Upgrade path from openssl111 to opensssl3

[Xavier]

Hi,

Now that OpenSSL 3.0 is mature, I plan to upgrade from OpenSSL 1.1.1, using portupgrade and removing DEFAULT_VERSIONS+=ssl=openssl111form make.conf

I intend to try these commands

# vi /etc/make.conf ==> remove DEFAULT_VERSIONS+=ssl=openssl111 # REBUILD=$(pkg query %ro openssl111) # portugrade -vf -o security/openssl security/openssl111 # portupgrade -vf $REBUILD

Is this the right way ?

Regards,

Xavier

 

[SirDice]

On FreeBSD 14.0 and higher OpenSSL in the base is at 3.0.x. So on 14.x I would suggest just using the base OpenSSL.

Don't need to do portugrade -vf -o security/openssl security/openssl111. Just rebuild everything that depended on openssl111. After that you can remove security/openssl111.

 

[Xavier]

Thanks SirDice
Unfortunately I'm stuck with 13-STABLE, my hardware experiments random panics with FreeBSD 14
Regards

 

[Erichans]

Unfortunately I'm stuck with 13-STABLE, my hardware experiments random panics with FreeBSD 14

Could you elaborate on that?
With what FreeBSD -RELEASE or -STABLE (14.0 or 14.1) did you experience panics and under what circumstances?
Was that perhaps in connection with a graphics driver?

 

[Xavier]

It was when 14-STABLE was branched, it panicked just after booting, vmm was involved iirc. I tend to blame faulty RAM (ECC, though), but not sure. COMPAT_13X was activated in kernel, obviously
I was able to rebuild a 13-STABLE source tree in single user mode, fortunately
No graphic driver involved, AFAIK, it is a cli only server. FWIW, here is my /boot/loader.conf

kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
zfs_load="YES"
linux_load="NO"
accf_http_load="YES"
vmm_load="YES"
nmdm_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
kldload accf_data_load="YES"
vfs.zfs.arc_max=4294967296
vfs.zfs.prefetch_disable=0
fuse_load="YES"
filemon_load="YES"
hint.ahcich.ada4.pm_level=5
ipmi_load="YES"
smbios_load="YES"
ums_enable="YES"
coretemp_load="YES"
screen.textmode="1"
pptdevs="10/0/0"
hw.vmm.amdvi.enable=1

 

[SirDice]

if_bridge_load="YES" 
if_tap_load="YES"

Don't need these.

kldload accf_data_load="YES"

That's an error.

Anyway, if you're on 13.x you should set DEFAULT_VERSIONS+= ssl=openssl. If you remove the ssl default_version the base OS version of OpenSSL will be used. On 13.x that's still at 1.1.1.

 

[Erichans]

It was when 14-STABLE was branched, it panicked just after booting, vmm was involved iirc. I tend to blame faulty RAM (ECC, though), but not sure.

14-STABLE was branched quite some time ago: 14-STABLE branch - 2023-08-24

It is of course your assessment of environment needs and your decision to stay on supported FreeBSD 13 or switch to 14; with ZFS on root you have the comfortable option of Boot Environments (BEs) for testing.

As for possible faulty ECC RAM: I don't know the specifics on FreeBSD's reporting, but AFAIK ECC errors should have been picked up by the OS and have shown up in the logs.

 

[Xavier]

kldload accf_data_load="YES"

Fixed, missed this, thanks