Re: OpenSSL legacy provider is broken
Date: Thu, 14 Aug 2025 01:26:26 UTC
On 2025-08-10 06:53, Pierre Pronchery wrote:
> Hey,
>
>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya) <yaneurabeya@gmail.com> wrote:
>>
>>
>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <ianfreislich@gmail.com> wrote:
>>>
>>> Previously this worked
>>>
>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>> Providers:
>>>   legacy
>>>     name: OpenSSL Legacy Provider
>>>     version: 3.0.16
>>>     status: active
>>>
>>> Since the build last night,
>>>
>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
>>> list: unable to load provider legacy
>>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>>> 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>>> 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>>
>>> and freeradius doesn't start because of this:
>>>
>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>> FreeRADIUS Version 3.2.7
>>> ...
>>> (TLS) Failed loading legacy provider
>>>
>>> I haven't yet figured out what part of my EAP configuration needs the legacy provider. It may be that EAP just needs a working legacy provider because it looks like the EAP module unconditionally attempts to load the provider and fails.
>
> It could well be that it does.
>
> Regardless I didn’t mean to break the legacy provider, but it’s
> certainly because of the OpenSSL 3.5.1 import. Sorry!
>
> I have pushed a partial fix here, and will keep pushing to that
> branch until I get it to work fully again:
> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy

That fixes this missing symbol, but here's the next error:

[router] ~ # openssl list -providers -provider legacy
list: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy

Is there a target/directory I can make in that will compile just this? The no clean default on buildworld doesn't seem to work and compiling everything takes forever.

Ian