[Bug 1205042] New: [TRACKERBUG] Set openssl 3.0.7 as the default openssl in TW
https://bugzilla.suse.com/show_bug.cgi?id=1205042

            Bug ID: 1205042
           Summary: [TRACKERBUG] Set openssl 3.0.7 as the default openssl in TW
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: screening-team-bugs@suse.de
          Reporter: pmonrealgonzalez@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

This tracker-bug will be used for the switch from OpenSSL 1.1.1x to version 3.0.7 in TW and collects information about the main changes in version 3.0.x and the list of packages that need to be adapted for the upgrade.

Major changes in 3.0.0:

* OpenSSL 3.0 is a major release and consequently any application that currently uses an older version of OpenSSL will at the very least need to be recompiled in order to work with the new version.
* The OpenSSL versioning scheme has changed with the 3.0 release to the format MAJOR.MINOR.PATCH. The patch level is indicated by the third number instead of a letter.
* Providers and FIPS support: providers collect together and make available algorithm implementations.
* Use of the low level APIs has been deprecated.
* Some cryptographic algorithms that were available via the EVP APIs are now considered legacy and their use is strongly discouraged.
* Engines and "METHOD" APIs are deprecated and shall be transformed to providers.

OpenSSL 3.0.0 design:
* https://www.openssl.org/docs/OpenSSL300Design.html

Migration guide:
* https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL wiki:
* https://wiki.openssl.org/index.php/OpenSSL_3.0

-- 
You are receiving this mail because:
You are on the CC list for the bug.
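Two of the bullets in the report above, the new MAJOR.MINOR.PATCH numbering and the move of legacy algorithms out of the default provider, are the ones that bite packagers and language bindings first. The following Python is an added example for this page, not code from the bug report or from OpenSSL. It decodes OPENSSL_VERSION_NUMBER under both the 1.1.1 layout (0xMNNFFPPS, patch as a letter) and the 3.0 layout (0xMNN00PPS, patch as a number), the integer Python exposes as ssl.OPENSSL_VERSION_NUMBER, and probes through hashlib which digests the linked libcrypto still serves without the legacy provider. The two version constants are constructed for the example (1.1.1s and 3.0.7, the versions this tracker moves between); which legacy digests resolve on a given host depends on its openssl.cnf.

```python
import hashlib
import ssl

# Layout of OPENSSL_VERSION_NUMBER (opensslv.h):
#   1.1.1:  0xMNNFFPPS  M=major, NN=minor, FF=fix, PP=patch letter (1='a'), S=status
#   3.0+:   0xMNN00PPS  M=major, NN=minor, PP=patch number, S=0xf for a release, 0 for pre-release
# Constructed inputs for this example: 1.1.1s and 3.0.7.
OPENSSL_1_1_1S = 0x1010113F
OPENSSL_3_0_7 = 0x3000007F


def decode_openssl_version_number(n):
    """Return the human-readable version string for a packed OPENSSL_VERSION_NUMBER."""
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    status = n & 0xF
    if major >= 3:
        # 3.x: no fix byte, numeric patch level, no letters.
        patch = (n >> 4) & 0xFF
        text = f"{major}.{minor}.{patch}"
        if status == 0:
            text += "-dev"  # pre-release builds carry status 0
        return text
    # 1.x: fix byte plus a patch letter; status 0 = dev, 1..0xe = beta, 0xf = release.
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    text = f"{major}.{minor}.{fix}"
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status != 0xF:
        text += f"-beta{status}"
    return text


def is_openssl3_or_later(n):
    """The major lives in the top nibble in both layouts, so this check is layout independent."""
    return ((n >> 28) & 0xF) >= 3


def linked_openssl_version():
    """What the running interpreter's libcrypto reports (host dependent, so not asserted)."""
    return decode_openssl_version_number(ssl.OPENSSL_VERSION_NUMBER), ssl.OPENSSL_VERSION


# Digests that OpenSSL 3.0 moved to the legacy provider, plus controls that stay in the
# default provider (MD5 never left; RIPEMD160 was put back into the default provider in 3.0.7).
LEGACY_DIGESTS = ("md4", "whirlpool")
DEFAULT_DIGESTS = ("md5", "ripemd160", "sha256")


def digest_availability(names):
    """Map digest name -> True if hashlib (backed by libcrypto) can construct it here.

    On OpenSSL 3 without the legacy provider activated in openssl.cnf, hashlib.new("md4")
    raises ValueError("unsupported hash type md4"); on 1.1.1 it succeeds.
    """
    available = {}
    for name in names:
        try:
            hashlib.new(name)
            available[name] = True
        except ValueError:
            available[name] = False
    return available


if __name__ == "__main__":
    version, banner = linked_openssl_version()
    print(f"libcrypto: {banner} (decoded {version}, "
          f"openssl3={is_openssl3_or_later(ssl.OPENSSL_VERSION_NUMBER)})")
    for name, ok in digest_availability(LEGACY_DIGESTS + DEFAULT_DIGESTS).items():
        print(f"  {name:10s} {'available' if ok else 'MISSING (legacy provider not loaded?)'}")
```

Run it under the 1.1.1 and the 3.0.7 interpreter of a staging build to see the two columns differ: a build script that still expects the patch letter (or compares OPENSSL_VERSION_NUMBER against 0x1010100f-style constants) needs the major-nibble check above, and a package whose test-suite needs MD4 or Whirlpool has to ship an openssl.cnf that activates the legacy provider rather than rely on the default one.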
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c1
--- Comment #1 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c2
--- Comment #2 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c3
--- Comment #3 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c4
--- Comment #4 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c5
--- Comment #5 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c6
--- Comment #6 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c7
--- Comment #7 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c8
Marcus Meissner
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c9
--- Comment #9 from Adam Majer
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c12
--- Comment #12 from Otto Hollmann
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c13
Pedro Monreal Gonzalez
For the record, I'm working on rebasing OpenSSH to 9.1. There are quite a lot of SUSE-specific patches that need to be rebased. Some patches also need to be adapted to openssl-3, but it should be doable.

I'm also adding Hans Petter in CC since he is the openssh maintainer.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c14
--- Comment #14 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c15
--- Comment #15 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c17
--- Comment #17 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c18
--- Comment #18 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c19
--- Comment #19 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c20
--- Comment #20 from Adam Majer
> php7 buildfailure against openssl-3 was also fixed by Petr. Only packages that need adaptation are openssh and nodejs18/19.

For the record, nodejs18 and nodejs19 are compiled upstream with vendored OpenSSL 3.0 and their unit tests take this into account. So problems here are incompatibilities between how we build openssl vs. how they build it (and probably how others build it too).

What I'm seeing in the tests is that there is some unregistered scheme that we are not building. Looks like the file:// scheme is not supported? I will try to find some time later today and see if I can narrow this down to what configuration seems to be different from the upstream build.

  # not ok 2884 parallel/test-tls-sni-option
    ---
    duration_ms: 1.809
    severity: fail
    exitcode: 1
    stack: |-
      node:events:491
            throw er; // Unhandled 'error' event
            ^

      Error: 4081FBD8297F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
      Emitted 'error' event on TLSSocket instance at:
          at TLSSocket._emitTLSError (node:_tls_wrap:908:10)
          at TLSWrap.onerror (node:_tls_wrap:439:11) {

  # ../node18 parallel/test-tls-key-mismatch.js
  'Error: error:16000069:STORE routines::unregistered scheme'
      at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:41:8)
      at Module._compile (node:internal/modules/cjs/loader:1159:14)
      at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
      at Module.load (node:internal/modules/cjs/loader:1037:32)
      at Module._load (node:internal/modules/cjs/loader:878:12)
      at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
      at node:internal/main/run_main_module:23:47 {
    generatedMessage: true,
    code: 'ERR_ASSERTION',
    actual: Error: error:16000069:STORE routines::unregistered scheme
        at setKey (node:internal/tls/secure-context:92:11)
        at configSecureContext (node:internal/tls/secure-context:174:7)
        at Object.createSecureContext (node:_tls_common:117:3)
        at /home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:42:7
        at getActual (node:assert:757:5)
        at Function.throws (node:assert:903:24)
        at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.12.1/test/parallel/test-tls-key-mismatch.js:41:8)
        at Module._compile (node:internal/modules/cjs/loader:1159:14)
        at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
        at Module.load (node:internal/modules/cjs/loader:1037:32) {
      opensslErrorStack: [
        'error:05800074:x509 certificate routines::key values mismatch',
        'error:80000002:system library::No such file or directory'
      ],
      library: 'STORE routines',
      reason: 'unregistered scheme',
      code: 'ERR_OSSL_OSSL_STORE_UNREGISTERED_SCHEME'
    },
    expected: /^Error: error:05800074:x509 certificate routines::key values mismatch$/,
    operator: 'throws'
  }
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c21
--- Comment #21 from Pedro Monreal Gonzalez
> (In reply to Pedro Monreal Gonzalez from comment #19)
> > php7 buildfailure against openssl-3 was also fixed by Petr. Only packages that need adaptation are openssh and nodejs18/19.
>
> For the record, nodejs18 and nodejs19 are compiled upstream with vendored OpenSSL 3.0 and their unit tests take this into account. So problems here are incompatibilities between how we build openssl vs. how they build it (and probably how others build it too). What I'm seeing in the tests is that there is some unregistered scheme that we are not building. Looks like the file:// scheme is not supported?
> [...]

Adam, thanks for the details. I could find this recently reported issue in openssl upstream for nodejs in [0] and that it has been fixed in commit [1]. I'll commit the patch soon and see if there is something else, OK?

[0] https://github.com/openssl/openssl/pull/12901
[1] https://github.com/openssl/openssl/commit/c60b5723194952d2e4bbfc1e4a3eb07b75...
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c22
--- Comment #22 from Pedro Monreal Gonzalez
> (In reply to Adam Majer from comment #20)
> > (In reply to Pedro Monreal Gonzalez from comment #19)
> > > php7 buildfailure against openssl-3 was also fixed by Petr. Only packages that need adaptation are openssh and nodejs18/19.
> >
> > For the record, nodejs18 and nodejs19 are compiled upstream with vendored OpenSSL 3.0 and their unit tests take this into account. So problems here are incompatibilities between how we build openssl vs. how they build it (and probably how others build it too). What I'm seeing in the tests is that there is some unregistered scheme that we are not building. Looks like the file:// scheme is not supported?
> > [...]
>
> Adam, thanks for the details. I could find this recently reported issue in openssl upstream for nodejs in [0] and that it has been fixed in commit [1]. I'll commit the patch soon and see if there is something else, OK?
>
> [0] https://github.com/openssl/openssl/pull/12901
> [1] https://github.com/openssl/openssl/commit/c60b5723194952d2e4bbfc1e4a3eb07b7581edd9

OK, that one is already in. I'm looking into this one:
* https://github.com/openssl/openssl/pull/16452
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c23
Pedro Monreal Gonzalez
  actual: Error: error:80000002:system library::No such file or directory
      at setKey (node:internal/tls/secure-context:92:11)

Fail in context.setKey(key, passphrase);

2) Tests parallel/test-tls-set-ciphers-error sequential/test-tls-connect

  actual: Error: error:80000002:system library::No such file or directory
      at configSecureContext (node:internal/tls/secure-context:230:11)

Fail in context.setCiphers(cipherList);

I just don't know how to debug this further. I will submit the new version to the staging project and it should be ready for testing tomorrow.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c24
--- Comment #24 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c25
--- Comment #25 from Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c26
--- Comment #26 from Adam Majer
Example of error now in nodejs:

  [ 1611s] AssertionError [ERR_ASSERTION]: The input did not match the regular expression /no cipher match/i. Input:
  [ 1611s]
  [ 1611s] 'Error: error:80000002:system library::No such file or directory'
  [ 1611s]   actual: Error: error:80000002:system library::No such file or directory
  [ 1611s]     opensslErrorStack: [ 'error:0A0000B9:SSL routines::no cipher match' ],
  [ 1611s]     library: 'system library'
  [ 1611s]   },
  [ 1611s]   expected: /no cipher match/i,
  [ 1611s]   operator: 'throws'

So, I've removed some lines from the error message. It looks like there are 2 errors: the "no file/directory" one, and the next one is the expected "no cipher match".

- Adam
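Comments #20, #23 and #26 above all show the same pattern: Node surfaces one OpenSSL error as `actual` and parks the remaining queue entries in `opensslErrorStack`, and in #26 the entry in front is a system-library ENOENT while the one the test expects ("no cipher match") sits behind it. The Python below is an added example written for this page, not code from the bug report, from Node or from OpenSSL. It unpacks the 3.0-style `error:XXXXXXXX` codes using the packed layout from OpenSSL 3.0's err.h (library number in bits 23-30, reason in the low 23 bits, bit 31 marking a system errno) and, given a reported error plus its stack in the order Node prints them, separates a leading file-access errno from the first error that actually came from the operation under test. The sample lines are copied from the comments above; the library-name table covers only the libraries they mention.

```python
import re
from dataclasses import dataclass

# Packed error-code layout from OpenSSL 3.0 include/openssl/err.h.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_SYSTEM_FLAG = 0x80000000  # set => the low 31 bits hold an errno value
ERR_SYSTEM_MASK = 0x7FFFFFFF
ERR_LIB_SYS = 2

# ERR_LIB_* numbers for the libraries that appear in this thread (subset of err.h).
LIB_NAMES = {
    2: "system library",
    11: "x509 certificate routines",
    20: "SSL routines",
    44: "STORE routines",
}

# Sample lines copied from comments #20 and #26 above.
SAMPLE_UNREGISTERED_SCHEME = (
    "4081FBD8297F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:"
    "unregistered scheme:crypto/store/store_register.c:237:scheme=file"
)
SAMPLE_ACTUAL_ENOENT = "error:80000002:system library::No such file or directory"
SAMPLE_STACK_NO_CIPHER = ["error:0A0000B9:SSL routines::no cipher match"]
SAMPLE_STACK_KEY_MISMATCH = [
    "error:05800074:x509 certificate routines::key values mismatch",
    "error:80000002:system library::No such file or directory",
]

# error:<8 hex>:<library>:<function, empty unless built with debug info>:<reason>[:file:line:data]
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")


@dataclass(frozen=True)
class OsslError:
    code: int
    lib: int
    reason: int  # reason code, or the errno when is_system is True
    lib_text: str
    func_text: str
    reason_text: str
    is_system: bool

    @property
    def lib_name(self):
        return LIB_NAMES.get(self.lib, f"lib#{self.lib}")


def parse_openssl3_error(line):
    """Parse one 'error:XXXXXXXX:lib:func:reason' entry; a leading thread id is ignored."""
    m = _ERR_RE.search(line)
    if m is None:
        raise ValueError(f"not an OpenSSL 3 error line: {line!r}")
    code = int(m.group(1), 16)
    is_system = bool(code & ERR_SYSTEM_FLAG)
    if is_system:
        lib, reason = ERR_LIB_SYS, code & ERR_SYSTEM_MASK
    else:
        lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
        reason = code & ERR_REASON_MASK
    return OsslError(code, lib, reason, m.group(2), m.group(3), m.group(4), is_system)


def split_stale_errno(actual, stack):
    """Return (stale_errno, real_error) for Node's `actual` message plus `opensslErrorStack`.

    The entries are taken in the order Node prints them, which in the samples is the order
    ERR_get_error() drains the thread's queue: oldest first. stale_errno is a leading
    system-library entry that precedes a non-system one, i.e. a file-access error some
    earlier call left behind; real_error is the first non-system entry.
    """
    entries = [parse_openssl3_error(actual)] + [parse_openssl3_error(s) for s in stack]
    stale = None
    for entry in entries:
        if entry.is_system:
            if stale is None:
                stale = entry
            continue
        return stale, entry
    return None, entries[0]


if __name__ == "__main__":
    e = parse_openssl3_error(SAMPLE_UNREGISTERED_SCHEME)
    print(f"{e.lib_name} (lib {e.lib}) reason {e.reason}: {e.reason_text} in {e.func_text}")
    stale, real = split_stale_errno(SAMPLE_ACTUAL_ENOENT, SAMPLE_STACK_NO_CIPHER)
    print(f"stale errno {stale.reason} ({stale.reason_text}); real error: {real.reason_text}")
```

Applied to the #26 output this yields errno 2 in front of "no cipher match": whatever failed to open a file earlier in the same thread did not clear the queue, so the next operation (context.setCiphers) reports the leftover first and the test's regex never sees its own error. Applied to the #20 output the leading entry is a real STORE error ("unregistered scheme", lib 44), so nothing is stripped. On the consumer side, calling ERR_clear_error() before an operation whose error you intend to inspect is the usual defence against this kind of queue pollution; on the producer side, an error that is pushed and then ignored has to be cleared by the code that ignored it.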
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c27
--- Comment #27 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c28
--- Comment #28 from Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c29
--- Comment #29 from Pedro Monreal Gonzalez
> well Error: error:80000002:system library::No such file or directory sounds like a serious issue found by the testsuite, so I don't think skipping is appropriate. Hence my suggestion to hardcode 1.x for now until we have had time to analyze it.

I think it's a missing pem file from the test suite but, as I said, I don't know how to debug it further from nodejs.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c31
--- Comment #31 from Adam Majer
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c32
--- Comment #32 from Pedro Monreal Gonzalez
> I've checked with embedded openssl in nodejs19 and sadly I'm getting similar results with failed unit tests. I will have to look at this more closely - perhaps I'm doing things wrong there.

Thanks for checking this. I'm also looking into this from the openssl side.

> In the meantime, I've prepared nodejs19 to build with openssl-1_1, but when trying to build against Staging:N with openssl-3 as default, I cannot install 1.1.1 openssl:
>
>   [    8s] now installing cumulated packages
>   [    9s] Preparing...                          ########################################
>   [    9s] file /etc/ssl/openssl.cnf conflicts between attempted installs of openssl-1_1-1.1.1s-2.4.x86_64 and libopenssl3-3.0.7-2.11.x86_64
>   [    9s] exit ...
>
> It seems the config file is part of a shared library?

In Staging:N, the current openssl-1_1 ships openssl.cnf, and I have modified it to be called openssl-1_1.cnf for the transition to default openssl, but this new version is not yet in Staging:N; that should fix the conflict. I'll submit sometime today, as there is a running security update for openssl-3 in the middle. I have also moved the config file to be shipped by the library, since it can be installed without the CLI and I think it should be the right package to ship it. But we can keep the cnf file in the CLI if both packages should always be installed together.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c33
--- Comment #33 from Otto Hollmann
There are still some warnings about deprecated functions (if built with OpenSSL 3), but they will be resolved by the OpenSSH version upgrade.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c34
--- Comment #34 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c35
--- Comment #35 from Pedro Monreal Gonzalez
The new mariadb build failure in test pl.rpl_change_master_demote seems to be due to a flaky test, as mentioned upstream in:
* https://github.com/MariaDB/server/commit/9bf5274929

This patch is already in the mariadb version shipped in Factory.

I discussed this with the mariadb maintainer and he is going to disable this test. Note also this bug report from upstream, as they noticed its flakiness:
* https://jira.mariadb.org/browse/MDEV-29517
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c36
--- Comment #36 from Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c37
--- Comment #37 from Pedro Monreal Gonzalez
> JFTR, this patch that was added in openssl-3 is breaking python3* in staging:N
>
> * Make file access errors much more readable: APPS load_key_certs_crls()
>   openssl-OSSL_STORE_open_ex-Prevent-spurious-error-unregister.patch
>
> It appears it is the subject of multiple regressions; I see merged and unmerged fixes in this area as follow-ups to it. I'm trying to find the right set of patches to cherry-pick onwards, but if we don't have a strong reason to keep it, dropping it would fix 3-4 build failures.

Yes, thanks! That patch was added trying to fix some nodejs regression tests. It turned out that the problem was elsewhere, see bsc#1207484. Removing that patch fixes other build failures.
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c43
Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c44
--- Comment #44 from Pedro Monreal Gonzalez
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c45
--- Comment #45 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1205042#c46
--- Comment #46 from Swamp Workflow Management