Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Workaround for OpenSSL 3 support
« previous
next »
Print
Pages: [
1
]
Author
Topic: Workaround for OpenSSL 3 support (Read 4152 times)
lattera
Full Member
Posts: 207
Karma: 82
Workaround for OpenSSL 3 support
«
on:
November 19, 2023, 10:55:20 pm »
The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide:
https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184
I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Workaround for OpenSSL 3 support
«
Reply #1 on:
November 20, 2023, 09:17:21 am »
Thanks, that appears to be the same issue reported for ddclient native backend, which is also Python... the library glue there seems to be more OpenSSL-
un
ready than expected.
https://github.com/opnsense/core/issues/7011
I'll make a note there.
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Workaround for OpenSSL 3 support
«
Reply #2 on:
November 20, 2023, 01:25:18 pm »
Shawn, can you see if this
https://github.com/opnsense/tools/commit/57711c6b
makes it behave on your end?
I have a snapshot build here too but it will take a few days to confirm.
Cheers,
Franco
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: Workaround for OpenSSL 3 support
«
Reply #3 on:
November 20, 2023, 01:45:51 pm »
I'll give that a shot in m y next build. We just bought a new home and take possession of it this week, so life is about to get REAL busy. :-)
I'll report back when I have info to report. Thanks!
Logged
newsense
Hero Member
Posts: 1037
Karma: 77
Re: Workaround for OpenSSL 3 support
«
Reply #4 on:
November 20, 2023, 05:20:01 pm »
The patch fixes update_tables.py and list_tables.py and the Dynamic DNS plugin works again on native backend.
Thank you both for the quick fix.
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Workaround for OpenSSL 3 support
«
Reply #5 on:
November 20, 2023, 06:50:28 pm »
Thanks for confirming. Turns out easier than expected then. Not sure where this leaves FreeBSD ports at the moment as both base and ports OpenSSL 3 build without legacy.so apparently, but I placed a note over there.
Cheers,
Franco
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: Workaround for OpenSSL 3 support
«
Reply #6 on:
December 18, 2023, 12:46:49 am »
I ended up switching our ports tree back to OpenSSL 1.1.1. I'm wondering if the OPNsense dev team already knows what needs to be updated for proper OpenSSL 3 support . Perhaps we in the community can send some patches to you. :-)
To start with, I know OPNsense's use of Unbound does not work with OpenSSL 3. But I'm unsure why (the DNSBL Python scripts need to be updated, perhaps?)
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Workaround for OpenSSL 3 support
«
Reply #7 on:
December 19, 2023, 09:56:13 am »
I've been running it even before the LEGACY option fix without any particular issue... the only offender seemed to be py-cryptography and that works now with LEGACY option enabled.
Cheers,
Franco
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: Workaround for OpenSSL 3 support
«
Reply #8 on:
December 19, 2023, 05:31:22 pm »
Is there any desire to move towards removing the need for the LEGACY option?
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Workaround for OpenSSL 3 support
«
Reply #9 on:
December 20, 2023, 09:31:46 am »
I think you are asking a py-cryptography specific questions either them or FreeBSD ports should answer.
I raised the question in bugzilla, but nobody really cares:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Workaround for OpenSSL 3 support