HEADS UP: security/openssl default is now openssl30

-20231014:
- AFFECTS: users of security/openssl and security/openssl30
- AUTHOR: brnrd@FreeBSD.org
-
- The openssl port was renamed to openssl111 and subsequently the
- openssl30 port was renamed to openssl.
-
- The shared library version of OpenSSL has been bumped.
-
- Users of DEFAULT_VERSIONS= ssl=openssl30 must update this to
- ssl=openssl.
- Users of DEFAULT_VERSIONS= ssl=openssl should not change this unless
- they use ports that require the deprecated OpenSSL 1.1.1 version.
-
- You must rebuild all ports that depend on OpenSSL if you use OpenSSL
- from ports.
 
This compiles fine,
Code:
mariadb1011-client-10.11.4     Multithreaded SQL database (client)
mariadb1011-server-10.11.4     Multithreaded SQL database (server)
 
I upgraded OpenSSL to 3.0 and then it was not possible to upgrade ftp/curl.

I had to:

portmaster -o security/openssl111 security/openssl

add to /etc/make.conf:

DEFAULT_VERSIONS+=ssl=openssl111

and then I upgraded ftp/curl
 
Now I will try the following commands to see if curl, php, etc. work:


portmaster -o security/openssl security/openssl111

sed -i "" -e "s/ssl=openssl111/ssl=openssl/g" /etc/make.conf

portmaster --no-confirm -f -D openssl
 
MySQL 5.7 is the only thing so far that I need to “fix” (almost past time to upgrade to 8 anyway) out of what I usually have on servers - not seen any problems with PHP or Apache or curl but YMMV.
 
My installation of Apache httpd went down after restart. New installation of httpd-2.4.57 from source breaks at the make.
Code:
/usr/local/share/apr/build-1/libtool --silent --mode=link cc         -L/usr/lib -L/usr/local/lib -L/usr/local/lib/db18   -o ab  ab.lo       -L/usr/local/lib -R/usr/local/lib -laprutil-1 -ldb-18.1 -lgdbm -lexpat -L/usr/local/lib -R/usr/local/lib -lapr-1 -lcrypt -lpthread -lm -L/usr/local/lib -lssl -lcrypto -lcrypt -lpthread
ld: error: undefined symbol: EVP_PKEY_get_bits
>>> referenced by ab.c
>>>               ab.o:(ssl_proceed_handshake)
>>> referenced by ab.c
>>>               ab.o:(ssl_proceed_handshake)
>>> referenced by ab.c
>>>               ab.o:(ssl_proceed_handshake)
>>> referenced 3 more times

ld: error: undefined symbol: EVP_PKEY_get_id
>>> referenced by ab.c
>>>               ab.o:(ssl_proceed_handshake)
>>> referenced by ab.c
>>>               ab.o:(ssl_proceed_handshake)
cc: error: linker command failed with exit code 1 (use -v to see invocation)
*** Error code 1

Stop.
 
That's missing quite a bit of information.

Anything in /etc/make.conf related to OpenSSL?

How are you building it?

What did you do recently? Any upgrades?

Did you read the bit from the first post about rebuilding all ports?
 
Oh yeah, sorry. I did a curl reinstall the other day from ports and that had the latest openssl as a dependency so I'm on 30 now. In /etc/make.conf it states DEFAULT_VERSIONS+=ssl=openssl. I manually removed all remaining references to libssl.so.111.

My configuration of httpd-2.4.57 ran smoothly.
Code:
./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --with-expat=builtin --with-ssl=/usr/local/lib

The make produced the above-mentioned error.
 
I don't think you can pick and choose to have a bit of OpenSSL here and there - you've got to rebuild ALL ports that rely on OpenSSL. With Apache you might have to rebuild apr but rapidly getting out of my depth!
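
Added example, not part of any post in this thread: one way to find which installed binaries still need a rebuild is to scan `ldd` output for an old OpenSSL soname or for an OpenSSL library that no longer resolves. The function names are hypothetical, the suffix `111` is taken from the `libssl.so.111` mentioned above, and the sample `ldd` output (paths, addresses, `libcrypto.so.12`) is constructed.

```shell
#!/bin/sh
# find_stale_ssl OLD_SUFFIX   (hypothetical helper, added example)
# Reads ldd output on stdin; prints "object<TAB>library<TAB>status".
find_stale_ssl() {
    awk -v old="$1" '
        # A line without "=>" that ends in ":" names the object being listed.
        !/=>/ && /:$/ { obj = substr($0, 1, length($0) - 1); next }
        # Dependency line: "<lib> => <path> (<addr>)" or "<lib> => not found (0)".
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so\./ {
            if ($3 == "not" && $4 == "found")     status = "missing"
            else if ($1 ~ ("\\.so\\." old "$"))   status = "old"
            else                                  next
            printf "%s\t%s\t%s\n", obj, $1, status
        }
    '
}

# Constructed sample in the layout FreeBSD ldd prints (all values made up).
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800261000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800312000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x8003a6000)
/usr/local/bin/rsync:
    libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800289000)
    libc.so.7 => /lib/libc.so.7 (0x8006a1000)
/usr/local/sbin/httpd:
    libssl.so.111 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x8006a1000)
EOF
}

# Demo on the constructed sample. On a real host, feed it live output instead:
#   ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null | find_stale_ssl 111
sample_ldd | find_stale_ssl 111
```

Anything reported as `old` or `missing` belongs to a port that has not yet been rebuilt against the new default.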
 
Installed packages to be REMOVED:
libchk: 1.10.3
mariadb106-server: 10.6.14
openssl: 3.0.11,1
rsync: 3.2.7
ruby: 3.1.4_1,1

libchk is deinstalled, the other ports are reinstalled. Tried to configure without the --with-ssl=/usr/local/lib option, but the make-error in httpd-2.4.57 persists.
 
Certbot stopped working and reinstall went havoc:

pycertbot freebsd RuntimeError: OpenSSL 3.0's legacy provider failed to load.

Did some searching and ran
Code:
export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
and ran into the next error:

AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

Re-reinstallation of python39 from ports helped on this one.

Now running certbot after a successful reinstall results in

File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 3279, in <module>
_lib.OpenSSL_add_all_algorithms()
AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

Any suggestions (other than "use pkg") warmly welcomed.
 
Think there are issues with Python and certbot quite often; this error was reported a few months ago:


I don't use certbot so can't say if the above will help or not.
 
You may also want to look at this:


(But getting a bit off-topic now for OpenSSL upgrade information).
 
Thanks for your suggestions! Reinstallation of rust did not help; I guess it's more of a python-issue than an OpenSSL-upgrade-issue too, but all this is triggered by the OpenSSL update so I guess it won't harm things to mention it here. I'm currently looking into acme.sh because to be honest py-certbot has been counter-intuitive and annoying since day 1. I have till December 23 until my certs expire... ;)

FFR: A reinstall of security/py-openssl/ & security/py-cryptography happens to solve this issue.
 