From: Guido Falsi
Date: Mon, 3 Jul 2023 16:53:10 +0200
Subject: Re: OpenSSL 3.0 is in the tree
To: Rainer Hurling, freebsd-current@freebsd.org
Cc: kde@FreeBSD.org

On 03/07/23 15:27, Rainer Hurling wrote:
> On 29.06.23 at 18:27, Pierre Pronchery wrote:
>>          Hi Guido, freebsd-current@,
>>
>> On 6/29/23 15:14, Guido Falsi wrote:
>>> On 24/06/23 16:22, Ed Maste wrote:
>>>> Last night I merged OpenSSL 3.0 to main. This, along with the update
>>>> to Clang 16 and other recent changes may result in some challenges
>>>> over the next few days or weeks for folks following -CURRENT, such as
>>>> ports that need to be updated or unanticipated issues in the base
>>>> system.
>>>>
>>>> We need to get this work done so that we can continue moving on with
>>>> FreeBSD 14; I apologize for the trouble it might cause in the short
>>>> term. Please follow up to report any trouble you encounter.
>>>
>>> Not sure where to ask this, following up to this announcement looks
>>> like a reasonable choice.
>>>
>>> After updating head to this version I have had some ports provided
>>> software fail with messages including: "Unable to load legacy provider."
>>>
>>> Most of the time I am able to work around it by forcing newer
>>> algorithms via some configuration. Some other times I have no direct
>>> control of what is being asked (like values hardcoded in npm modules).
>>>
>>> This is also happening to me with node, for example, has happened
>>> with RDP (looks like Windows by default prefers RC4 for RDP
>>> sessions), where I was able to fix it though.
>>>
>>> Question is, does FreeBSD provide this legacy provider module? Or is
>>> it available via ports or some other solution? Or maybe it can be
>>> provided via a port? Would make the transition much easier!
>>
>> The legacy provider module is part of OpenSSL 3.0, it should be
>> installed in /usr/lib/ossl-modules/legacy.so alongside fips.so as part
>> of the base system.
>>
>> It's possible that some programs leveraging capsicum will fail to load
>> it, if the initialization of legacy algorithms in OpenSSL is performed
>> past entering capabilities mode (since it now requires a dlopen() to
>> access the module).
>>
>> Let me know if you have any additional details regarding issues with
>> the module.
>>
>> HTH,
>
> If this thread is not the appropriate one for my problem, I apologize.
>
> I am the maintainer of the graphics/qgis port. Now that my system
> 14.0-CURRENT is updated to clang16 and OpenSSL-3.0, I get the following
> abort message when starting qgis:
>
> #qgis
> Failed to load Legacy provider
>
> Apparently there is now also a problem with the legacy provider here. As
> I understand it, QGIS uses the port devel/qca for authorization and
> encryption, so it is also possible that devel/qca is not able to provide
> the legacy provider. Therefore I have taken kde@ into CC.
>
> Please let me know, if you need more information or some testing.

This is being worked on by Pierre. He pointed me to a patch from him,
which I tested successfully:

https://github.com/freebsd/freebsd-src/pull/787

I'm now running head with this patch and the legacy provider works fine.

Hope this helps.

-- 
Guido Falsi
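
A triage sketch for the "Unable to load legacy provider" and "Failed to load Legacy provider" errors discussed in this thread, added here as an example and not part of any poster's message or of the FreeBSD patch. It checks that the module exists at the path given in the thread and asks `openssl` to load it explicitly; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "Unable to load legacy provider" on OpenSSL 3.0.
# The module path is the one quoted in the thread; function names are illustrative.
LEGACY_MODULE="${LEGACY_MODULE:-/usr/lib/ossl-modules/legacy.so}"

# Read `openssl list -providers` output on stdin; print each provider whose
# status is "active", one name per line.
active_providers() {
    awk '/^  [^ ]/ { name = $1 }
         /^    status:/ && $2 == "active" { print name }'
}

# Succeed if provider $1 is active in the listing on stdin.
provider_is_active() {
    active_providers | grep -qx "$1"
}

# Constructed sample listings (not captured from a real host).
sample_default_only() {
    cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
EOF
}

sample_with_legacy() {
    sample_default_only
    cat <<'EOF'
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.9
    status: active
EOF
}

# Check the local system: module on disk, then whether libcrypto can load it.
triage() {
    [ -r "$LEGACY_MODULE" ] && echo "module present: $LEGACY_MODULE" \
        || echo "module missing: $LEGACY_MODULE"
    if openssl list -providers -provider default -provider legacy 2>/dev/null |
        provider_is_active legacy; then
        echo "legacy provider loads when requested explicitly"
    else
        echo "legacy provider does not load; check the module and openssl.cnf"
    fi
}

if [ "${1:-}" = "--run" ]; then triage; fi
```

Run it with `--run` to check the local host. If the module loads here but an application still fails, the application's own initialization order (for example, loading after entering capability mode, as Pierre describes) is the next thing to examine.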