Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#63461 closed defect (fixed)

openssl @1.1.1l: update to 3.0.0

Reported by: l2dy (Zero King) Owned by: larryv (Lawrence Velázquez)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: neverpanic (Clemens Lang), reneeotten (Renee Otten), danchr (Dan Villiom Podlaski Christiansen)
Port: openssl

Description

Finally we can change its license to Apache-2 and resolve some license conflicts.

This is a major release and requires revbump of dependent ports. https://github.com/openssl/openssl/blob/openssl-3.0.0/doc/man7/migration_guide.pod

Change History (22)

comment:1 Changed 3 years ago by kencu (Ken)

Well, WHOO HOO! A LOT of pointless headaches with non-distributable software are about to disappear.

Last edited 3 years ago by kencu (Ken)

comment:2 Changed 3 years ago by mascguy (Christopher Nielsen)

Cc: mascguy added

comment:3 Changed 3 years ago by neverpanic (Clemens Lang)

Unfortunately this will probably mean providing a copy of openssl 1.1 in a separate subfolder for a while, even though OpenSSL 3.0 is really careful in not removing anything. I have a local Portfile of this that seems to work and have tested that curl builds fine against it, but no further steps than that at the moment.

comment:4 Changed 3 years ago by kencu (Ken)

luckily there is already a process in place for a separate openssl 1.0 so that can hopefully be leveraged to support 1.1 easily.

comment:5 Changed 3 years ago by reneeotten (Renee Otten)

is anyone working on this and/or what's the plan moving forward?

I suppose a similar approach as with the boost ports can be taken here? In other words, copy the current openssl port to openssl11 and have it install in a separate location (just as is done in the openssl10 port); have the new openssl3 do the same. (I would think we probably don't need to have openssl3Y ports for every new version, so probably naming the new port openssl3 would be okay?) Then create an openssl PortGroup starting from the old_openssl PG to allow for selecting a certain version and set things up automatically as is done in the boost PG.

Once that is in place ports can be transitioned to use the openssl PortGroup, which should probably default to version 1.1.1. After that I guess maintainers can check whether the port builds with the latest openssl and move to that version? Anything missing in that proposal or concerns? Clemens: if you have a working port for openssl3 that installs in a separate location you could already add that to the tree or attach to this ticket?

comment:6 Changed 3 years ago by kencu (Ken)

I don't think we have to do anything so complicated!

make an openssl11 port from our current port and install it in the right subdir. The current old_openssl PG is all we need to support it.

then update openssl to 3.x, and we are done. 10 minutes max.

I would have done it, but Clemens said he already did the 3.x update.

Last edited 3 years ago by kencu (Ken)

comment:7 in reply to:  6 Changed 3 years ago by reneeotten (Renee Otten)

Replying to kencu:

> I don't think we have to do anything so complicated!
>
> make an openssl11 port from our current port and install it in the right subdir. The current old_openssl PG is all we need to support it.
>
> then update openssl to 3.x, and we are done. 10 minutes max.
>
> I would have done it, but Clemens said he already did the 3.x update.

Even better!

It would be really nice to have this updated so that things like the py-pyqt5-related stuff I've been fiddling around with can be distributed; and I don't need to feel bad that with every change a user has to build it locally again ;)

comment:8 Changed 3 years ago by reneeotten (Renee Otten)

Cc: reneeotten added

comment:9 Changed 3 years ago by kencu (Ken)

I will get the openssl11 port going then, and once we have that, we should be able to just update openssl to current. PR shortly.

comment:10 Changed 3 years ago by reneeotten (Renee Otten)

great, but updating the openssl port to the latest version will require all dependents to be rebuilt - should that just be done en masse or for subsets of ports at a time?

comment:11 Changed 3 years ago by ken-cunningham-webuse

In 939497411387692d03939323f0e626b728946a4c/macports-ports (master):

openssl11: older version of openssl

similar to openssl10, this port provides openssl 1.1.1,
for ports that may not be compatible with openssl 3.x

to use it, you add the following to the Portfile of
the port you want to force to openssl 1.1 (using botan as an example):

% cat botan-use-openssl1.1.diff
diff --git a/security/botan/Portfile b/security/botan/Portfile
index a6862250901..9f6ab677987 100644
--- a/security/botan/Portfile
+++ b/security/botan/Portfile
@@ -2,6 +2,7 @@

PortSystem 1.0
PortGroup muniversal 1.0

+PortGroup old_openssl 1.0

PortGroup legacysupport 1.0
# for arc4random_buf(), which is missing on 10.6 (Darwin 10)
legacysupport.newest_darwin_requires_legacy 10
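
Review bot: the added PortGroup old_openssl 1.0 line carries no comment saying why botan is pinned to the older OpenSSL branch or what has to happen before the pin can be dropped. A one-line comment above it, naming the ticket that tracks OpenSSL 3 compatibility, would keep the pin from outliving its reason; the legacysupport lines just below it already document their purpose this way.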

@@ -32,6 +33,9 @@ checksums rmd160 f3a4c1b963b47d543430f8705d7db87c64e013b9 \

depends_build port:python27
depends_lib path:lib/libssl.dylib:openssl port:zlib port:bzip2

+openssl.branch 1.1
+openssl.configure build_flags
+

# respect MacPorts configure values
patchfiles-append patch-compiler_flags.diff \

patch-fix-install-with-destdir.diff \
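
Review bot: openssl.branch and openssl.configure are added directly below depends_lib, but nothing in the Portfile records that this position is required. The commit message says they must follow depends_lib to be picked up, so a short comment on these two lines would stop a later reorder from leaving them without effect. The unchanged depends_lib context line also still names path:lib/libssl.dylib:openssl; it is worth confirming that the port group rewrites that dependency, since the hunk does not touch it.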

NB: the openssl.branch and openssl.configure options need to be
placed after depends_lib to be properly picked up. That may
be fixed with adding a callback function to the old_openssl PG.

see: #63461

comment:12 Changed 3 years ago by kencu (Ken)

That should do it. Almost identical to openssl10, only minor changes. I tried it out with a couple of builds, and it seems right to me.

Please give it a try.

The livecheck is not registering right, but it looks like it should once they settle into the move to openssl 3.0, so I'm leaving it like it is for now.

Once we confirm that this reliably supports ports like it did for openssl 1.0, we can then update openssl to 3.0, and use openssl11 as a fallback for those that fail.

At least -- sounds good on paper :>

comment:13 Changed 3 years ago by kencu (Ken)

Clemens will update this when he chooses, but if you want to try out openssl 3.0 and see if your various ports build against it, there is a PR here you can try:

https://github.com/macports/macports-ports/pull/12410

I count a little over 750 ports that will need to be revbumped (some might be doubles, in the python and perl crowd).

comment:14 Changed 3 years ago by kencu (Ken)

It didn't take too long to run into some troubles. ruby26 is being a bit of a headache #63550.

and then there is the libressl issue to make sure we consider too.

comment:15 Changed 3 years ago by danchr (Dan Villiom Podlaski Christiansen)

Cc: danchr added

comment:16 Changed 3 years ago by mascguy (Christopher Nielsen)

comment:17 Changed 3 years ago by mascguy (Christopher Nielsen)

Cc: mascguy removed

comment:18 Changed 3 years ago by ostefano (Stefano Ortolani)

I think mysql57 might be affected as well:

:info:configure -- suffixes <.a;.so;.dylib;.tbd>
:info:configure -- OPENSSL_INCLUDE_DIR = /opt/local/libexec/openssl3/include
:info:configure -- OPENSSL_LIBRARY = /opt/local/libexec/openssl3/lib/libssl.a
:info:configure -- CRYPTO_LIBRARY = /opt/local/libexec/openssl3/lib/libcrypto.a
:info:configure -- OPENSSL_MAJOR_VERSION =
:info:configure -- OPENSSL_MINOR_VERSION =
:info:configure -- OPENSSL_FIX_VERSION =
:info:configure CMake Error at cmake/ssl.cmake:247 (MESSAGE):
:info:configure   SSL version must be at least 1.1.1
:info:configure Call Stack (most recent call first):
:info:configure   CMakeLists.txt:568 (MYSQL_CHECK_SSL)
:info:configure -- Configuring incomplete, errors occurred!

Any workaround? Current setup here is:

  openssl @3_0 (active)
  openssl3 @3.0.0_2 (active)
  openssl11 @1.1.1l_5 (active)
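
The configure log above reports empty OPENSSL_*_VERSION fields for the openssl3 include directory. As an added example (not from the ticket, MacPorts or mysql57), this shell function reads the version from opensslv.h under both header layouts: the single hex literal used by 1.1.1 and the separate MAJOR/MINOR/PATCH macros of 3.x. The function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not MacPorts or OpenSSL code): report the OpenSSL version
# that an include directory declares in openssl/opensslv.h.

# Print the leading numeric token of "#define NAME <value>", if present.
macro_value() {
    sed -n "s/^#[[:space:]]*define[[:space:]][[:space:]]*$1[[:space:]][[:space:]]*\([0-9A-Fa-fxL]*\).*/\1/p" "$2" | head -n 1
}

openssl_header_version() {
    hdr="$1/openssl/opensslv.h"
    [ -r "$hdr" ] || { echo "cannot read $hdr" >&2; return 2; }
    # 3.x layout: separate decimal MAJOR / MINOR / PATCH macros.
    major=$(macro_value OPENSSL_VERSION_MAJOR "$hdr")
    if [ -n "$major" ]; then
        echo "$major.$(macro_value OPENSSL_VERSION_MINOR "$hdr").$(macro_value OPENSSL_VERSION_PATCH "$hdr")"
        return 0
    fi
    # 1.1.1 layout: one hex literal 0xMNNFFPPSL (PP indexes the patch letter).
    hex=$(macro_value OPENSSL_VERSION_NUMBER "$hdr")
    hex=${hex#0x}; hex=${hex%L}
    case "$hex" in
        *[!0-9A-Fa-f]*|"") echo "no parsable version in $hdr" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 8 ] || { echo "unexpected literal in $hdr" >&2; return 1; }
    m=$(printf %s "$hex" | cut -c1);   n=$(printf %s "$hex" | cut -c2-3)
    f=$(printf %s "$hex" | cut -c4-5); p=$(printf %s "$hex" | cut -c6-7)
    letter=""
    if [ $((0x$p)) -gt 0 ]; then letter=$(printf abcdefghijklmnopqrstuvwxyz | cut -c$((0x$p))); fi
    echo "$((0x$m)).$((0x$n)).$((0x$f))$letter"
}

# Constructed sample headers, trimmed to the version lines, for an offline run.
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/v11/openssl" "$d/v3/openssl"
    echo '# define OPENSSL_VERSION_NUMBER  0x101010cfL' > "$d/v11/openssl/opensslv.h"
    cat > "$d/v3/openssl/opensslv.h" <<'EOF'
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  0
# define OPENSSL_VERSION_NUMBER \
    ((OPENSSL_VERSION_MAJOR<<28) | (OPENSSL_VERSION_MINOR<<20))
EOF
    echo "$d"
}

samples=$(make_samples)
for inc in "$samples/v11" "$samples/v3"; do echo "${inc##*/}: $(openssl_header_version "$inc")"; done
rm -rf "$samples"
```

Pointing the function at a real include directory, such as the /opt/local/libexec/openssl3/include path from the log, shows which version a build would compile against.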

comment:19 in reply to:  18 Changed 3 years ago by reneeotten (Renee Otten)

Resolution: fixed
Status: assigned → closed

openssl3 changes committed here.

Replying to ostefano:

> I think mysql57 might be affected as well:

please open a separate ticket for that.

comment:20 Changed 3 years ago by conradwt (Conrad Taylor)

How is this fixed because everything that I attempt to build outside of MacPorts breaks with OpenSSL3 and depends on OpenSSL1.1? I cannot locate openssl_select or any such port at this time. What's the fix for this?

comment:21 Changed 3 years ago by reneeotten (Renee Otten)

if you want to compile things outside of MacPorts you'll probably have to specify where it should look for the libraries/includes. You can check where the files are installed with port contents <portname>, where portname is for example openssl11 or openssl3.

Last edited 3 years ago by reneeotten (Renee Otten)

comment:22 Changed 3 years ago by conradwt (Conrad Taylor)

I'll just set a symlink to use OpenSSL 1.1 until all sources and applications are upgraded to use OpenSSL 3.0
