From: Pierre Pronchery
Organization: FreeBSD Foundation
To: freebsd-current@freebsd.org
Subject: Re: OpenSSL 3.0 is in the tree
Date: Thu, 29 Jun 2023 18:27:31 +0200
In-Reply-To: <203b3fed-6fdd-0a19-72ce-fa2eea891222@madpilot.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Hi Guido, freebsd-current@,

On 6/29/23 15:14, Guido Falsi wrote:
> On 24/06/23 16:22, Ed Maste wrote:
>> Last night I merged OpenSSL 3.0 to main. This, along with the update
>> to Clang 16 and other recent changes may result in some challenges
>> over the next few days or weeks for folks following -CURRENT, such as
>> ports that need to be updated or unanticipated issues in the base
>> system.
>>
>> We need to get this work done so that we can continue moving on with
>> FreeBSD 14; I apologize for the trouble it might cause in the short
>> term. Please follow up to report any trouble you encounter.
>
> Not sure where to ask this, following up to this announcement looks like
> a reasonable choice.
>
> After updating head to this version I have had some ports-provided
> software fail with messages including: "Unable to load legacy provider."
>
> Most of the time I am able to work around it by forcing newer algorithms
> via some configuration. Some other times I have no direct control of
> what is being asked (like values hardcoded in npm modules).
>
> This is also happening to me with node, for example, has happened with
> RDP (looks like Windows by default prefers RC4 for RDP sessions), where
> I was able to fix it though.
>
> Question is, does FreeBSD provide this legacy provider module? Or is it
> available via ports or some other solution? Or maybe it can be provided
> via a port? Would make the transition much easier!

The legacy provider module is part of OpenSSL 3.0; it should be installed
in /usr/lib/ossl-modules/legacy.so alongside fips.so as part of the base
system.

It's possible that some programs leveraging capsicum will fail to load it,
if the initialization of legacy algorithms in OpenSSL is performed past
entering capabilities mode (since it now requires a dlopen() to access the
module).

Let me know if you have any additional details regarding issues with the
module.

HTH,
-- 
Pierre Pronchery