lang/python27 _ssl.so: Undefined symbol "SSLv3_method"

[sko]

lang/python27 failed today in my weekly poudriere builds on 12.4-RELEASE with latest *and* quarterly ports

I know this thing is ancient and should rot in hell, but some ports still depend on that cruft (in my case FreeCAD, bhyve-firmware and nexctcloud-client).

Here are the (i think) relevant parts of the logfile:

building '_ssl' extension
cc -fPIC -fno-strict-aliasing -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -DNDEBUG -I. -IInclude -I./Include -I/usr/local/include -I/wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Include -I/wrkdirs/usr/ports/lang/python27/work/Python-2.7.18 -c /wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Modules/_ssl.c -o build/temp.freebsd-12.4-RELEASE-p5-amd64-2.7/wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Modules/_ssl.o
In file included from /wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Modules/_ssl.c:47:
In file included from /wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Modules/socketmodule.h:59:
In file included from /usr/include/bluetooth.h:54:
/usr/include/netgraph/bluetooth/include/ng_btsocket.h:244:2: warning: "Make sure new member of socket address initialized" [-W#warnings]
#warning "Make sure new member of socket address initialized"
 ^
1 warning generated.
cc -shared -lpthread -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-strong -lpthread -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-strong -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -I/usr/local/include -I/usr/local/include build/temp.freebsd-12.4-RELEASE-p5-amd64-2.7/wrkdirs/usr/ports/lang/python27/work/Python-2.7.18/Modules/_ssl.o -L/usr/local/lib -L. -lssl -lcrypto -lpython2.7 -o build/lib.freebsd-12.4-RELEASE-p5-amd64-2.7/_ssl.so
*** WARNING: renaming "_ssl" since importing it failed: build/lib.freebsd-12.4-RELEASE-p5-amd64-2.7/_ssl.so: Undefined symbol "SSLv3_method"

[...]

===>  Building package for python27-2.7.18_2
pkg-static: Unable to access file /wrkdirs/usr/ports/lang/python27/work/stage/usr/local/lib/python2.7/lib-dynload/_ssl.so:No such file or directory
*** Error code 1

Looking back through the logs, python27 was last queued and built at july 24th with the same version (2.7.18_2), and since then there were no updates to the port. So most likely updates to OpenSSL might have caused this? The official packages for FreeBSD:12:amd64 were build on 5.9.2023, since then security/openssl was updated to 1.1.1w,1.

Wild guess: as 1.1.1w is the final version of 1.1.1 there have been some changes/additions to simplify the transition to OpenSSL v3 and the ancient python27 build process doesn't play well with that? (in other words, I *really* hope "SSLv3_method" is referring to something OpenSSLv3 related, not to SSLv3 which is thankfully dead and gone for several years now...)

 

[SirDice]

since then security/openssl was updated to 1.1.1w,1.

Irrelevant as ports are almost exclusively[*] linked to OpenSSL in the base, not the port. At least by default. So unless you've set DEFAULT_VERSIONS+= ssl=openssl, the security/openssl port is irrelevant.

[*] There are only a few ports that are hardcoded to use the openssl or libressl ports.

 

[sko]

Should have mentioned it: yes, I'm using OpenSSL from ports. Here's the full make.conf poudriere uses for one of the bulk jobs where python27 fails to build:

# cat latest-desktop-make.conf 
OPTIONS_UNSET+= DBUS PULSE PULSEAUDIO ATK_BRIDGE JACK ALSA AKONADI AVAHI TEST MYSQLI MYSQL BASH BASH_COMPLETION NLS THAI LDAP ZSH SAMBA SMB
OPTIONS_SET+=OPTIMIZED_CFLAGS CPUFLAGS PGSQL SNDIO WAYLAND
DEFAULT_VERSIONS+=ssl=openssl
DEFAULT_VERSIONS+=php=83
OSS=on
PULSEAUDIO=off
DBUS=off
PGSQL=on
MYSQL=off
MYSQLI=off

 

[sko]

I ran a bulk job on the company build host (13.2-RELEASE) yesterday and python27 was built successfully - with the same port options and makefile, on both jails (FreeBSD:12:amd64 and FreeBSD:13:amd64) and for both ports trees (quarterly and latest).

On my private build host running 12.4-RELEASE it consistently fails for both ports trees.
However, running the build job directly on the host within the poudriere ports tree (/usr/local/poudriere/ports/latest/lang/python27) and using the specific make.conf poudriere uses ( setenv __MAKE_CONF /usr/local/etc/poudriere.d/latest-desktop-make.conf && make package) succeeds.


build jail is up to date:

# poudriere jails -l
FreeBSD:12:amd64 12.4-RELEASE-p5 amd64 http   2023-09-12 16:16:09 /usr/local/poudriere/jails/FreeBSD_12_amd64

ports trees are up to date:

# poudriere ports -l
latest    git+https 2023-09-12 13:05:32 /usr/local/poudriere/ports/latest
quarterly git+https 2023-09-12 16:16:14 /usr/local/poudriere/ports/quarterly

but poudriere still won't build the port:

# poudriere bulk -C -j FreeBSD:12:amd64 -p latest -z desktop lang/python27
[00:00:00] Creating the reference jail... done
[00:00:00] Mounting system devices for FreeBSD:12:amd64-latest-desktop
[00:00:00] Mounting ports/packages/distfiles
[00:00:00] Stashing existing package repository
[00:00:00] Mounting ccache from: /usr/local/poudriere/data/cache/ccache
[00:00:00] Mounting packages from: /usr/local/poudriere/data/packages/FreeBSD:12:amd64-latest-desktop
[00:00:00] Copying /var/db/ports from: /usr/local/etc/poudriere.d/latest-desktop-options
[00:00:01] Appending to make.conf: /usr/local/etc/poudriere.d/make.conf
[00:00:01] Appending to make.conf: /usr/local/etc/poudriere.d/latest-desktop-make.conf
/etc/resolv.conf -> /usr/local/poudriere/data/.m/FreeBSD_12_amd64-latest-desktop/ref/etc/resolv.conf
[00:00:01] Starting jail FreeBSD:12:amd64-latest-desktop
[00:00:01] Will build as nobody: (65534:65534)
[00:00:02] Logs: /usr/local/poudriere/data/logs/bulk/FreeBSD:12:amd64-latest-desktop/2023-09-13_08h37m14s
[00:00:02] WWW: https://pkg.thu.de.rostwald.de/build.html?mastername=FreeBSD:12:amd64-latest-desktop&build=2023-09-13_08h37m14s
[00:00:02] Loading MOVED for /usr/local/poudriere/data/.m/FreeBSD_12_amd64-latest-desktop/ref/usr/ports
[00:00:03] Ports supports: FLAVORS SELECTED_OPTIONS
[00:00:03] Gathering ports metadata
[00:00:03] Calculating ports order and dependencies
[00:00:03] (-C) Cleaning specified packages to build
[00:00:03] (-C) Flushing package deletions
[00:00:04] Sanity checking the repository
[00:00:04] Checking packages for incremental rebuild needs
[00:00:06] Deleting stale symlinks... done
[00:00:06] Deleting empty directories... done
[00:00:06] Cleaning the build queue
[00:00:06] Sanity checking build queue
[00:00:06] Processing PRIORITY_BOOST
[00:00:06] Balancing pool
[00:00:06] Recording filesystem state for prepkg... done
[00:00:06] Building 1 packages using 1 builders
[00:00:06] Starting/Cloning builders
[00:00:06] Hit CTRL+t at any time to see build progress and stats
[00:00:06] [01] [00:00:00] Building lang/python27 | python27-2.7.18_2
[00:01:04] [01] [00:00:58] Saved lang/python27 | python27-2.7.18_2 wrkdir to: /usr/local/poudriere/data/wrkdirs/FreeBSD:12:amd64-latest-desktop/latest/python27-2.7.18_2.tbz
[00:01:04] [01] [00:00:58] Finished lang/python27 | python27-2.7.18_2: Failed: package
[00:01:04] Stopping 1 builders
[00:01:04] No package built, but repository needs to be created
[00:01:04] Creating pkg repository
Creating repository in /tmp/packages: 100%
Packing files for repository: 100%
[00:01:18] Committing packages to repository: /usr/local/poudriere/data/packages/FreeBSD:12:amd64-latest-desktop/.real_1694587112 via .latest symlink
[00:01:18] Removing old packages
[00:01:18] Failed ports: lang/python27:package
[FreeBSD:12:amd64-latest-desktop] [2023-09-13_08h37m14s] [committing:] Queued: 1  Built: 0  Failed: 1  Skipped: 0  Ignored: 0  Tobuild: 0   Time: 00:01:16
[00:01:18] Logs: /usr/local/poudriere/data/logs/bulk/FreeBSD:12:amd64-latest-desktop/2023-09-13_08h37m14s
[00:01:18] WWW: https://buildhost.lan/build.html?mastername=FreeBSD:12:amd64-latest-desktop&build=2023-09-13_08h37m14s
[00:01:18] Cleaning up
[00:01:18] Unmounting file systems

I also tried flushing and re-building security/openssl with the same results for lang/python27.

Those two poudriere installs use the same poudriere.conf and the individual <portstree>-<set>-make.conf files (pulled from a git repo). Jails and ports trees are on the same version/commit.
The only obvious difference is the host OS version, which *shouldn't* make a difference, *especially* because building the port on the host itself succeeds...


I currently have no Idea what else to try. As a temporary workaround I just copied the built packages from the 13.2 host to my private package repository.

 

[covacat]

in base openssl SSLv3_method is a function
in openssl 1.1.1w is a define/macro so no symbol is generated. so somehow it looks like _ssl.so is compiled with base includes and linked with ports libs

 

[sko]

in base openssl SSLv3_method is a function
in openssl 1.1.1w is a define/macro so no symbol is generated. so somehow it looks like _ssl.so is compiled with base includes and linked with ports libs

And how can this be resolved? From what I can get from the logs, the ssl module and _ssl.so comes from the python distfile - so it should be the same on both hosts (I also cleared out the distfiles at some point).

Or more importantly: why did this start to fail now? When searching for python and "Undefined symbol SSLv3_method" one gets *A LOT* of results (also for SSLv2), but mostly they are handled with by mocking around with pip. Overall it seems this has been a constant source of failures in python and several python modules, not only version 2.7... (one more reason to avoid python like the plague it is...)

 

[sko]

This problem still persists - that 12.4-RELEASE host is no longer able to build python27 from both ports trees (quarterly and latest) while on 13.2-RELEASE with the same makefile and port options it builds successful (for 13.2-RELEASE and 12.4-RELEASE).

 

[sko]

I did some more digging today and somehow I had the incorrect assumption that anything ssl related to the build comes with the distfiles. But at the start of the log there is actually some openssl stuff being copied from /usr/local after installing openssl from ports...

Long story short:
adding this to the <portstree>-<set>-make.conf solves it:

.if ${.CURDIR:M*/lang/python27}
DEFAULT_VERSIONS+=ssl=base
.endif

Altough I still don't know why this only affects the 12.4-RELEASE buildhost but not the one running 13.2-RELEASE, which is also building packages for 12.4-RELEASE...