Solved OpenSSL 1.0.2 End-of-Life 2019-12-31 - openssl-1.0.2 (from distcache.FreeBSD.org) 404 not found. - Error code 1

Hey everyone.

I just attempted an install of openssl to install an SSL apache/mail certificate (RapidSSL) and it had a vulnerability stop error. I updated the ports tree and attempted a re-install to find the following error:

Code:
root@sharpenyoursword:/usr/ports/security/openssl # make install clean
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

OpenSSL 1.0.2 is End-of-Life 2019-12-31 at which  time this port will update to 1.1.1 branch.

It is scheduled to be removed on or after 2019-12-31.

===>  License OpenSSL accepted by the user
===>   openssl-1.0.2u,1 depends on file: /usr/local/sbin/pkg - found
=> openssl-1.0.2u.tar.gz doesn't seem to exist in /usr/ports/distfiles/openssl-1.0.2.
=> Attempting to fetch http://www.openssl.org/source/openssl-1.0.2u.tar.gz
openssl-1.0.2u.tar.gz                                 5229 kB 2841 kBps    01s
=> 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch doesn't seem to exist in /usr/ports/distfiles/openssl-1.0.2.
=> Attempting to fetch http://git.alpinelinux.org/cgit/aports/plain/main/openssl1.0/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
fetch: http://git.alpinelinux.org/cgit/aports/plain/main/openssl1.0/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch: Not Found
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
fetch: http://distcache.FreeBSD.org/ports-distfiles/openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch: Not Found
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/openssl-1.0.2 and try again.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/openssl
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssl
root@sharpenyoursword:/usr/ports/security/openssl #

I manually went to the URL to find 404 not found with NGINX splash.

Does anyone know how to resolve this?
 
This is from https://www.openssl.org/source/
Rich (BB code):
Note: The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version,
supported until 11th September 2023. Our previous LTS version (1.0.2 series) will continue to be supported
until 31st December 2019 (security fixes only during the last year of support). All users of 1.0.2 are
encouraged to upgrade to 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security
fixes beyond 31st December 2019 is available. The 0.9.8, 1.0.0, 1.0.1 and 1.1.0 versions are now out of
support and should not be used.
Does anyone know how to resolve this?
Install security/openssl111.
 
T-Daemon,

Thank you for always being so helpful! This was a solve! :)

Best Regards and God Bless!
 
Note that 1.1.1d is in FreeBSD 12.1 base, so depending on what version of FreeBSD and how you are building things that require OpenSSL you may or may not require the port.

If you've built anything linked to 1.0.2t then you may need to rebuild with 1.1.1. And if using the ports version, you may need something like this in /etc/make.conf

Code:
DEFAULT_VERSIONS+=ssl=openssl111

On FreeBSD 12.1, the base openssl is

Code:
% /usr/bin/openssl version
OpenSSL 1.1.1d-freebsd  10 Sep 2019

And if you install the port, it's here:

Code:
% /usr/local/bin/openssl version
OpenSSL 1.1.1d  10 Sep 2019

So at the moment - both versions are the same, but as time goes on, the ports version might be newer (as happened with FreeBSD 11).
 
richardtoohey2,

Thank you for this detailed post. I have been building ports using "make install clean" and I had apache, nginx, php installed prior to realizing I had openSSL issues. I am using FreeBSD 12.1 and some examples include the following notice since I installed it:

Code:
root@sharpenyoursword:/usr/ports/sysutils/ezjail # make install clean
/!\ WARNING /!\

You have security/openssl111 installed but do not have
DEFAULT_VERSIONS+=ssl=openssl111 set in your make.conf

Does this mean that dovecot, postfix and ezjail need re-installation?

Also, I just learned today how to reset configuration options using the following commands:

Code:
make rmconfig-recursive
from this thread.

I also replied back to the other thread that you are helping me with here.

Regarding the setting options in make.conf (is this a global make.conf)? Still relatively new to FreeBSD and wasn't ever a Linux expert. I am unsure how to manually edit this file for port building since I do not know if it changes every port installation that I choose to build, or if this is a global for all installations with this specific flag "DEFAULT_VERSIONS+=ssl=openssl111".

Thank you again sir!
 
I edited /etc/make.conf and added the following code:

Code:
DEFAULT_VERSIONS+=ssl=openssl111

then ran the following commands:

Dovecot: /usr/ports/mail/dovecot:

Code:
make deinstall
make rmconfig-recursive
make install clean

Postfix: /usr/ports/mail/postfix:

Code:
make deinstall
make rmconfig-recursive
make install clean

Ezjail: /usr/ports/sysutils/ezjail

Code:
make deinstall
make rmconfig-recursive
make install clean

All without errors now! Thank you for that, richardtoohey2!
 
Great; you might want to restart the services or the machine to make sure everything is correctly loaded.

pkg info can tell you dependencies - e.g. on a test machine I can do this to see what depends on the openssl111 port:

Code:
% pkg info -r openssl111
openssl111-1.1.1d:
    python27-2.7.17_1
    python36-3.6.9_3
    php73-openssl-7.3.12
    php73-ftp-7.3.12
    postgresql11-client-11.6
    mysql56-server-5.6.45
    cyrus-sasl-2.1.27
    apache24-2.4.41
    mysql56-client-5.6.45
    libzip-1.5.2
    libevent-2.1.11
    apr-1.7.0.1.6.1
    curl-7.67.0
    libarchive-3.4.0,1
So from that you might want to also rebuild Apache and PHP (if you ticked the OPENSSL option.) And nginx as well.

You can use which and ldd to find out where the executable files are and which libraries they are linked to.

e.g.
Code:
% ldd /usr/local/lib/php/20180731/openssl.so
/usr/local/lib/php/20180731/openssl.so:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x80069e000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
    libthr.so.3 => /lib/libthr.so.3 (0x800733000)
So I can see my PHP's openssl module is linked to /usr/local/lib/libssl.so which is the port version. Anything linked to /usr/lib/libssl.so will be linked to the base OpenSSL binary (which is currently 1.1.1d as well.)
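
To run the `ldd` check described above across many binaries at once, the following added example (not part of the original post, and not a FreeBSD tool) parses `ldd` output and labels each libssl/libcrypto link as base, ports or missing. The function names and the sample objects other than the PHP module are constructed, and treating `libssl.so.11` as the expected port soname is an assumption taken from the output shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: libssl.so.11 is the soname
# of the openssl111 port, as the ldd output quoted in the thread shows.

# stdin: ldd output; $1: expected ports libssl soname (optional).
# Prints: object <TAB> library <TAB> origin <TAB> status
classify_openssl_links() {
    awk -v want="${1:-libssl.so.11}" '
        # "/path/to/object:" header line starts a new object
        NF == 1 && /:$/ { obj = substr($0, 1, length($0) - 1); next }
        # "libssl.so.N => /resolved/path (0xaddr)" or "=> not found (0)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not")                      origin = "missing"
            else if ($3 ~ /^\/usr\/local\/lib\//) origin = "ports"
            else if ($3 ~ /^(\/usr)?\/lib\//)     origin = "base"
            else                                  origin = "other"
            status = "ok"
            if (origin == "missing") status = "rebuild"
            if (origin == "ports" && $1 ~ /^libssl/ && $1 != want) status = "rebuild"
            printf "%s\t%s\t%s\t%s\n", obj, $1, origin, status
        }'
}

# Unique objects that should be rebuilt against the current OpenSSL.
needs_rebuild() {
    classify_openssl_links "$@" | awk -F '\t' '$4 == "rebuild" { print $1 }' | sort -u
}

# Constructed sample: the first object is the one quoted in the thread,
# the other two are made-up paths for illustration.
sample_ldd() {
    cat <<'EOF'
/usr/local/lib/php/20180731/openssl.so:
    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x80069e000)
    libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x80024a000)
/usr/local/sbin/example-stale:
    libssl.so.9 => not found (0)
    libcrypto.so.9 => not found (0)
/usr/bin/example-base:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800255000)
EOF
}

sample_ldd | classify_openssl_links
```

On a real host, pipe live output into it instead of the sample, for example `ldd /usr/local/sbin/* 2>/dev/null | needs_rebuild`.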
 
richardtoohey2,

Thank you so much for that valuable info!

I now have the proper packages reinstalled with openssl! :)
 