OpenSSL 3.0 is in the tree

Mon Jul 3 15:53:10 BST 2023

On 03/07/23 15:27, Rainer Hurling wrote:
> Am 29.06.23 um 18:27 schrieb Pierre Pronchery:
>>          Hi Guido, freebsd-current@,
>>
>> On 6/29/23 15:14, Guido Falsi wrote:
>>> On 24/06/23 16:22, Ed Maste wrote:
>>>> Last night I merged OpenSSL 3.0 to main. This, along with the update
>>>> to Clang 16 and other recent changes may result in some challenges
>>>> over the next few days or weeks for folks following -CURRENT, such as
>>>> ports that need to be updated or unanticipated issues in the base
>>>> system.
>>>>
>>>> We need to get this work done so that we can continue moving on with
>>>> FreeBSD 14; I apologize for the trouble it might cause in the short
>>>> term. Please follow up to report any trouble you encounter.
>>>
>>> Not sure where to ask this, following up to this announcement looks 
>>> like a reasonable choice.
>>>
>>> After updating head to this version I have had some ports provided 
>>> software fail with messages including: "Unable to load legacy provider."
>>>
>>> Most of the time I am able to workaround it by forcing newer 
>>> algorithms via some configuration. Some other times I have no direct 
>>> control of what is being asked (like values hardcoded in npm modules)/
>>>
>>> This is also happening to me with node, for example, has happened 
>>> with RDP (looks like windows by default prefers RC4 for RDP 
>>> sessions), where I was able to fix it though.
>>>
>>> Question is, does FreeBSD provide this legacy provider module? Or is 
>>> it available via ports or some other solution? Or maybe it can be 
>>> provided via a port? Would make the transition much easier!
>>
>> The legacy provider module is part of OpenSSL 3.0, it should be 
>> installed in /usr/lib/ossl-modules/legacy.so alongside fips.so as part 
>> Iddd
>> of the base system.
>>
>> It's possible that some programs leveraging capsicum will fail to load 
>> it, if the initialization of legacy algorithms in OpenSSL is performed 
>> past entering capabilities mode (since it now requires a dlopen() to 
>> access the module).
>>
>> Let me know if you have any additional details regarding issues with 
>> the module.
>>
>> HTH,
> 
> If this thread is not the appropriate one for my problem, I apologize.
> 
> I am the maintainer of the graphics/qgis port. Now that my system 
> 14.0-CURRENT is updated to clang16 and OpenSSL-3.0, I get the following 
> abort message when starting qgis:
> 
> #qgis
> Failed to load Legacy provider
> 
> Apparently there is now also a problem with the legacy provider here. As 
> I understand it, QGIS uses the port devel/qca for authorization and 
> encryption, so it is also possible that devel/qca is not able to provide 
> the legacy provider. Therefore I have taken kde@ into CC.
> 
> Please let me know, if you need more information or some testing.

This is being worked on by Pierre.

He pointed me to a patch from him, which I tested successfully:

https://github.com/freebsd/freebsd-src/pull/787

I'm now running head with this patch and the legacy provider works fine.

Hope this helps.

-- 
Guido Falsi <mad at madpilot.net>