From: Rainer Hurling <rhurlin@gwdg.de>
To: Guido Falsi
Date: Mon, 3 Jul 2023 19:01:17 +0200
Subject: Re: OpenSSL 3.0 is in the tree
Message-ID: <3f288972-1a30-4642-285c-470e6be1902b@gwdg.de>
References: <203b3fed-6fdd-0a19-72ce-fa2eea891222@madpilot.net>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On 03.07.23 at 16:53, Guido Falsi wrote:
> On 03/07/23 15:27, Rainer Hurling wrote:
>> On 29.06.23 at 18:27, Pierre Pronchery wrote:
>>> Hi Guido, freebsd-current@,
>>>
>>> On 6/29/23 15:14, Guido Falsi wrote:
>>>> On 24/06/23 16:22, Ed Maste wrote:
>>>>> Last night I merged OpenSSL 3.0 to main. This, along with the update
>>>>> to Clang 16 and other recent changes may result in some challenges
>>>>> over the next few days or weeks for folks following -CURRENT, such as
>>>>> ports that need to be updated or unanticipated issues in the base
>>>>> system.
>>>>>
>>>>> We need to get this work done so that we can continue moving on with
>>>>> FreeBSD 14; I apologize for the trouble it might cause in the short
>>>>> term. Please follow up to report any trouble you encounter.
>>>>
>>>> Not sure where to ask this, following up to this announcement looks
>>>> like a reasonable choice.
>>>>
>>>> After updating head to this version I have had some ports-provided
>>>> software fail with messages including: "Unable to load legacy
>>>> provider."
>>>>
>>>> Most of the time I am able to work around it by forcing newer
>>>> algorithms via some configuration. Some other times I have no direct
>>>> control of what is being asked (like values hardcoded in npm modules).
>>>>
>>>> This is also happening to me with node, for example; it has happened
>>>> with RDP (looks like Windows by default prefers RC4 for RDP
>>>> sessions), where I was able to fix it though.
>>>>
>>>> Question is, does FreeBSD provide this legacy provider module? Or is
>>>> it available via ports or some other solution? Or maybe it can be
>>>> provided via a port? Would make the transition much easier!
>>>
>>> The legacy provider module is part of OpenSSL 3.0, it should be
>>> installed in /usr/lib/ossl-modules/legacy.so alongside fips.so as
>>> part of the base system.
>>>
>>> It's possible that some programs leveraging capsicum will fail to
>>> load it, if the initialization of legacy algorithms in OpenSSL is
>>> performed past entering capabilities mode (since it now requires a
>>> dlopen() to access the module).
>>>
>>> Let me know if you have any additional details regarding issues with
>>> the module.
>>>
>>> HTH,
>>
>> If this thread is not the appropriate one for my problem, I apologize.
>>
>> I am the maintainer of the graphics/qgis port. Now that my system
>> 14.0-CURRENT is updated to clang16 and OpenSSL-3.0, I get the
>> following abort message when starting qgis:
>>
>> #qgis
>> Failed to load Legacy provider
>>
>> Apparently there is now also a problem with the legacy provider here.
>> As I understand it, QGIS uses the port devel/qca for authorization and
>> encryption, so it is also possible that devel/qca is not able to
>> provide the legacy provider. Therefore I have taken kde@ into CC.
>>
>> Please let me know if you need more information or some testing.
>
> This is being worked on by Pierre.
>
> He pointed me to a patch from him, which I tested successfully:
>
> https://github.com/freebsd/freebsd-src/pull/787
>
> I'm now running head with this patch and the legacy provider works fine.
>
> Hope this helps.

I applied the patch. After rebuilding my system, now the legacy provider
also works fine for me. graphics/qgis starts again and seems to work as
expected.

Interestingly, when I start QGIS, I now get the following warnings:

Warning: Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)
Warning: QSslSocket: cannot call unresolved function d2i_X509
Warning: QSslSocket::connectToHostEncrypted: TLS initialization failed

These warnings disappeared after rebuilding net/qt5-network and
net/qt5-networkauth :)

Many thanks for the link with the patch!

Best wishes,
Rainer