssl=3Dopenssl111 +#.endif + post-extract: .for FILE in ${EXTERNAL_DISTFILES} @cd ${WRKSRC}/src/external && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/${FILE:S/:wazuh_sources//} ${EXTRACT_AFTER_ARGS}

The Wazuh team know about the dependency on the old OpenSSL and they are apparently working on it. It will appear in 4.8.

Is there a temporary fix or workaround to get it working on FreeBSD-14.0? wazuh is broken now, other than waiting for wazuh 4.8? The obvious solution would be to force the port to use openssl111, but I failed to get that bit working. Using compat13x is perhaps easier but that would probably require juggling with libmap.conf as well? Other ideas?

Palle
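
Review bot: The `USES=` line in the `@@ -26,7 +27,7 @@` hunk gains `ssl`, but nothing in the patch selects a version for it: both `DEFAULT_VERSIONS+= ssl=openssl111` lines added further down are commented out, so on 14.x the build still resolves to the base library that the ldd output shows (`/usr/lib/libssl.so.30`). It is also worth confirming that `_openssl.abi3.so` is compiled during this port's build rather than unpacked from the `wazuh_cache` distfile; if it is unpacked prebuilt, `USES= ssl` cannot change what it links against.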
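
Review bot: The `#DEFAULT_VERSIONS+= ssl=openssl111` line in the `@@ -144,6 +145,7 @@` hunk is commented out, so it changes nothing and should not go in as dead text. `DEFAULT_VERSIONS` is a site-wide setting meant for make.conf; appending to it inside one port's Makefile would put this port on a different OpenSSL than the rest of the installed packages, including anything in `LIB_DEPENDS` that links libssl. Suggest testing the openssl111 idea from make.conf with the dependencies rebuilt, and dropping this line from the patch.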
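
Review bot: The commented-out block in the `@@ -162,6 +164,10 @@` hunk sits after the `.include` line and after the existing `${OSVERSION}` checks, which is likely too late for `DEFAULT_VERSIONS` to influence `USES= ssl`, so uncommenting it in place would probably have no effect. The `>= 1400092` threshold also leaves 1400000 through 1400091 covered by neither this block nor the existing `< 1400000` branch; a one-line comment saying what 1400092 marks would make the intent checkable. If the block stays disabled, remove it from the patch.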