Author Topic: Workaround for OpenSSL 3 support  (Read 4170 times)

lattera

  • Full Member
  • Posts: 207
  • Karma: 82
Workaround for OpenSSL 3 support
« on: November 19, 2023, 10:55:20 pm »
The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide: https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184

I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.

franco

  • Administrator
  • Hero Member
  • Posts: 17706
  • Karma: 1618
Re: Workaround for OpenSSL 3 support
« Reply #1 on: November 20, 2023, 09:17:21 am »
Thanks, that appears to be the same issue reported for ddclient native backend, which is also Python... the library glue there seems to be more OpenSSL-unready than expected.

https://github.com/opnsense/core/issues/7011

I'll make a note there.


Cheers,
Franco

franco

Re: Workaround for OpenSSL 3 support
« Reply #2 on: November 20, 2023, 01:25:18 pm »
Shawn, can you see if this https://github.com/opnsense/tools/commit/57711c6b makes it behave on your end?

I have a snapshot build here too but it will take a few days to confirm.


Cheers,
Franco

lattera

Re: Workaround for OpenSSL 3 support
« Reply #3 on: November 20, 2023, 01:45:51 pm »
I'll give that a shot in my next build. We just bought a new home and take possession of it this week, so life is about to get REAL busy. :-)

I'll report back when I have info to report. Thanks!

newsense

  • Hero Member
  • Posts: 1038
  • Karma: 77
Re: Workaround for OpenSSL 3 support
« Reply #4 on: November 20, 2023, 05:20:01 pm »
The patch fixes update_tables.py and list_tables.py and the Dynamic DNS plugin works again on native backend.

Thank you both for the quick fix.

franco

Re: Workaround for OpenSSL 3 support
« Reply #5 on: November 20, 2023, 06:50:28 pm »
Thanks for confirming. Turns out easier than expected then. Not sure where this leaves FreeBSD ports at the moment as both base and ports OpenSSL 3 build without legacy.so apparently, but I placed a note over there.


Cheers,
Franco

lattera

Re: Workaround for OpenSSL 3 support
« Reply #6 on: December 18, 2023, 12:46:49 am »
I ended up switching our ports tree back to OpenSSL 1.1.1. I'm wondering if the OPNsense dev team already knows what needs to be updated for proper OpenSSL 3 support. Perhaps we in the community can send some patches to you. :-)

To start with, I know OPNsense's use of Unbound does not work with OpenSSL 3. But I'm unsure why (the DNSBL Python scripts need to be updated, perhaps?)

franco

Re: Workaround for OpenSSL 3 support
« Reply #7 on: December 19, 2023, 09:56:13 am »
I've been running it even before the LEGACY option fix without any particular issue... the only offender seemed to be py-cryptography and that works now with LEGACY option enabled.


Cheers,
Franco

lattera

Re: Workaround for OpenSSL 3 support
« Reply #8 on: December 19, 2023, 05:31:22 pm »
Is there any desire to move towards removing the need for the LEGACY option?

franco

Re: Workaround for OpenSSL 3 support
« Reply #9 on: December 20, 2023, 09:31:46 am »
I think you are asking a py-cryptography-specific question that either they or FreeBSD ports should answer.

I raised the question in bugzilla, but nobody really cares:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273656


Cheers,
Franco