From: ummeegge
To: development@lists.ipfire.org
Subject: Re: Upgrading to OpenSSL 1.1.0
Date: Sun, 03 Dec 2017 08:34:03 +0100
Message-ID: <029666F0-07E0-4CF3-BAAF-4D94E1F29A1A@ipfire.org>
In-Reply-To: <1511961125.2571.98.camel@ipfire.org>

Hi all,

I have tried to build IPFire with the new OpenSSL-1.1.0 and have had a couple of other packages (besides the ones Michael already announced) which did not build properly.

I have had problems with:

1) wget:

openssl.o: In function `ssl_init':
openssl.c:(.text+0x72e): undefined reference to `ENGINE_load_builtin_engines'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:1569: wget] Error 1

There is a patch for OpenSSL-1.1.0 --> https://git.savannah.gnu.org/cgit/wget.git/commit/?h=openssl-1.1 available which does not fix this problem.

2) openvmtools:

../lib/sslDirect/.libs/libSslDirect.a(libSslDirect_la-sslDirect.o): In function `SSL_Init':
sslDirect.c:(.text+0x25e): undefined reference to `ENGINE_register_all_ciphers'
sslDirect.c:(.text+0x263): undefined reference to `ENGINE_register_all_digests'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:548: libvmtools.la] Error 1
make[2]: Leaving directory '/usr/src/open-vm-tools-10.0.5-3227872/libvmtools'
make[1]: *** [Makefile:505: all-recursive] Error 1
make[1]: Leaving directory '/usr/src/open-vm-tools-10.0.5-3227872'
make: *** [openvmtools:85: /usr/src/log/open-vm-tools-10.0.5-3227872] Error 2

3) Asterisk: which Michael already pointed out.

4) crda:

Also with the new 3.18 version --> http://drvbp1.linux-foundation.org/~mcgrof/rel-html/crda/ the build process does not work.

make[1]: Entering directory '/usr/src/crda-3.13'
GEN keys-gcrypt.c
Trusted pubkeys: pubkeys/linville.key.pub.pem
ERROR: Failed to import the "M2Crypto" module: No module named _m2crypto
Please install the "M2Crypto" Python module.
On Debian GNU/Linux the package is called "python-m2crypto".
make[1]: *** [Makefile:114: keys-gcrypt.c] Error 1
make[1]: Leaving directory '/usr/src/crda-3.13'
make: *** [crda:75: /usr/src/log/crda-3.13] Error 2

whereby python-m2crypto is present; a newer M2Crypto version also does not solve this.

5) tor:

src/common/crypto.c:3435:3: warning: nested extern declaration of 'ENGINE_cleanup' [-Wnested-externs]
make[2]: *** [Makefile:5213: src/common/crypto.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/usr/src/tor-0.3.1.7'
make[1]: *** [Makefile:3106: all] Error 2
make[1]: Leaving directory '/usr/src/tor-0.3.1.7'
make: *** [tor:81: /usr/src/log/tor-0.3.1.7] Error 2

Updates to 0.3.1.9 and also to 0.3.2.6_alpha do not solve this issue either.

6) freeradius:

build/objs/src/main/tls.o: In function `tls_global_cleanup':
tls.c:(.text+0x4670): undefined reference to `ENGINE_cleanup'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/boiler.mk:629: build/bin/local/radiusd] Error 1
make[1]: *** Waiting for unfinished jobs....
build/objs/src/main/tls.o: In function `tls_global_cleanup':
tls.c:(.text+0x4670): undefined reference to `ENGINE_cleanup'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/boiler.mk:630: build/bin/radiusd] Error 1
make[1]: Leaving directory '/usr/src/freeradius-server-3.0.14'
make: *** [freeradius:81: /usr/src/log/freeradius-server-3.0.14] Error 2

I tried to find all packages which do not build with the new OpenSSL version; since I haven't found fixes (quick search around) I commented them to get a full picture of what works and what does not.

Some ROOTFILES also seem to be problematic.

It was possible to build:

1) php-7.2.0, but I haven't tested it yet.
2) OpenVPN-2.4.4

But an installation of the ISO is currently not possible because of a problem with the language cache "der sprachdateizwischenspeicher konnte nicht erstellt werden". So I am currently stuck here (nevertheless, I am currently making a clean build again).

Some news from here.

Greetings,

Erik

On 29.11.2017 at 14:12, Michael Tremer wrote:
> Hello,
>
> I have started working on upgrading the entire distribution to OpenSSL 1.1.0.
> This is however not the easiest task since many packages are just incompatible
> with the API changes of OpenSSL.
>
> Therefore, I started this in its own branch, upgraded all sorts of packages that
> won't build and patched those that could be patched. However, this is still quite
> chaotic and I need some help of the maintainers of some of the packages to do
> this for their own packages.
>
> I have already dropped some packages in this process that a) were incompatible
> with OpenSSL 1.1.0, b) where no patches were available and c) that are not
> maintained upstream any longer. I also cherry-picked those commits to the
> current next tree. If someone disagrees, please open a separate discussion.
>
> The packages dropped are:
>
> * Pound
> * vsftp
> * sslscan
>
> Packages which currently don't build and I could not patch very easily:
>
> * php
> * asterisk
> * openvpn
>
> I suppose Erik is best to upgrade to openvpn 2.4, Dirk upgrades asterisk and I
> am quite sure that there are a few people out there who have been working on php.
> Please raise your hands.
>
> I would like to have the openssl 1.1 branch ready for merge into next at the end
> of December. Please make sure that any patches have been submitted by then.
>
> Please work on top of this branch:
>
> https://git.ipfire.org/pub/git/people/ms/ipfire-2.x.git openssl-11
>
> https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11
>
> Please also submit improvements of other packages that we can make sure of (i.e.
> better cipher suites for Apache, etc.)...
>
> Best,
> -Michael