From: "John W. O'Brien"
To: FreeBSD Python
Date: Fri, 10 Nov 2023 10:04:59 -0500
Subject: security/py-openssl: RuntimeError after security/openssl upgraded to 3.0.12_1,1
Message-ID: <8cb4c1ac-87a4-45d7-9345-8a9ce7f9dd15@radioprosciutto.org>
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

Hello FreeBSD Python,

I'm not sure if this is a bug, and if it is a bug, I'm not sure which port I should submit it against.

I completed the following pkg upgrades this morning and changed nothing else.

Nov 10 08:56:31 tizzy pkg[49703]: openssl upgraded: 3.0.12,1 -> 3.0.12_1,1
Nov 10 08:56:32 tizzy pkg[49703]: libuv upgraded: 1.46.0 -> 1.47.0
Nov 10 08:56:32 tizzy pkg[49703]: bash upgraded: 5.2.15 -> 5.2.21
Nov 10 08:56:33 tizzy pkg[49703]: py310-cryptography reinstalled: 41.0.5,1 -> 41.0.5,1
Nov 10 08:56:33 tizzy pkg[49703]: libevent reinstalled: 2.1.12 -> 2.1.12
Nov 10 08:56:33 tizzy pkg[49703]: py310-outcome upgraded: 1.3.0 -> 1.3.0_1
Nov 10 08:56:36 tizzy pkg[49703]: postgresql15-client upgraded: 15.4 -> 15.5
Nov 10 08:56:37 tizzy pkg[49703]: sudo upgraded: 1.9.15 -> 1.9.15p2

Immediately, a cron job that imports dns.query from dns/py-dnspython started failing with a RuntimeError. Here is a slightly simpler demonstration:

% python -c 'import OpenSSL'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

I struggle to see how the recent change to security/openssl could have caused this to start happening.

commit e31577029401e1e328f0caaef837d613d98dd515
Author: Bernard Spil
Date:   Wed Nov 8 17:14:28 2023 +0100

    security/openssl: Security fix for CVE-2023-5678

    Security:       a5956603-7e4f-11ee-9df6-84a93843eb75
    MFH:            2023Q4

Any advice?

Thank you,
John
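
Added example, not part of the original message and not code from the cryptography or pyOpenSSL projects: a triage script that repeats the failing import in fresh interpreters, once with the default environment and once with the CRYPTOGRAPHY_OPENSSL_NO_LEGACY variable named in the error text, to tell a legacy-provider-only fault from a wider breakage. The verdict strings and the value "1" for the variable are assumptions made for this example.

```python
import os
import subprocess
import sys

NO_LEGACY_VAR = "CRYPTOGRAPHY_OPENSSL_NO_LEGACY"  # name taken from the error text
LEGACY_MARKER = "legacy provider failed to load"   # phrase from the RuntimeError


def classify(returncode, stderr):
    """Map one import attempt to a short verdict (labels are this example's own)."""
    if returncode == 0:
        return "ok"
    if LEGACY_MARKER in stderr:
        return "legacy-provider-failure"
    if "ModuleNotFoundError" in stderr:
        return "not-installed"
    return "other-failure"


def try_import(module, no_legacy):
    """Import `module` in a fresh interpreter so no provider state is reused."""
    env = dict(os.environ)
    env.pop(NO_LEGACY_VAR, None)       # start from a known state
    if no_legacy:
        env[NO_LEGACY_VAR] = "1"       # assumed value; any non-empty, non-"0" string
    proc = subprocess.run([sys.executable, "-c", f"import {module}"],
                          env=env, capture_output=True, text=True)
    return classify(proc.returncode, proc.stderr)


def diagnose(default, without_legacy):
    """Combine both verdicts into a statement about where the fault lies."""
    if default == "ok":
        return "legacy provider loads"
    if default == "not-installed":
        return "module missing, unrelated to providers"
    if default == "legacy-provider-failure" and without_legacy == "ok":
        return "only the legacy provider module fails to load"
    return "failure is not limited to the legacy provider"


if __name__ == "__main__":
    a = try_import("OpenSSL", no_legacy=False)
    b = try_import("OpenSSL", no_legacy=True)
    print(f"default environment: {a}")
    print(f"{NO_LEGACY_VAR}=1: {b}")
    print(f"conclusion: {diagnose(a, b)}")
```

If the conclusion is that only the legacy provider module fails to load, the next thing to check is whether legacy.so is present in the modules directory printed by `openssl version -m` and matches the installed libcrypto.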