Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc

In reply to: Enji Cooper : "OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Jan Bramkamp <crest_at_rlwinm.de>
Date: Tue, 02 May 2023 13:42:22 UTC

On 02.05.23 03:55, Enji Cooper wrote:
> Hello,
> One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 
> 3.0 into the base system. This is a must because, in short, OpenSSL 
> 1.1 is no longer supported as of 09/26/2023 [1].
>
> I am proposing OpenSSL be made private along with all dependent 
> libraries, for the following reasons:
> 1. More than a handful of core ports, e.g., security/py-cryptography 
> [2] [3], still do not support OpenSSL 3.0.
> i. If other dependent ports (like lang/python38, etc) move to OpenSSL 
> 3, the distributed modules would break on load due to clashing symbols 
> if the right mix of modules were dlopen’ed in a specific order 
> (importing ssl, then importing hazmat’s crypto would fail).
> ii. Such ports should be deprecated/marked broken as I’ve recommended 
> on the 3.0 exp-run PR [4].
> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in 
> both libraries at runtime impossible without resorting to a number of 
> linker tricks hiding the namespaces using symbol prefixing of public 
> symbols, etc.
>
> The libraries which would need to be made private are as follows:
> - kerberos
> - libarchive
> - libbsnmp
> - libfetch [5]
> - libgeli
> - libldns
> - libmp
> - libradius
> - libunbound

How does this interact with PAM and NSS? According to my understanding 
both PAM and NSS work by loading modules as shared libs into the process 
using them.

As a quick test I ran ldd against the PAM modules included in the 
FreeBSD 13.2 base system and found a lot of them (pam_krb5, pam_ksu, 
pam_passwdqc, pam_radius, pam_ssh, pam_unix and pam_zfs_key) depend on 
the base system OpenSSL. Almost all PAM configurations will (try to) 
used at least one of these modules. As far as I can tell the NSS 
"modules" available in base are all implemented by libc and don't load 
the base OpenSSL (at runtime).

The same problem would also apply in the reverse direction with PAM and 
NSS modules loading OpenSSL from ports into services included in base 
using the base OpenSSL (e.g. sshd).

Are there other mechanisms to watch out for that combine shared libs 
from base and ports at runtime? Are there maintainable solutions in both 
directions?