[Bug 279363] security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0
Date: Tue, 28 May 2024 12:25:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279363

            Bug ID: 279363
           Summary: security/wazuh-manager does not support FreeBSD-14.x / OpenSSL-3.0
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: acm@FreeBSD.org
          Reporter: girgen@FreeBSD.org
             Flags: maintainer-feedback?(acm@FreeBSD.org)
          Assignee: acm@FreeBSD.org

The wazuh-manager uses openssl in python module via _openssl.abi3.so (see below)

This fails:

Traceback (most recent call last):
  File "/var/ossec/framework/python/lib/python3.9/site-packages/jose/backends/cryptography_backend.py", line 66, in __init__
    key = load_pem_public_key(key, self.cryptography_backend())
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /var/ossec/framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"

and the main reason is that OpenSSL-3.0 is not yet supported by wazuh.
Here's where it is linked with libssl.so.3.0:

[root@hostname /var/ossec]# ldd framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
framework/python/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so:
        libssl.so.30 => /usr/lib/libssl.so.30 (0x3b61fc1b000)
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x3b620f10000)
        libthr.so.3 => /lib/libthr.so.3 (0x3b620bba000)
        libc.so.7 => /lib/libc.so.7 (0x3b61d359000)

I made some feeble attempts to fix this by requiring the port to depend on openssl111, but did not succeed:

diff --git a/security/wazuh-manager/Makefile b/security/wazuh-manager/Makefile index 55f3be186f55..9da69b620cc8 100644 --- a/security/wazuh-manager/Makefile +++ b/security/wazuh-manager/Makefile @@ -1,6 +1,7 @@ PORTNAME= wazuh DISTVERSIONPREFIX= v DISTVERSION= 4.7.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://packages.wazuh.com/deps/24/libraries/sources/:wazuh_sources \ LOCAL/acm/${PORTNAME}/:wazuh_cache @@ -26,7 +27,7 @@ LIB_DEPENDS+= libgdbm.so:databases/gdbm \ libffi.so:devel/libffi \ libarrow.so:databases/arrow -USES= cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 uidfix +USES= cpe gmake perl5 python:3.9 readline shebangfix sqlite:3 uidfix ssl USE_GITHUB= yes GH_TUPLE= alonsobsd:wazuh-freebsd:${WAZUH_EXTRAFILE_TAGNAME}:wazuh @@ -144,6 +145,7 @@ ARCH_BASE= ${ARCH:S/aarch64/arm64/g} UNAME_r= ${_OSRELEASE:tl} FBSD_RELEASE= freebsd_${UNAME_r:S/./_/g:S/-/_/g} +#DEFAULT_VERSIONS+= ssl=openssl111 .include <bsd.port.pre.mk> .if ${OSVERSION} >= 1300139 && ${OSVERSION} < 1400000 
@@ -162,6 +164,10 @@ DISTFILES+= ${WAZUH_CACHENAME}${EXTRACT_SUFX}:wazuh_cache IGNORE= FreeBSD ${OSVERSION} ${ARCH} is not supported .endif +#.if ${OSVERSION} >= 1400092 +#DEFAULT_VERSIONS+= ssl=openssl111 +#.endif + post-extract: .for FILE in ${EXTERNAL_DISTFILES} @cd ${WRKSRC}/src/external && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/${FILE:S/:wazuh_sources//} ${EXTRACT_AFTER_ARGS}

The Wazuh team know about the dependency on the old OpenSSL and they are apparently working on it. It will appear in 4.8.

Is there a temporary fix or workaround to get it working on FreeBSD-14.0? wazuh is broken now, other than waiting for wazuh 4.8?

The obvious solution would be to force the port to use openssl111, but I failed to get that bit working. Using compat13x is perhaps easier but that would probably require juggling with libmap.conf as well?

Other ideas?

Palle

--
You are receiving this mail because:
You are the assignee for the bug.
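
Review bot: the `ssl` added to USES in the `@@ -26,7 +27,7 @@` hunk is not consumed by anything else in the visible changes. USES=ssl makes OPENSSLBASE, OPENSSLLIB and OPENSSLINC available to the port, but the ldd output in the report shows the bundled `_openssl.abi3.so` resolving libssl.so.30 and libcrypto.so.30 from the base system, so the step that builds or installs that module would also have to be pointed at those variables. Without that, this one-word change cannot alter which libssl the module loads, which is consistent with the attempt not succeeding.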
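
Review bot: the `#DEFAULT_VERSIONS+= ssl=openssl111` line added just above `.include <bsd.port.pre.mk>` in the `@@ -144,6 +145,7 @@` hunk is commented out, so it has no effect and should be dropped before this goes anywhere near a commit. DEFAULT_VERSIONS is normally a make.conf setting; for a test build against openssl111, set it there rather than in the port Makefile, and say so in the PR so the maintainer can reproduce the result.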
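
Review bot: the commented-out `.if ${OSVERSION} >= 1400092` block in the `@@ -162,6 +164,10 @@` hunk sits below `.include <bsd.port.pre.mk>`, and the ssl default is resolved while the framework is being included, so a `DEFAULT_VERSIONS+= ssl=openssl111` at that position would come too late to change what USES=ssl selects even if it were uncommented. OSVERSION is only usable after that include, as the existing `.if ${OSVERSION} >= 1300139` context line shows, so an OSVERSION-conditional override of the ssl default cannot be expressed this way. Remove the block from the patch.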