Date:      Wed, 3 May 2023 03:14:43 +0200
From:      Moin Rahman <bofh@freebsd.org>
To:        Enji Cooper <yaneurabeya@gmail.com>
Cc:        FreeBSD-arch list <freebsd-arch@freebsd.org>, Bernard Spil <brnrd@freebsd.org>, Cy Schubert <cy@FreeBSD.org>, Ed Maste <emaste@FreeBSD.org>, vishwin@freebsd.org
Subject:   Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
Message-ID:  <A8A165FF-1C53-40BE-88B8-D18D11F77DDD@freebsd.org>
In-Reply-To: <C6F8DD52-348E-42D8-84DE-B3A399D2606F@gmail.com>
References:  <C6F8DD52-348E-42D8-84DE-B3A399D2606F@gmail.com>


> On May 2, 2023, at 3:55 AM, Enji Cooper <yaneurabeya@gmail.com> wrote:
> 
> Hello,
> 	One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].
> 
> 	I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:
> 	1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
> 		i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen’ed in a specific order (importing ssl, then importing hazmat’s crypto would fail).
> 		ii. Such ports should be deprecated/marked broken as I’ve recommended on the 3.0 exp-run PR [4].
> 	2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.
> 
> 	The libraries which would need to be made private are as follows:
> 	- kerberos
> 	- libarchive
> 	- libbsnmp
> 	- libfetch [5]
> 	- libgeli
> 	- libldns
> 	- libmp
> 	- libradius
> 	- libunbound
> 
> 	I realize I’m jumping to a prescribed solution without additional discussion, but I’ve been doing offline analysis related to uplifting code from OpenSSL 1.x to 3.x over the last several months and this is the general prescribed solution I’ve come to which is needed for $work. My perspective might have some blind spots, and some of the discussion done over IRC might need to be rehashed here for historical reference/to widen the discussion for alternate solutions that don’t have the degree of tunnel vision which the solution I’m employing at $work requires.
> 	I’ve tried to include some of the previously involved parties so they can chime in.
> Thank you,
> -Enji
> 
> 1. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
> 2. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853 .
> 3. The reason why it hasn’t been upgraded is because newer versions require rustc to build, which apparently doesn’t work on QEMU builders due to missing emulation support: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853 .
> 4. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258413#c15
> 5. If I remember correctly, some folks suggested that making libfetch private wasn’t required since the only port that required it was ports-mgmt/pkg, but I haven’t validated this claim.

Hi Enji,

I appreciate your work creating the bugs, but please hold on a moment before you create the bugs. It will slow me down.

While you were wasting your time creating the ticket for nrpe3, I have already updated the port to 4.1.0 to unbreak. So until I have the final list, which you will have by the end of this week, please do not create tickets.

And I have not exactly described the process of what I was doing. The list you are getting in my poudriere might have two possible failure reasons: OpenSSL 3 or LLVM15; and some might be fixed with little intervention and testing. And as it's not possible to ask poudriere not to try BROKEN ports, I have marked some ports as blacklisted which are unfixable or broken for other reasons. If you really would like to create tickets and chase upstream, please do:
find /usr/local/poudriere/ports/default -name Makefile -type f -d 3 -exec grep -E '(BROKEN_SSL\=|IGNORE_SSL\=).*openssl3' {} \+

Thanks for your cooperation.
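The symbol clash Enji describes in the quoted message above (a process that ends up with both an OpenSSL 1.1 and an OpenSSL 3 libcrypto/libssl mapped, e.g. one Python extension module built against each) can be spotted before anything is dlopen'ed by looking at the shared-library dependencies. The script below is an added example written for this thread, not code from either poster or from the FreeBSD project: it reads ldd(1)-style text, collects the distinct OpenSSL library version suffixes, and flags a mix. The sample ldd output is constructed, and the SONAME suffixes used in it (.111 for base 1.1.1, .30 for 3.0) are assumptions for illustration only; the check itself only relies on the lib(crypto|ssl).so.N naming pattern.

```shell
#!/bin/sh
# Added example, not part of the thread: detect a process image that would
# map two different OpenSSL generations at once (the libcrypto/libssl
# symbol clash discussed above). Input is ldd(1)-style text; the samples
# below are constructed and their SONAME numbers are assumptions.

# Constructed ldd output for a hypothetical Python ssl module whose
# interpreter links base OpenSSL 1.1 while a port library drags in 3.0.
SAMPLE_MIXED='/usr/local/lib/python3.8/lib-dynload/_ssl.so:
        libssl.so.111 => /usr/lib/libssl.so.111 (0x800200000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x800400000)
        libpython3.8.so.1.0 => /usr/local/lib/libpython3.8.so.1.0 (0x800800000)
        libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed ldd output for a binary that uses only one OpenSSL generation.
SAMPLE_CLEAN='/usr/bin/fetch:
        libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800200000)
        libssl.so.111 => /usr/lib/libssl.so.111 (0x800400000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x800600000)
        libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Read ldd-style text on stdin and print each distinct OpenSSL library
# version suffix (e.g. "111", "30") exactly once, sorted. The input may be
# the concatenated output of several ldd runs, which is how you model two
# modules being loaded into the same process.
openssl_versions() {
    sed -E -n 's/^[[:space:]]*lib(crypto|ssl)\.so\.([0-9]+) =>.*/\2/p' | sort -u
}

# Count the distinct OpenSSL generations in the text given as $1.
openssl_generation_count() {
    printf '%s\n' "$1" | openssl_versions | awk 'END { print NR }'
}

# Exit status 0 when at most one OpenSSL generation is present, 1 when the
# dependencies mix generations and clashing symbols are to be expected.
openssl_mix_check() {
    n=$(openssl_generation_count "$1")
    if [ "$n" -gt 1 ]; then
        printf 'MIXED: %s OpenSSL generations present: %s\n' "$n" \
            "$(printf '%s\n' "$1" | openssl_versions | tr '\n' ' ')"
        return 1
    fi
    printf 'ok: at most one OpenSSL generation present\n'
    return 0
}

# Demonstration on the constructed samples. On a real system you would pass
# the real output, e.g. openssl_mix_check "$(ldd a.so; ldd b.so)".
for s in "$SAMPLE_MIXED" "$SAMPLE_CLEAN"; do
    if openssl_mix_check "$s"; then :; fi
done
```

Feeding the concatenated ldd output of every extension module an interpreter is expected to import is the useful form of this check, since, as the quoted message notes, the failure only appears once the right mix of modules is loaded in one process.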
