security/py-openssl: RuntimeError after security/openssl upgraded to 3.0.12_1,1

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: John W. O'Brien <john_freebsd-python_at_radioprosciutto.org>
Date: Fri, 10 Nov 2023 15:04:59 UTC
Hello FreeBSD Python,

I'm not sure if this is a bug, and if it is a bug, I'm not sure which 
port I should submit it against.

I completed the following pkg upgrades this morning and changed nothing 
else.

Nov 10 08:56:31 tizzy pkg[49703]: openssl upgraded: 3.0.12,1 -> 3.0.12_1,1
Nov 10 08:56:32 tizzy pkg[49703]: libuv upgraded: 1.46.0 -> 1.47.0
Nov 10 08:56:32 tizzy pkg[49703]: bash upgraded: 5.2.15 -> 5.2.21
Nov 10 08:56:33 tizzy pkg[49703]: py310-cryptography reinstalled: 
41.0.5,1 -> 41.0.5,1
Nov 10 08:56:33 tizzy pkg[49703]: libevent reinstalled: 2.1.12 -> 2.1.12
Nov 10 08:56:33 tizzy pkg[49703]: py310-outcome upgraded: 1.3.0 -> 1.3.0_1
Nov 10 08:56:36 tizzy pkg[49703]: postgresql15-client upgraded: 15.4 -> 15.5
Nov 10 08:56:37 tizzy pkg[49703]: sudo upgraded: 1.9.15 -> 1.9.15p2

Immediately, a cron job that imports dns.query from dns/py-dnspython 
started failing with a RuntimeError. Here is a slightly simpler 
demonstration:


% python -c 'import OpenSSL'
Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/local/lib/python3.10/site-packages/OpenSSL/__init__.py", 
line 8, in <module>
      from OpenSSL import SSL, crypto
    File "/usr/local/lib/python3.10/site-packages/OpenSSL/SSL.py", line 
9, in <module>
      from OpenSSL._util import (
    File "/usr/local/lib/python3.10/site-packages/OpenSSL/_util.py", 
line 6, in <module>
      from cryptography.hazmat.bindings.openssl.binding import Binding
    File 
"/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", 
line 167, in <module>
      Binding.init_static_locks()
    File 
"/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", 
line 134, in init_static_locks
      cls._ensure_ffi_initialized()
    File 
"/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", 
line 123, in _ensure_ffi_initialized
      _legacy_provider_error(cls._legacy_provider_loaded)
    File 
"/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", 
line 43, in _legacy_provider_error
      raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a 
fatal error by default, but cryptography supports running without legacy 
algorithms by setting the environment variable 
CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you 
have likely made a mistake with your OpenSSL configuration.


I struggle to see how the recent change to security/openssl could have 
caused this to start happening.


commit e31577029401e1e328f0caaef837d613d98dd515
Author: Bernard Spil <brnrd@FreeBSD.org>
Date:   Wed Nov 8 17:14:28 2023 +0100

      security/openssl: Security fix for CVE-2023-5678

      Security:       a5956603-7e4f-11ee-9df6-84a93843eb75
      MFH:            2023Q4


Any advice?

Thank you,
John