Re: OpenSSL legacy provider is broken

Wed, 13 Aug 2025 18:27:57 -0700 

On 2025-08-10 06:53, Pierre Pronchery wrote:

                        Hey,


On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya) <[email protected]> 
wrote:



On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <[email protected]> wrote:

Previously this worked

[brane] /usr/ports # openssl list -providers -provider legacy
Providers:
legacy
   name: OpenSSL Legacy Provider
   version: 3.0.16
   status: active

Since the build last night,

[router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
list: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared 
library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so):
 /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load 
the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
10B045DBE7340000:error:07880025:common libcrypto 
routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy

and freeradius doesn't start because of this:

[router] /usr/ports/net/freeradius3 # radiusd -fX
FreeRADIUS Version 3.2.7
...
(TLS) Failed loading legacy provider

I haven't yet figured out what part of my EAP configuration needs the legacy 
provider. It may be that EAP just needs a working legacy provider because it 
looks like the EAP module unconditionally attempts to load the provider and 
fails.


It could well be that it does.

Regardless I didn’t mean to break the legacy provider, but it’s
certainly because of the OpenSSL 3.5.1 import. Sorry!

I have pushed a partial fix here, and will keep pushing to that
branch until I get it to work fully again:
https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy


That fixes this missing symbol, but here's the next error:

[router] ~ # openssl list -providers -provider legacy
list: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx" 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147: 10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
Is there a target/directory I can make in that compile will compile just this? The no clean default on buildworld doesn't seem to work and compiling everything takes forever. 

Ian

Reply via email to