OPNsense Forum
English Forums => Development and Code Review => Topic started by: lattera on November 19, 2023, 10:55:20 pm
-
The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide: https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184
I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.
-
Thanks, that appears to be the same issue reported for ddclient native backend, which is also Python... the library glue there seems to be more OpenSSL-unready than expected.
https://github.com/opnsense/core/issues/7011
I'll make a note there.
Cheers,
Franco
-
Shawn, can you see if this https://github.com/opnsense/tools/commit/57711c6b makes it behave on your end?
I have a snapshot build here too but it will take a few days to confirm.
Cheers,
Franco
-
I'll give that a shot in my next build. We just bought a new home and take possession of it this week, so life is about to get REAL busy. :-)
I'll report back when I have info to report. Thanks!
-
The patch fixes update_tables.py and list_tables.py and the Dynamic DNS plugin works again on native backend.
Thank you both for the quick fix.
-
Thanks for confirming. Turns out easier than expected then. Not sure where this leaves FreeBSD ports at the moment as both base and ports OpenSSL 3 build without legacy.so apparently, but I placed a note over there.
Cheers,
Franco
-
I ended up switching our ports tree back to OpenSSL 1.1.1. I'm wondering if the OPNsense dev team already knows what needs to be updated for proper OpenSSL 3 support. Perhaps we in the community can send some patches to you. :-)
To start with, I know OPNsense's use of Unbound does not work with OpenSSL 3. But I'm unsure why (the DNSBL Python scripts need to be updated, perhaps?)
-
I've been running it even before the LEGACY option fix without any particular issue... the only offender seemed to be py-cryptography and that works now with LEGACY option enabled.
Cheers,
Franco
-
Is there any desire to move towards removing the need for the LEGACY option?
-
I think you are asking a py-cryptography-specific question that either they or FreeBSD ports should answer.
I raised the question in bugzilla, but nobody really cares:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
Cheers,
Franco