Date: Thu, 29 Jun 2023 18:27:31 +0200 From: Pierre Pronchery <pierre@freebsdfoundation.org> To: freebsd-current@freebsd.org Subject: Re: OpenSSL 3.0 is in the tree Message-ID: <cf5754b1-4a39-f24e-ff3a-93cde7f4a078@freebsdfoundation.org> In-Reply-To: <203b3fed-6fdd-0a19-72ce-fa2eea891222@madpilot.net> References: <CAPyFy2CsxgfQh_Q7gjeDBjrNprfA_MMXgcnQfSmMSjx9-pRRUQ@mail.gmail.com> <203b3fed-6fdd-0a19-72ce-fa2eea891222@madpilot.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Guido, freebsd-current@, On 6/29/23 15:14, Guido Falsi wrote: > On 24/06/23 16:22, Ed Maste wrote: >> Last night I merged OpenSSL 3.0 to main. This, along with the update >> to Clang 16 and other recent changes may result in some challenges >> over the next few days or weeks for folks following -CURRENT, such as >> ports that need to be updated or unanticipated issues in the base >> system. >> >> We need to get this work done so that we can continue moving on with >> FreeBSD 14; I apologize for the trouble it might cause in the short >> term. Please follow up to report any trouble you encounter. > > Not sure where to ask this, following up to this announcement looks like > a reasonable choice. > > After updating head to this version I have had some ports provided > software fail with messages including: "Unable to load legacy provider." > > Most of the time I am able to workaround it by forcing newer algorithms > via some configuration. Some other times I have no direct control of > what is being asked (like values hardcoded in npm modules)/ > > This is also happening to me with node, for example, has happened with > RDP (looks like windows by default prefers RC4 for RDP sessions), where > I was able to fix it though. > > Question is, does FreeBSD provide this legacy provider module? Or is it > available via ports or some other solution? Or maybe it can be provided > via a port? Would make the transition much easier! The legacy provider module is part of OpenSSL 3.0, it should be installed in /usr/lib/ossl-modules/legacy.so alongside fips.so as part of the base system. It's possible that some programs leveraging capsicum will fail to load it, if the initialization of legacy algorithms in OpenSSL is performed past entering capabilities mode (since it now requires a dlopen() to access the module). Let me know if you have any additional details regarding issues with the module. HTH, -- Pierre Pronchery
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cf5754b1-4a39-f24e-ff3a-93cde7f4a078>