From: Enji Cooper (yaneurabeya@gmail.com)
To: FreeBSD-arch list
Cc: bofh@freebsd.org, brnrd@freebsd.org, Cy Schubert, Ed Maste, vishwin@freebsd.org
Date: Mon, 1 May 2023 18:55:09 -0700
Subject: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

Hello,

One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].

I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:

1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
   i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen'ed in a specific order (importing ssl, then importing hazmat's crypto would fail).
   ii. Such ports should be deprecated/marked broken as I've recommended on the 3.0 exp-run PR [4].
2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.

The libraries which would need to be made private are as follows:
- kerberos
- libarchive
- libbsnmp
- libfetch [5]
- libgeli
- libldns
- libmp
- libradius
- libunbound

I realize I'm jumping to a prescribed solution without additional discussion, but I've been doing offline analysis related to uplifting code from OpenSSL 1.x to 3.x over the last several months and this is the general prescribed solution I've come to which is needed for $work. My perspective might have some blind spots, and some of the discussion done over IRC might need to be rehashed here for historical reference/to widen the discussion for alternate solutions that don't have the degree of tunnel vision which the solution I'm employing at $work requires.

I've tried to include some of the previously involved parties so they can chime in.

Thank you,
-Enji

1. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
2. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
3. The reason why it hasn't been upgraded is because newer versions require rustc to build, which apparently doesn't work on QEMU builders due to missing emulation support: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
4. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258413#c15
5. If I remember correctly, some folks suggested that making libfetch private wasn't required since the only port that required it was ports-mgmt/pkg, but I haven't validated this claim.
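One check the clash described in points 1.i and 2 calls for, as an added example that is not from the mail or the FreeBSD project: given ldd(1) output for the shared objects one process will dlopen (for instance Python's _ssl module and py-cryptography's hazmat binding), report when more than one OpenSSL major version would be loaded into that process. The soname-to-major table and the sample ldd listings are constructed assumptions; confirm the sonames on the target system.

```python
import os
import re
import subprocess
from collections import defaultdict

# Sonames as ldd(1) prints them. The mapping is an assumption for this example;
# confirm against the target system: FreeBSD 13 base OpenSSL 1.1.1 -> .111,
# FreeBSD 14 base OpenSSL 3.0 -> .30, ports security/openssl111 -> .1.1.
KNOWN_MAJORS = {"111": 1, "1.1": 1, "30": 3, "3": 3}
_OPENSSL_RE = re.compile(r"\blib(?:ssl|crypto)\.so\.([\d.]+)")


def openssl_majors(ldd_output):
    """Return the set of OpenSSL majors one ldd listing pulls in.
    Unknown soname suffixes are reported as 'unknown:<suffix>', not dropped."""
    return {KNOWN_MAJORS.get(v, "unknown:" + v) for v in _OPENSSL_RE.findall(ldd_output)}


def find_clashes(listings):
    """listings maps module path -> its ldd output, for modules that may be
    dlopen'ed into the same process. Returns {major: [modules]} when more than
    one OpenSSL major appears (the clash the mail describes), else {}."""
    by_major = defaultdict(list)
    for module, text in listings.items():
        for major in openssl_majors(text):
            by_major[major].append(module)
    return dict(by_major) if len(by_major) > 1 else {}


def scan_tree(root):
    """Run ldd over every .so below root, e.g. a Python site-packages tree."""
    listings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".so"):
                path = os.path.join(dirpath, name)
                listings[path] = subprocess.run(["ldd", path], capture_output=True,
                                                text=True).stdout
    return find_clashes(listings)


# Constructed ldd output modelling the mail's scenario: Python's _ssl built
# against base OpenSSL 3, py-cryptography's hazmat binding against 1.1 from ports.
SAMPLE = {
    "lib-dynload/_ssl.cpython-38.so":
        "\tlibssl.so.30 => /usr/lib/libssl.so.30 (0x800200000)\n"
        "\tlibcrypto.so.30 => /lib/libcrypto.so.30 (0x800400000)\n",
    "cryptography/hazmat/bindings/_openssl.abi3.so":
        "\tlibssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x800800000)\n"
        "\tlibcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x800a00000)\n",
}

if __name__ == "__main__":
    print(find_clashes(SAMPLE) or "no OpenSSL major clash")
```

Run scan_tree() against a real site-packages directory to audit an installed Python before switching a box to OpenSSL 3 in base.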