Re: OpenSSL legacy provider is broken
Date: Sun, 10 Aug 2025 06:06:06 UTC
In message <B43DA54A-0017-42CA-A1FE-15F28048FEF0@gmail.com>, "Enji Cooper (yaneurabeya)" writes:
> > On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <ianfreislich@gmail.com> wrote:
> >
> > Hi
> >
> > Previously this worked
> >
> > [brane] /usr/ports # openssl list -providers -provider legacy
> > Providers:
> >   legacy
> >     name: OpenSSL Legacy Provider
> >     version: 3.0.16
> >     status: active
> >
> > Since the build last night,
> >
> > [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
> > list: unable to load provider legacy
> > Hint: use -provider-path option or OPENSSL_MODULES environment variable.
> > 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
> > 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
> > 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
> >
> > and freeradius doesn't start because of this:
> >
> > [router] /usr/ports/net/freeradius3 # radiusd -fX
> > FreeRADIUS Version 3.2.7
> > ...
> > (TLS) Failed loading legacy provider
> >
> > I haven't yet figured out what part of my EAP configuration needs the legacy provider. It may be that EAP just needs a working legacy provider because it looks like the EAP module unconditionally attempts to load the provider and fails.

This looks like it's due to MIT KRB5 in 15.

The HEIMDAL option needs to be replaced with a BASE option and BASE should test for MIT KRB5 or HEIMDAL by looking at which kdc (kdc for Heimdal or krb5kdc for MIT) is installed.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e**(i*pi)+1=0
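Added example, not part of the original message or of OpenSSL/FreeBSD code: a small triage helper that parses the OpenSSL error-queue lines quoted in the report and pulls out the provider name, the module that failed to load and the unresolved symbol. The function names `parse_error_line` and `triage` are hypothetical, and the numeric decode assumes the OpenSSL 3.x packed error-code layout (library number in bits 23 to 30, bare reason in the low 18 bits).

```python
import re

# Constructed sample: the three error-queue lines from the report above,
# with the mail client's line wrapping undone.
SAMPLE = '''\
10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
'''

FIELDS = ("thread", "tag", "code", "lib", "func", "reason", "file", "line", "data")

def parse_error_line(text):
    """Split one OpenSSL 3.x error-queue line into named fields, or return None."""
    parts = text.rstrip("\n").split(":", 8)   # data (last field) may contain ':'
    if len(parts) != 9 or parts[1] != "error":
        return None
    rec = dict(zip(FIELDS, parts))
    code = int(rec["code"], 16)
    rec["lib_num"] = (code >> 23) & 0xFF      # assumed OpenSSL 3.x layout
    rec["reason_num"] = code & 0x3FFFF        # low 18 bits, reason flags stripped
    return rec

def triage(log):
    """Return provider name, module path and missing symbol found in the log."""
    out = {"provider": None, "module": None, "missing_symbol": None}
    for rec in filter(None, map(parse_error_line, log.splitlines())):
        data = rec["data"]
        if (m := re.search(r"filename\(([^)]+)\)", data)):
            out["module"] = m.group(1)
        if (m := re.search(r'Undefined symbol "([^"]+)"', data)):
            out["missing_symbol"] = m.group(1)
        if rec["func"] == "provider_init" and (m := re.search(r"name=(\S+)", data)):
            out["provider"] = m.group(1)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The decoded reason number on the third line matches the `reason(37)` text OpenSSL printed, which is a quick check that the line was split correctly.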