From nobody Sun Mar 1 10:15:17 2026 X-Original-To: pkg@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fNycQ06SWz6TRbR for ; Sun, 01 Mar 2026 10:15:18 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fNycP6YpFz3lQ2 for ; Sun, 01 Mar 2026 10:15:17 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1772360117; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WfG8aKDzNyl7mqSYms2mX01g8zZj/pf7l9nGcAm9k9Q=; b=Otv5R2cMrtTDtViNp7D93ynEsFEBDlGONQYoP2ImmNVamupL71poKkXYtYhFmyUZlcU6Jo MldFXdXwt5zBrmvBaBGeADopKsJnkI//Bl4K85jU3limGGyZWU9THMVtlJMGri4/VjN/Ng qKez2PBCHJXWOZ/8pavIvROho7GiAFLWzmqdiGHpQFnpUh1Ub0zWwgKu2tMBTvPYzhaxP/ a+QexvimaAU+W7tHjcxABTqa0LDARbhfjCzeqTEfGiQm7PuoFtT/eHMYlcBH6TSyqgE0xv 2mcGJr16b7k2F7nchW1jbZltjuOBSYJoUgSkfxJ2GujBF3fv9bwtegXafhmy7A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1772360117; a=rsa-sha256; cv=none; b=KXfiDWrA494dB8lFh0uCspb9ej8nqSHjaDB3e0lJkDzgrqzr4ONm5jfgiz7QpIipgpbU0r rVX/ZfWC915ps7A3sN3g+xZ4pEZ+n/yq+nx5mmllHOfsPuxPynXjutSGTmPdTiyVwOrc1r xwgqhvWev7WSVrNuim4HRI4PeuDvg+pcDswWzdZdTmGSoMyxDquTcAdkUoC6z/FltGAqiQ 1CLV6AUpMrsVDgQzCZkcXuhUD9Z4w5naW7bjzehnDr+MWrUvIjFeQqTQ7agcXB4vLq42lQ Nfce7xRknBMwvYPovyWZRm1e8UVP0dzgzeVbIOKfACixtk8GxGpBiKORXElFqQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1772360117; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WfG8aKDzNyl7mqSYms2mX01g8zZj/pf7l9nGcAm9k9Q=; b=K/ygQPvrtW2nGnMcC2Vfq6UHMLhnA/SFe0PiqGpJq1FgdRtRXN0p/PJa1WP7vyrdiui/Gr +ljgQ8RW+EmQHBvWa090yy2cx3Yga6l8Xx3ikkkru6TmyRPoM/lwsuJumvYaHUlxd9qvmU dJb4LG1neqszxUORXgEIzEr0W6B69puM0TGbg926LnFlhB9JtZ1UurHVS5bq4/Qwnu255q EAEMw88uwM67AG9J8ARxtcOc7bbEgQYGKBrkwMwUAE1CJx04zxjOZBrNtM5LgTltDWz9RX Rv1oy9SYGFQS81hblud/eaiKpVfF4JGHtOMEstBpRPo5NIRIQdOnbOLLmXSleQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4fNycP5y5BzlSf for ; Sun, 01 Mar 2026 10:15:17 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 621AFHEh003075 for ; Sun, 1 Mar 2026 10:15:17 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 621AFHEN003074 for pkg@FreeBSD.org; Sun, 1 Mar 2026 10:15:17 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pkg@FreeBSD.org Subject: [Bug 280345] ports-mgmt/pkg: pkg segfault when OpenSSL legacy provider is enabled Date: Sun, 01 Mar 2026 10:15:17 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: tphilipp@potion-studios.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: pkg@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Binary package management and package tools discussion List-Archive: https://lists.freebsd.org/archives/freebsd-pkg List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pkg@FreeBSD.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D280345 --- Comment #6 from Tassilo Philipp --- Some more info: - this only happens when the repo url uses scheme https:// or pkg+https:// - this does not depend on the pkg repo in use (e.g. same behaviour if I use= the freebsd pkg repo or an own, custom (poudriere) repo) - this happens when the openssl legacy provider is enabled, despite it not being required (without it it works fine, with only the non-legacy ciphers = and stuff) A pkg -ddd output ends like this (on 14.3 w/ pkg 2.5.1 using the freebsd pkg repo): --------------------- [...] DBG(1)[67534]> (fetch) =3D=3D Info: Reusing existing https: connection with= host pkgmir.geo.freebsd.org DBG(1)[67534]> (fetch) =3D> Send SSL data, 0000000000 bytes (0x00000000) DBG(1)[67534]> (fetch) =3D> Send SSL data, 0000000000 bytes (0x00000000) DBG(1)[67534]> (fetch) =3D> Send header, 0000000166 bytes (0x000000a6) DBG(1)[67534]> (fetch) GET /FreeBSD:14:amd64/latest/data.pkg HTTP/1.1 DBG(1)[67534]> (fetch) Host: pkgmir.geo.freebsd.org DBG(1)[67534]> (fetch) User-Agent: pkg/2.5.1 DBG(1)[67534]> (fetch) Accept: */* DBG(1)[67534]> (fetch) If-Modified-Since: Wed, 25 Feb 2026 10:36:57 GMT DBG(1)[67534]> (fetch) DBG(1)[67534]> (fetch) =3D=3D Info: Request completely sent off DBG(1)[67534]> (fetch) <=3D Recv SSL data, 0000000000 bytes (0x00000000) DBG(1)[67534]> (fetch) <=3D Recv SSL data, 0000000000 bytes (0x00000000) DBG(1)[67534]> (fetch) <=3D Recv header, 0000000027 bytes (0x0000001b) DBG(1)[67534]> (fetch) HTTP/1.1 304 Not Modified DBG(1)[67534]> (fetch) <=3D Recv header, 0000000015 bytes (0x0000000f) DBG(1)[67534]> (fetch) Server: nginx DBG(1)[67534]> (fetch) <=3D Recv header, 0000000037 bytes (0x00000025) DBG(1)[67534]> (fetch) Date: Sun, 01 Mar 2026 09:46:43 GMT DBG(1)[67534]> (fetch) <=3D Recv header, 0000000046 bytes (0x0000002e) DBG(1)[67534]> (fetch) Last-Modified: Wed, 25 Feb 2026 10:36:57 GMT DBG(1)[67534]> (fetch) <=3D Recv header, 0000000024 bytes (0x00000018) DBG(1)[67534]> (fetch) Connection: keep-alive DBG(1)[67534]> (fetch) <=3D Recv header, 0000000025 bytes (0x00000019) DBG(1)[67534]> (fetch) ETag: "699ed0c9-aa86b7" DBG(1)[67534]> (fetch) <=3D Recv header, 0000000033 bytes (0x00000021) DBG(1)[67534]> (fetch) X-Content-Type-Options: nosniff DBG(1)[67534]> (fetch) <=3D Recv header, 0000000033 bytes (0x00000021) DBG(1)[67534]> (fetch) X-XSS-Protection: 1; mode=3Dblock DBG(1)[67534]> (fetch) <=3D Recv header, 0000000029 bytes (0x0000001d) DBG(1)[67534]> (fetch) X-Frame-Options: SAMEORIGIN DBG(1)[67534]> (fetch) <=3D Recv header, 0000000002 bytes (0x00000002) DBG(1)[67534]> (fetch) DBG(1)[67534]> (fetch) =3D=3D Info: Connection #0 to host pkgmir.geo.freebsd.org:443 left intact DBG(1)[67534]> (fetch) CURL> connected to IP 2a02:80:0:3ffd::50:2 Segmentation fault --------------------- Increasing the debug level further does not show any additional connection specific details. A quick test w/ command line ftp/curl recreating the exact same *logged* request as in the debug output, works just fine: --------------------- $ which curl /usr/local/bin/curl $ pkg query %v curl 8.17.0 $ curl --http1.1 -H 'Host: pkgmir.geo.freebsd.org' -H 'User-Agent: pkg/2.5.= 1' -H 'Accept: */*' -H 'If-Modified-Since: Wed, 25 Feb 2026 10:36:57 GMT' --resolve 'pkgmir.geo.freebsd.org:443:[2a02:80:0:3ffd::50:2]' -v 'https://pkgmir < [...] * Established connection to pkgmir.geo.freebsd.org (2a02:80:0:3ffd::50:2 po= rt 443) from 2003:d9:1f4a:d804:7e22:30ff:fe98:aadd port 33538 * using HTTP/1.x > GET /FreeBSD:14:amd64/latest/data.pkg HTTP/1.1 > Host: pkgmir.geo.freebsd.org > User-Agent: pkg/2.5.1 > Accept: */* > If-Modified-Since: Wed, 25 Feb 2026 10:36:57 GMT > * Request completely sent off * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): < HTTP/1.1 304 Not Modified < Server: nginx < Date: Sun, 01 Mar 2026 10:00:39 GMT < Last-Modified: Wed, 25 Feb 2026 10:36:57 GMT < Connection: keep-alive < ETag: "699ed0c9-aa86b7" < X-Content-Type-Options: nosniff < X-XSS-Protection: 1; mode=3Dblock < X-Frame-Options: SAMEORIGIN < * Connection #0 to host pkgmir.geo.freebsd.org:443 left intact --------------------- However, that said: * pkg uses curl statically (deducing this from ldd(1)), whereas ftp uses the libcurl.so, so it's not the same * the request I replayed is the one that also works fine with pkg, whatever= it does after that causes the segfault; that however might not be curl-related, for comparison, a pkg -ddd output without the openssl legacy provider does = not segfault, but also does not provide any more debug output and ends with the same line about curl: --------------------- DBG(1)[77145]> (fetch) GET /FreeBSD:14:amd64/latest/data.pkg HTTP/1.1 DBG(1)[77145]> (fetch) Host: pkgmir.geo.freebsd.org DBG(1)[77145]> (fetch) User-Agent: pkg/2.5.1 DBG(1)[77145]> (fetch) Accept: */* DBG(1)[77145]> (fetch) If-Modified-Since: Wed, 25 Feb 2026 10:36:57 GMT DBG(1)[77145]> (fetch) DBG(1)[77145]> (fetch) =3D=3D Info: Request completely sent off DBG(1)[77145]> (fetch) <=3D Recv SSL data, 0000000000 bytes (0x00000000) DBG(1)[77145]> (fetch) <=3D Recv SSL data, 0000000000 bytes (0x00000000) DBG(1)[77145]> (fetch) <=3D Recv header, 0000000027 bytes (0x0000001b) DBG(1)[77145]> (fetch) HTTP/1.1 304 Not Modified DBG(1)[77145]> (fetch) <=3D Recv header, 0000000015 bytes (0x0000000f) DBG(1)[77145]> (fetch) Server: nginx DBG(1)[77145]> (fetch) <=3D Recv header, 0000000037 bytes (0x00000025) DBG(1)[77145]> (fetch) Date: Sun, 01 Mar 2026 10:07:51 GMT DBG(1)[77145]> (fetch) <=3D Recv header, 0000000046 bytes (0x0000002e) DBG(1)[77145]> (fetch) Last-Modified: Wed, 25 Feb 2026 10:36:57 GMT DBG(1)[77145]> (fetch) <=3D Recv header, 0000000024 bytes (0x00000018) DBG(1)[77145]> (fetch) Connection: keep-alive DBG(1)[77145]> (fetch) <=3D Recv header, 0000000025 bytes (0x00000019) DBG(1)[77145]> (fetch) ETag: "699ed0c9-aa86b7" DBG(1)[77145]> (fetch) <=3D Recv header, 0000000033 bytes (0x00000021) DBG(1)[77145]> (fetch) X-Content-Type-Options: nosniff DBG(1)[77145]> (fetch) <=3D Recv header, 0000000033 bytes (0x00000021) DBG(1)[77145]> (fetch) X-XSS-Protection: 1; mode=3Dblock DBG(1)[77145]> (fetch) <=3D Recv header, 0000000029 bytes (0x0000001d) DBG(1)[77145]> (fetch) X-Frame-Options: SAMEORIGIN DBG(1)[77145]> (fetch) <=3D Recv header, 0000000002 bytes (0x00000002) DBG(1)[77145]> (fetch) DBG(1)[77145]> (fetch) =3D=3D Info: Connection #0 to host pkgmir.geo.freebsd.org:443 left intact DBG(1)[77145]> (fetch) CURL> connected to IP 2a02:80:0:3ffd::50:2 --------------------- Under gdb, this is the backtrace: [...] (gdb) set follow-fork-mode child (gdb) r search blabla Starting program: /usr/local/sbin/pkg search blabla [Attaching after LWP 100953 of process 59697 fork to child LWP 109974 of process 71020] [New inferior 2 (process 71020)] [Detaching after fork from parent process 59697] [Inferior 1 (process 59697) detached] [New LWP 125945 of process 71020] [LWP 125945 of process 71020 exited] Thread 2.1 received signal SIGSEGV, Segmentation fault. Address not mapped to object. [Switching to LWP 109974 of process 71020] 0x0000000800c9b8da in ?? () from /lib/libthr.so.3 (gdb) bt #0 0x0000000800c9b8da in ?? () from /lib/libthr.so.3 #1 0x00000008009bdb69 in CRYPTO_THREAD_read_lock () from /lib/libcrypto.so= .30 #2 0x00000008009ac2bf in ?? () from /lib/libcrypto.so.30 #3 0x00000008009bc773 in ?? () from /lib/libcrypto.so.30 #4 0x00000008009abf52 in OSSL_LIB_CTX_free () from /lib/libcrypto.so.30 #5 0x000000080116f2c6 in ?? () from /usr/lib/ossl-modules/legacy.so #6 0x00000008009ba35d in ?? () from /lib/libcrypto.so.30 #7 0x0000000800b00420 in EVP_CIPHER_free () from /lib/libcrypto.so.30 #8 0x00000008007b9b2a in SSL_CTX_free () from /usr/lib/libssl.so.30 #9 0x000000000059f238 in ?? () #10 0x0000000000594b63 in ?? () #11 0x000000000055f243 in ?? () #12 0x0000000000556cea in ?? () #13 0x000000000055adca in Curl_conn_close () #14 0x00000000005ad0f6 in Curl_cshutdn_terminate () #15 0x00000000005ad620 in Curl_cshutdn_destroy () #16 0x0000000000577372 in curl_multi_cleanup () #17 0x0000000000551f7b in curl_cleanup () #18 0x0000000000519584 in ?? () #19 0x0000000000519463 in pkg_shutdown () #20 0x0000000800e16ec4 in __cxa_finalize () from /lib/libc.so.7 #21 0x0000000800e1746c in exit () from /lib/libc.so.7 #22 0x0000000800d36e3b in __libc_start1 () from /lib/libc.so.7 #23 0x0000000000312484 in _start () Hope this helps --=20 You are receiving this mail because: You are the assignee for the bug.=