https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c1 --- Comment #1 from Pedro Monreal Gonzalez --- Staging project to test the changes: * https://build.opensuse.org/project/show/openSUSE:Factory:Staging:N -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c3 --- Comment #3 from Pedro Monreal Gonzalez --- Note that, FIPS_mode() and FIPS_mode_set() have been removed and replaced by EVP_default_properties_is_fips_enabled() and EVP_default_properties_enable_fips() respectively. If needed, we could add this patch for compatibility: * https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0008-Add-FIP... -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c5 --- Comment #5 from Pedro Monreal Gonzalez --- Update xmlsec1 to 1.2.36 that contains the openssl 3.0 adaption: * https://build.opensuse.org/request/show/1033572 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c7 --- Comment #7 from Pedro Monreal Gonzalez --- After renaming the openssl-3 binary to openssl lots of build failures have been fixed and now the list has been reduced to 14. The only packages that remain to be fixed are: * appx-util -> Fixed by Fedora folks here https://src.fedoraproject.org/rpms/appx-util/blob/rawhide/f/0001-Add-support... * fipscheck -> Fix submitted, see comment#4 * ibmtss -> 1) See the openss-3 fixes in next branch https://sourceforge.net/p/ibmtpm20tss/tss/ci/next/tree/ 2) could also be built not requiring a crypto library (--enable-nocrypto, -DTPM_TSS_NOCRYPTO) https://sourceforge.net/p/ibmtpm20tss/tss/ci/master/tree/ * libftdi1 -> Build failure not related to openssl-3 * nodejs18 -> nodejs18.spec:273: bad %if condition (if condition needs to adapt for openssl-3) * nodejs19 -> nodejs19.spec:272: bad %if condition (if condition needs to adapt for openssl-3) * openssh -> Rebase to 9.0p1 should fix it * php7 -> Needs adaption of deprecated functions. * python-eventlet -> Temporarily disable test_017_ssl_zeroreturnerror also in python3.8 (add skiptests+=" or test_017_ssl_zeroreturnerror") * python-M2Crypto -> Fixed by Fedora folks here https://src.fedoraproject.org/rpms/m2crypto/tree/rawhide * python-pyzmq -> Skip failing test in python310 (add SKIPPED_TESTS+=" or test_on_recv_basic") * python-Twisted -> Not sure yet! * qpid-proton -> Fix submitted, see comment#4 * xmlsec1 -> Fix submitted, see comment#5 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c8 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |amajer@suse.com --- Comment #8 from Marcus Meissner --- Adam, can you take a look at the nodejs18 and nodejs19 fails here? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c12 --- Comment #12 from Otto Hollmann --- For the record, I'm working on rebasing OpenSSH to 9.1. There are quite a lot SUSE specific patches that need to be rebased. Some patches also need to be adapted to openssl-3 but it should be doable. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c14 --- Comment #14 from Pedro Monreal Gonzalez --- appx-utils: https://build.opensuse.org/request/show/1034816 python-eventlet: https://build.opensuse.org/request/show/1034824 python-pyzmq: https://build.opensuse.org/request/show/1034831 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 Pedro Monreal Gonzalez changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|[TRACKERBUG] Set openssl |[TRACKERBUG] Set OpenSSL |3.0.7 as the default |3.0 as the default openssl |openssl in TW |in TW -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c18 --- Comment #18 from Pedro Monreal Gonzalez --- ibmtss: https://build.opensuse.org/request/show/1037119 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c20 --- Comment #20 from Adam Majer --- (In reply to Pedro Monreal Gonzalez from comment #19)

php7 buildfailure against openssl-3 was also fixed by Petr. Only packages that need adaption are openssh and nodejs18/19.

For the record, nodejs18 and nodejs19 are compiled upstream with vendored OpenSSL 3.0 and their unit tests take this into account. So problems here are incompatibilities between how we build openssl vs. how they build it (and probably how others build it too) What I'm seeing in the tests that that there is some unregistered scheme that we are not building. Looks like file:// scheme is not supported? I will try to find some time later today and see if I can narrow this down to what configuration seems to be different from upstream build. # not ok 2884 parallel/test-tls-sni-option --- duration_ms: 1.809 severity: fail exitcode: 1 stack: |- node:events:491 throw er; // Unhandled 'error' event ^ Error: 4081FBD8297F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file Emitted 'error' event on TLSSocket instance at: at TLSSocket._emitTLSError (node:_tls_wrap:908:10) at TLSWrap.onerror (node:_tls_wrap:439:11) { # ../node18 parallel/test-tls-key-mismatch.js 'Error: error:16000069:STORE routines::unregistered scheme' at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:41:8) at Module._compile (node:internal/modules/cjs/loader:1159:14) at Module._extensions..js (node:internal/modules/cjs/loader:1213:10) at Module.load (node:internal/modules/cjs/loader:1037:32) at Module._load (node:internal/modules/cjs/loader:878:12) at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12) at node:internal/main/run_main_module:23:47 { generatedMessage: true, code: 'ERR_ASSERTION', actual: Error: error:16000069:STORE routines::unregistered scheme at setKey (node:internal/tls/secure-context:92:11) at configSecureContext (node:internal/tls/secure-context:174:7) at Object.createSecureContext (node:_tls_common:117:3) at /home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:42:7 at getActual (node:assert:757:5) at Function.throws (node:assert:903:24) at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:41:8) at Module._compile (node:internal/modules/cjs/loader:1159:14) at Module._extensions..js (node:internal/modules/cjs/loader:1213:10) at Module.load (node:internal/modules/cjs/loader:1037:32) { opensslErrorStack: [ 'error:05800074:x509 certificate routines::key values mismatch', 'error:80000002:system library::No such file or directory' ], library: 'STORE routines', reason: 'unregistered scheme', code: 'ERR_OSSL_OSSL_STORE_UNREGISTERED_SCHEME' }, expected: /^Error: error:05800074:x509 certificate routines::key values mismatch$/, operator: 'throws' } -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c22 --- Comment #22 from Pedro Monreal Gonzalez --- (In reply to Pedro Monreal Gonzalez from comment #21)

(In reply to Adam Majer from comment #20)

...

(In reply to Pedro Monreal Gonzalez from comment #19)

...

php7 buildfailure against openssl-3 was also fixed by Petr. Only packages that need adaption are openssh and nodejs18/19.

For the record, nodejs18 and nodejs19 are compiled upstream with vendored OpenSSL 3.0 and their unit tests take this into account. So problems here are incompatibilities between how we build openssl vs. how they build it (and probably how others build it too) What I'm seeing in the tests that that there is some unregistered scheme that we are not building. Looks like file:// scheme is not supported?

[...]

Adam, thanks for the details. I could find this recently reported issue in openssl upstream for nodejs in [0] and that it has been fixed in commit [1]. I'll commit the patch soon and see if there is something else, OK?

[0] https://github.com/openssl/openssl/pull/12901 [1] https://github.com/openssl/openssl/commit/ c60b5723194952d2e4bbfc1e4a3eb07b7581edd9

OK, that one is already in. I'm looking into this one: * https://github.com/openssl/openssl/pull/16452 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c24 --- Comment #24 from Pedro Monreal Gonzalez --- Example of error now in nodejs: [ 1611s] not ok 3733 sequential/test-tls-connect [ 1611s] --- [ 1611s] duration_ms: 0.546 [ 1611s] severity: fail [ 1611s] exitcode: 1 [ 1611s] stack: |- [ 1611s] node:assert:750 [ 1611s] throw err; [ 1611s] ^ [ 1611s] [ 1611s] AssertionError [ERR_ASSERTION]: The input did not match the regular expression /no cipher match/i. Input: [ 1611s] [ 1611s] 'Error: error:80000002:system library::No such file or directory' [ 1611s] [ 1611s] at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v19.1.0/test/sequential/test-tls-connect.js:53:10) [ 1611s] at Module._compile (node:internal/modules/cjs/loader:1205:14) [ 1611s] at Module._extensions..js (node:internal/modules/cjs/loader:1259:10) [ 1611s] at Module.load (node:internal/modules/cjs/loader:1068:32) [ 1611s] at Module._load (node:internal/modules/cjs/loader:909:12) [ 1611s] at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:82:12) [ 1611s] at node:internal/main/run_main_module:23:47 { [ 1611s] generatedMessage: true, [ 1611s] code: 'ERR_ASSERTION', [ 1611s] actual: Error: error:80000002:system library::No such file or directory [ 1611s] at configSecureContext (node:internal/tls/secure-context:230:11) [ 1611s] at Object.createSecureContext (node:_tls_common:117:3) [ 1611s] at Object.connect (node:_tls_wrap:1626:48) [ 1611s] at /home/abuild/rpmbuild/BUILD/node-v19.1.0/test/sequential/test-tls-connect.js:54:9 [ 1611s] at getActual (node:assert:757:5) [ 1611s] at Function.throws (node:assert:903:24) [ 1611s] at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v19.1.0/test/sequential/test-tls-connect.js:53:10) [ 1611s] at Module._compile (node:internal/modules/cjs/loader:1205:14) [ 1611s] at Module._extensions..js (node:internal/modules/cjs/loader:1259:10) [ 1611s] at Module.load (node:internal/modules/cjs/loader:1068:32) { [ 1611s] opensslErrorStack: [ 'error:0A0000B9:SSL routines::no cipher match' ], [ 1611s] library: 'system library' [ 1611s] }, [ 1611s] expected: /no cipher match/i, [ 1611s] operator: 'throws' [ 1611s] } [ 1611s] [ 1611s] Node.js v19.1.0 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c26 --- Comment #26 from Adam Majer --- (In reply to Pedro Monreal Gonzalez from comment #24)a

Example of error now in nodejs:

[ 1611s] AssertionError [ERR_ASSERTION]: The input did not match the regular expression /no cipher match/i. Input: [ 1611s] [ 1611s] 'Error: error:80000002:system library::No such file or directory' [ 1611s] actual: Error: error:80000002:system library::No such file or directory [ 1611s] opensslErrorStack: [ 'error:0A0000B9:SSL routines::no cipher match' ], [ 1611s] library: 'system library' [ 1611s] }, [ 1611s] expected: /no cipher match/i, [ 1611s] operator: 'throws'

So, I've removed some lines from the error message. It looks there are 2 errors. The no file/directory and the next one is the expected "no cipher match". - Adam -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c28 --- Comment #28 from Dirk Mueller --- well Error: error:80000002:system library::No such file or directory sounds like a serious issue found by the testsuite, so I don't think skipping is appropriate. hence my suggestion to hardcode 1.x for now until we had time to analyze it. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c31 --- Comment #31 from Adam Majer --- I've checked with embedded openssl in nodejs19 and sadly I'm getting similar results with failed unit tests. I will have to look at this more closely - perhaps I'm doing things wrong there. In the meantime, I've prepared nodejs19 to build with openssl-1_1 but when trying to build against Staging:N with openssl-3 as default, I cannot install 1.1.1 openssl, [ 8s] now installing cumulated packages [ 9s] Preparing... ######################################## [ 9s] file /etc/ssl/openssl.cnf conflicts between attempted installs of openssl-1_1-1.1.1s-2.4.x86_64 and libopenssl3-3.0.7-2.11.x86_64 [ 9s] exit ... [ 9s] It seems the config file is part of a shared library? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c33 --- Comment #33 from Otto Hollmann --- I finished patch for OpenSSH. Now it can be build with OpenSSL 1.1 or OpenSSL 3

https://build.opensuse.org/request/show/1043949

There are still some warnings about deprecated function (if build with OpenSSL 3), but it will be resolved by OpenSSH version upgrade. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c35 --- Comment #35 from Pedro Monreal Gonzalez --- (In reply to Pedro Monreal Gonzalez from comment #34)

The new mariadb build failure in test pl.rpl_change_master_demote seems to be due to a flaky test as mentioned upstream in: * https://github.com/MariaDB/server/commit/9bf5274929

This patch is already in the mariadb version shipped in Factory.

I discussed this with the mariadb maintainer and he is going to disable this test. Note also this bug report from upstream as they noticed its flakiness: * https://jira.mariadb.org/browse/MDEV-29517 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c37 --- Comment #37 from Pedro Monreal Gonzalez --- (In reply to Dirk Mueller from comment #36)

JFTR, this patch that was added in openssl-3 is breaking python3* in staging:N

* Make file access errors much more readable: APPS load_key_certs_crls() openssl-OSSL_STORE_open_ex-Prevent-spurious-error-unregister.patch

it appears it is subject of multiple regressions, I see merged and unmerged fixes in this area as followup of it. I'm trying to find the right set of patches to cherry-pick onwards, but if we don't have a strong reason to keep it, dropping it would fix 3-4 build failures.

Yes, thanks! That patch was added trying to fix some nodejs regression tests. It turned out that the problem was elsewhere, see bsc#1207484. Removing that patch fixes other build failures. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c44 --- Comment #44 from Pedro Monreal Gonzalez --- Thanks to everyone involved! -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205042 https://bugzilla.suse.com/show_bug.cgi?id=1205042#c46 --- Comment #46 from Swamp Workflow Management --- SUSE-SU-2023:0419-1: An update that solves 7 vulnerabilities, contains two features and has three fixes is now available. Category: security (moderate) Bug References: 1200303,1201325,1201326,1201327,1201328,1203831,1203832,1205042,1205119,1205236 CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256,CVE-2022-43548 JIRA References: PED-2097,PED-3192 Sources used: openSUSE Leap 15.5 (src): nodejs18-18.13.0-150400.9.3.1 openSUSE Leap 15.4 (src): nodejs18-18.13.0-150400.9.3.1 SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src): nodejs18-18.13.0-150400.9.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.