[Bug 1172267] New: OpenSSL 3.0.0 upgrade tracker bug
http://bugzilla.suse.com/show_bug.cgi?id=1172267 Bug ID: 1172267 Summary: OpenSSL 3.0.0 upgrade tracker bug Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: vcizek@suse.com Reporter: vcizek@suse.com QA Contact: qa-bugs@suse.de CC: jsikes@suse.com, meissner@suse.com, pmonrealgonzalez@suse.com Found By: --- Blocker: --- This bug collects the challenges and packages that need to be adapted for OpenSSL 3.0.0 upgrade. Major changes in 3.0.0: * OpenSSL 3.0 is a major release and consequently any application that currently uses an older version of OpenSSL will at the very least need to be recompiled in order to work with the new version. * The OpenSSL versioning scheme has changed with the 3.0 release to format: MAJOR.MINOR.PATCH The patch level is indicated by the third number instead of a letter * Providers and FIPS support Providers collect together and make available algorithm implementations. * Use of the low level APIs have been deprecated. * Some cryptographic algorithms that were available via the EVP APIs are now considered legacy and their use is strongly discouraged. * Engines and "METHOD" APIs are deprecated and shall be transformed to providers Detailed list of changes since 1.1.1: https://www.openssl.org/news/changelog.html#openssl-30 The final release is planned for 2020 early Q4. https://www.openssl.org/policies/releasestrat.html OpenSSL 3.0.0 wiki: https://wiki.openssl.org/index.php/OpenSSL_3.0 Design changes in 3.0.0: https://www.openssl.org/docs/OpenSSL300Design.html -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1172267 http://bugzilla.suse.com/show_bug.cgi?id=1172267#c2 Vítězslav Čížek <vcizek@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS CC| |vcizek@suse.com --- Comment #2 from Vítězslav Čížek <vcizek@suse.com> --- Preliminary scan of packages that failed to build with OpenSSL 3.0 in the staging: dd_rescue neon nodejs10 qpdf transmission -> All have various testsuite failures libssh rust -> cmake couldn't detect the new openssl, shall be fixed by the cmake update from comment 1. fipscheck freerdp nodejs8 openssh perl-Net-SSLeay -> FIPS_mode() is gone. FIPS_mode() and FIPS_mode_set() were removed and replaced by EVP_default_properties_is_fips_enabled() and EVP_default_properties_enable_fips(). As providers are per-context, the new functions take a library context (OPENSSL_CTX) parameter kmbox kubernetes1.18 -> Unknown failures libarchive -> RMD160 test fails, probably because the cipher has been moved to the legacy provider memcached qpid-proton -> SSL_CTX_load_verify_locations() was deprecated in 3.0 and these packages compile with -Werror, which causes a build failure. However, the deprecation was recently reverted in https://github.com/openssl/openssl/commit/c7f837cfcc5b2e5cd8eeeff82e0245323f..., so these packages should build fine as is. openssl-3 :-) -> Seems that 30-test_evp.t fails on occasions python python-cryptography python-ecdsa python-M2Crypto python-pycurl:test python-tornado6 python3 -> All failed in the tests Some failures are related to the problematic change of EOF handling from OpenSSL 1.1.1e, which at this time is left in 3.0.0, but the EOF error will be relaxed before 3.0.0 final (see the thread at https://mta.openssl.org/pipermail/openssl-project/2020-May/001975.html) -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 https://bugzilla.suse.com/show_bug.cgi?id=1172267#c3 --- Comment #3 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> --- Staging project for openssl-3: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:O -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 https://bugzilla.suse.com/show_bug.cgi?id=1172267#c4 --- Comment #4 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> --- Python upstream bug: Make Python compatible with OpenSSL 3.0.0: https://bugs.python.org/issue38820 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 V��t��zslav ������ek <vcizek@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|vcizek@suse.com |pmonrealgonzalez@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Bug 1172267 depends on bug 1187024, which changed state. Bug 1187024 Summary: OpenSSL 3.0 conflicts + obsoletes in packaging breaks creating Tumbleweed chroots https://bugzilla.suse.com/show_bug.cgi?id=1187024 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|OpenSSL 3.0.0 upgrade |[TRACKERBUG] OpenSSL 3.0.0 |tracker bug |upgrade tracker bug -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1186715 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 https://bugzilla.suse.com/show_bug.cgi?id=1172267#c6 --- Comment #6 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> --- New staging project to check for build failures: openSUSE:Factory:Staging:Gcc7 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1190566 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1193740 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 Bug 1172267 depends on bug 1193740, which changed state. Bug 1193740 Summary: VUL-1: CVE-2021-4044: openssl-3: Invalid handling of X509_verify_cert() internal errors in libssl https://bugzilla.suse.com/show_bug.cgi?id=1193740 What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |UPSTREAM -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1172267 https://bugzilla.suse.com/show_bug.cgi?id=1172267#c7 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #7 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> --- Released. Closing. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com