From: John Baldwin <jhb@FreeBSD.org>
Date: Tue, 2 May 2023 14:24:05 -0700
Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
To: Antoine Brodin, Enji Cooper
Cc: FreeBSD-arch list, bofh@freebsd.org, brnrd@freebsd.org, Cy Schubert, Ed Maste, vishwin@freebsd.org
Message-ID: <12f8559c-d696-5344-98d5-1751d04088af@FreeBSD.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On 5/2/23 2:59 AM, Antoine Brodin wrote:
> On Tue, May 2, 2023 at 1:55 AM Enji Cooper wrote:
>>
>> Hello,
>> One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].
>>
>> I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:
>> 1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
>>    i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen’ed in a specific order (importing ssl, then importing hazmat’s crypto would fail).
>>    ii. Such ports should be deprecated/marked broken as I’ve recommended on the 3.0 exp-run PR [4].
>> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.
>>
>> The libraries which would need to be made private are as follows:
>> - kerberos
>> - libarchive
>> - libbsnmp
>> - libfetch [5]
>> - libgeli
>> - libldns
>> - libmp
>> - libradius
>> - libunbound
>
> In my opinion this is a huge amount of work a few weeks before the
> release. Focusing on updating OpenSSL and those core ports may be
> simpler.

This is my view. I think making OpenSSL private is a very huge task, and fraught with peril in ways that haven't been thought about yet (e.g. PAM) and that we can't hold up OpenSSL 3 while we wait for this. Instead, I think we need to be moving forward with OpenSSL 3 in base as-is. We will have to fix ports to work with OpenSSL 3 regardless (though this does make that pain in ports happen sooner). Moving libraries private can happen orthogonally with getting base to work with OpenSSL 3.

-- 
John Baldwin
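The symbol clash the thread describes can be checked for before two builds of libcrypto/libssl end up in the same process. The following is an added example, not code from the thread or from FreeBSD: it parses `nm -D --defined-only` output for two shared libraries and reports the exported symbols they both define. The sample `nm` text is constructed (the addresses and the short symbol lists are made up for the demo); the `nm_dynamic()` helper is an assumed convenience for running it on real files.

```python
"""Find exported-symbol clashes between two shared libraries.

Added example for the OpenSSL 1.1 / 3.0 discussion; not FreeBSD code.
Reads `nm -D --defined-only` output and intersects the global symbols.
"""
import re
import subprocess
from typing import Set

# nm -D lines: "<hex addr> <type> <name>", or "<type> <name>" when undefined.
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")


def exported_symbols(nm_output: str) -> Set[str]:
    """Global defined symbols from nm text (uppercase type = global; U = undefined)."""
    syms = set()
    for line in nm_output.splitlines():
        m = _NM_LINE.match(line.strip())
        if not m:
            continue
        sym_type, name = m.groups()
        if sym_type.isupper() and sym_type != "U":
            # Compare bare names: drop a "@@VERSION" suffix if the toolchain prints one.
            syms.add(name.split("@")[0])
    return syms


def clashing_symbols(nm_a: str, nm_b: str) -> Set[str]:
    """Symbols both libraries export; any hit means a process loading both
    will bind every reference to whichever copy the dynamic linker saw first."""
    return exported_symbols(nm_a) & exported_symbols(nm_b)


def nm_dynamic(path: str) -> str:
    """Assumed helper: run nm on a real library (not used by the constructed sample)."""
    return subprocess.run(["nm", "-D", "--defined-only", path],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output for two libcrypto builds (addresses invented).
LIBCRYPTO_11 = """\
0000000000041a20 T EVP_CIPHER_CTX_new
0000000000041b80 T EVP_CIPHER_CTX_free
0000000000052f00 T RSA_new
0000000000091c00 T SSLeay_version
000000000013a000 D OPENSSL_ia32cap_P
00000000000a0010 t local_helper
"""
LIBCRYPTO_30 = """\
0000000000061a20 T EVP_CIPHER_CTX_new
0000000000061b80 T EVP_CIPHER_CTX_free
0000000000072f00 T RSA_new
00000000000b1c00 T OSSL_PROVIDER_load
000000000015a000 D OPENSSL_ia32cap_P
00000000000c0010 t local_helper
"""

if __name__ == "__main__":
    for sym in sorted(clashing_symbols(LIBCRYPTO_11, LIBCRYPTO_30)):
        print(sym)
```

On a real system, `clashing_symbols(nm_dynamic(a), nm_dynamic(b))` gives the list to look at before deciding whether a port can coexist with the base library in one process.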