List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
From: Moin Rahman
Date: Wed, 3 May 2023 03:14:43 +0200
Cc: FreeBSD-arch list, Bernard Spil, Cy Schubert, Ed Maste, vishwin@freebsd.org
To: Enji Cooper

> On May 2, 2023, at 3:55 AM, Enji Cooper wrote:
>
> Hello,
> One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].
>
> I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:
> 1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
>    i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen’ed in a specific order (importing ssl, then importing hazmat’s crypto would fail).
>    ii. Such ports should be deprecated/marked broken as I’ve recommended on the 3.0 exp-run PR [4].
> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.
>
> The libraries which would need to be made private are as follows:
> - kerberos
> - libarchive
> - libbsnmp
> - libfetch [5]
> - libgeli
> - libldns
> - libmp
> - libradius
> - libunbound
>
> I realize I’m jumping to a prescribed solution without additional discussion, but I’ve been doing offline analysis related to uplifting code from OpenSSL 1.x to 3.x over the last several months and this is the general prescribed solution I’ve come to which is needed for $work.
> My perspective might have some blind spots and some of the discussion done over IRC and might need to be rehashed here for historical reference/to widen the discussion for alternate solutions that don’t have the degree of tunnel vision which the solution I’m employing at $work requires.
> I’ve tried to include some of the previously involved parties so they can chime in.
> Thank you,
> -Enji
>
> 1. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
> 2. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853 .
> 3. The reason why it hasn’t been upgraded is because newer versions require rustc to build, which apparently doesn’t work on QEMU builders due to missing emulation support: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853 .
> 4. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258413#c15
> 5. If I remember correctly, some folks suggested that making libfetch private wasn’t required since the only port that required it was ports-mgmt/pkg, but I haven’t validated this claim.

Hi Enji,

I appreciate your work creating the bugs but please hold on a moment before you create the bugs. It will slow me down.

While you were wasting your time creating the ticket for nrpe3 I have already updated the port to 4.1.0 to unbreak it. So until I have the final list, which you will have by the end of this week, please do not create tickets.

And I have not exactly described the process of what I was doing either. The list you are getting in my poudriere might have two possible failure reasons: OpenSSL 3 or LLVM15; and some might be fixed with little intervention and testing. And as it's not possible to ask poudriere not to try BROKEN ports, I have marked some ports as blacklisted which are unfixable or broken for other reasons.
If you really would like to create tickets and chase upstream please do:

    find /usr/local/poudriere/ports/default -name Makefile -type f -d 3 -exec grep -E '(BROKEN_SSL\=|IGNORE_SSL\=).*openssl3' {} \+

Thanks for your cooperation.
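A portable variant of the find/grep command in the reply above, added here as an example and not part of the original message: for each port whose Makefile lists an openssl3* flavor in BROKEN_SSL or IGNORE_SSL it prints the port origin, the variable and the flagged flavors. The function names, the sample tree and its port names are constructed for illustration, and it assumes one assignment per line with no backslash continuation.

```shell
#!/bin/sh
# Added example; not code from the original message.

# Print "category/port<TAB>VARIABLE<TAB>flavors" for every port Makefile
# (tree/category/port/Makefile, i.e. depth 3 as in the original command)
# whose BROKEN_SSL or IGNORE_SSL value names an openssl3* flavor.
ssl3_flagged_ports() {
    tree=$1
    for mk in "$tree"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        origin=${mk#"$tree"/}
        origin=${origin%/Makefile}
        # The anchored pattern skips BROKEN_SSL_REASON / IGNORE_SSL_REASON.
        awk -v origin="$origin" '
            /^(BROKEN_SSL|IGNORE_SSL)[ \t]*[+?:]?=/ {
                var = $0; sub(/[ \t]*[+?:]?=.*/, "", var)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                if (val ~ /(^|[ \t])openssl3/)
                    printf "%s\t%s\t%s\n", origin, var, val
            }' "$mk"
    done
}

# Build a small constructed ports tree so the function can be run offline.
make_sample_tree() {
    tree=$(mktemp -d)
    for p in net-mgmt/sample-a security/sample-b security/sample-d www/sample-c; do
        mkdir -p "$tree/$p"
    done
    printf 'PORTNAME=\tsample-a\nBROKEN_SSL=\topenssl30\nBROKEN_SSL_REASON=\tconstructed reason\n' \
        > "$tree/net-mgmt/sample-a/Makefile"
    printf 'PORTNAME=\tsample-b\nIGNORE_SSL=\tlibressl\n' \
        > "$tree/security/sample-b/Makefile"
    printf 'PORTNAME=\tsample-d\nIGNORE_SSL=\topenssl30\n' \
        > "$tree/security/sample-d/Makefile"
    printf 'PORTNAME=\tsample-c\nUSES=\tssl\n' \
        > "$tree/www/sample-c/Makefile"
    echo "$tree"
}

sample=$(make_sample_tree)
ssl3_flagged_ports "$sample"   # on a real system, pass the ports tree path instead
rm -rf "$sample"
```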