Date: Mon, 1 May 2023 18:55:09 -0700
From: Enji Cooper <yaneurabeya@gmail.com>
To: FreeBSD-arch list <freebsd-arch@freebsd.org>
Cc: bofh@freebsd.org, brnrd@freebsd.org, Cy Schubert <cy@FreeBSD.org>, Ed Maste <emaste@FreeBSD.org>, vishwin@freebsd.org
Subject: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
Message-ID: <C6F8DD52-348E-42D8-84DE-B3A399D2606F@gmail.com>
Hello,

One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].

I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:

1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
   i. If other dependent ports (like lang/python38, etc.) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen'ed in a specific order (importing ssl, then importing hazmat's crypto would fail).
   ii. Such ports should be deprecated/marked broken as I've recommended on the 3.0 exp-run PR [4].
2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.

The libraries which would need to be made private are as follows:
- kerberos
- libarchive
- libbsnmp
- libfetch [5]
- libgeli
- libldns
- libmp
- libradius
- libunbound

I realize I'm jumping to a prescribed solution without additional discussion, but I've been doing offline analysis related to uplifting code from OpenSSL 1.x to 3.x over the last several months and this is the general prescribed solution I've come to which is needed for $work. My perspective might have some blind spots, and some of the discussion was done over IRC and might need to be rehashed here for historical reference/to widen the discussion for alternate solutions that don't have the degree of tunnel vision which the solution I'm employing at $work requires.

I've tried to include some of the previously involved parties so they can chime in.

Thank you,
-Enji

1. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
2. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
3. The reason why it hasn't been upgraded is because newer versions require rustc to build, which apparently doesn't work on QEMU builders due to missing emulation support: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
4. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258413#c15
5. If I remember correctly, some folks suggested that making libfetch private wasn't required since the only port that required it was ports-mgmt/pkg, but I haven't validated this claim.
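Added example (not part of Enji's message or of the FreeBSD tree): a check for the failure mode in point 1.i, where one Python process ends up loading extension modules linked against two different OpenSSL builds. It parses ldd(1) output per module and reports any libcrypto/libssl family that would be loaded under more than one soname; the sample listings, sonames and paths below are constructed for illustration.

```python
"""Flag shared objects that would pull two OpenSSL builds into one process
(the 1.x/3.x symbol clash from the proposal).  Added example, not project code."""
import re
import subprocess
from collections import defaultdict

# Matches the "name => path (addr)" lines printed by ldd(1) on FreeBSD.
_LDD_LINE = re.compile(r"^\s*(lib(?:crypto|ssl))\.so\.([\w.]+)\s*=>\s*(\S+)")


def parse_ldd(ldd_output):
    """Return {(family, soname, path)} for the OpenSSL libraries in one listing."""
    found = set()
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            family, version, path = m.groups()
            found.add((family, f"{family}.so.{version}", path))
    return found


def find_openssl_mix(listings):
    """listings: {module_path: ldd_output}.  Returns {family: {soname: [modules]}}
    for every family that would be loaded under more than one distinct soname."""
    by_family = defaultdict(lambda: defaultdict(list))
    for module, out in listings.items():
        for family, soname, _path in parse_ldd(out):
            by_family[family][soname].append(module)
    return {fam: dict(v) for fam, v in by_family.items() if len(v) > 1}


def scan(modules):
    """Run ldd(1) over real files; returns the same shape as find_openssl_mix."""
    listings = {m: subprocess.run(["ldd", m], capture_output=True, text=True).stdout
                for m in modules}
    return find_openssl_mix(listings)


# Constructed sample: the interpreter's _ssl module against the base OpenSSL and a
# py-cryptography module against a ports OpenSSL.  Sonames and paths are illustrative.
SAMPLE = {
    "/usr/local/lib/python3.8/lib-dynload/_ssl.so":
        "\tlibssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)\n"
        "\tlibcrypto.so.111 => /lib/libcrypto.so.111 (0x800c00000)\n"
        "\tlibc.so.7 => /lib/libc.so.7 (0x801000000)\n",
    "/usr/local/lib/python3.8/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so":
        "\tlibssl.so.12 => /usr/local/lib/libssl.so.12 (0x800a00000)\n"
        "\tlibcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800c00000)\n"
        "\tlibc.so.7 => /lib/libc.so.7 (0x801000000)\n",
}

if __name__ == "__main__":
    for family, sonames in find_openssl_mix(SAMPLE).items():
        print(f"{family}: {len(sonames)} different builds would be loaded")
        for soname, mods in sonames.items():
            print(f"  {soname}: {', '.join(mods)}")
```

Whether the clash actually bites still depends on load order and RTLD_GLOBAL binding, as the message notes; an empty result means the modules at least agree on one build.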