Change History (36)
comment:1 by , 4 weeks ago
follow-up: 5 comment:2 by , 4 weeks ago
Did a test build in chroot. Looked pretty clean but I did not log it.
All tests successful.
Files=361, Tests=4374, 37 wallclock secs ( 5.31 usr 0.42 sys + 339.35 cusr 43.32 csys = 388.40 CPU)
I don't understand cusr or csys. User and system I guess.
comment:4 by , 4 weeks ago
I think the problem might rather lie in dependent packages, since there are changes to the API.
comment:5 by , 4 weeks ago
Replying to Bruce Dubbs:
> Did a test build in chroot. Looked pretty clean but I did not log it.
> All tests successful.
> Files=361, Tests=4374, 37 wallclock secs ( 5.31 usr 0.42 sys + 339.35 cusr 43.32 csys = 388.40 CPU)
> I don't understand cusr or csys. User and system I guess.
I think cusr is the total computing time for user, that is, the sum of user times for each core. And similarly for csys.
comment:6 by , 4 weeks ago
An incomplete (found on my system) list of things requiring a rebuild for openssl:
- openssh
- git
- sudo
- wpa_supplicant
- coreutils
- kmod
- systemd
- rustc
- cargo-c
- lynx
- libarchive
- openldap
- ruby
- cryptsetup
- neon
- krb5
- python
- libnvme
- pipewire
- pulseaudio
- Net::SSLeay
- libssh2
- libevent
- cups
- gst-plugins-bad
- curl
follow-up: 11 comment:7 by , 4 weeks ago
It looks like "make test" now automatically uses all cores so we no longer need to set HARNESS_JOBS.
follow-up: 27 comment:8 by , 4 weeks ago
The Python 3 _ssl module fails to build. https://github.com/python/cpython/pull/146217 allows it to build but there's still a yet unresolved runtime issue: https://github.com/python/cpython/issues/148292
comment:9 by , 4 weeks ago
krb5 needs https://github.com/krb5/krb5/pull/1489 and https://github.com/krb5/krb5/pull/1490. Apply 1490 first, then 1489, to avoid conflict.
comment:10 by , 4 weeks ago
sudo needs https://github.com/sudo-project/sudo/pull/483 (sed -e 's/\([->.a-zA-Z_]*\)->length/ASN1_STRING_length(\1)/' -i lib/iolog/hostcheck.c).
comment:11 by , 4 weeks ago
Replying to Xi Ruoyao:
> It looks like "make test" now automatically uses all cores so we no longer need to set HARNESS_JOBS.
We probably still need it for timing purposes, but other than mentioning it in the timing, we can probably remove it for the test instruction in the book.
comment:12 by , 4 weeks ago
wpa_supplicant needs https://git.w1.fi/cgit/hostap/commit/?id=141abf49a432c9a0f4f38c47a477ab258ec9e239.
comment:13 by , 4 weeks ago
If libssh2 is enabled, several curl tests fail with Failure establishing ssh session: -43, Failed getting banner. I don't know which package to blame. More strangely, if running one of those tests directly with ./runtests.pl in tests/ it passes.
follow-up: 32 comment:15 by , 4 weeks ago
openldap needs at least (I only tried a lib-only build) sed -e 's/cn->length/ASN1_STRING_length(cn)/g' -e 's/cn->data/ASN1_STRING_get0_data(cn)/g' -i libraries/libldap/tls_o.c (not submitted upstream yet).
comment:16 by , 4 weeks ago
gst-plugins-bad rebuilds fine but there is one new test failure in elements_dtls.
follow-ups: 22 28 comment:18 by , 4 weeks ago
rustc is a little complicated, we need to update (or patch but I don't think patching is easier than updating) the shipped openssl and openssl-sys crates (used by cargo) to support openssl-4.0.0.
curl https://github.com/lfs-book/rust-openssl/archive/v0.10.77+openssl4/rust-openssl-0.10.77+openssl4.tar.gz -LO
cd rustc-1.95.0-src
tar xf ../rust-openssl-0.10.77+openssl4.tar.gz
mv rust-openssl-0.10.77-openssl4 rust-openssl
cat >> src/tools/cargo/Cargo.toml << EOF
[patch.crates-io]
openssl = { path = "../../../rust-openssl/openssl" }
openssl-sys = { path = "../../../rust-openssl/openssl-sys" }
EOF
sed -ri src/tools/cargo/Cargo.lock \
-e '/name = "openssl-sys"/,/^$/{/source|checksum/d;s/0.9.111/0.9.113/}' \
-e '/name = "openssl"/,/^$/{/source|checksum/d;s/0.10.75/0.10.77/}' \
-e '/name = "openssl-macros"/,/^$/{/source|checksum/d}'
I guess cargo-c needs something similar as it ships some code from cargo.
comment:19 by , 4 weeks ago
Net::SSLeay https://github.com/radiator-software/p5-net-ssleay/pull/553. Not merged yet but the test suite passes on 1.96 (the book has 1.94 now).
follow-up: 34 comment:20 by , 4 weeks ago
comment:21 by , 2 weeks ago
In https://savannah.gnu.org/bugs/index.php?68265 is included a patch that fixes building wget with openssl-4.
comment:22 by , 2 weeks ago
Replying to Xi Ruoyao:
> rustc is a little complicated, we need to update (or patch but I don't think patching is easier than updating) the shipped openssl and openssl-sys crates (used by cargo) to support openssl-4.0.0.
Are openssl* the only crates that need to be updated? I'm seeing this with the curl crate:
cargo:warning=curl/lib/vtls/openssl.c: In function 'ossl_certchain':
cargo:warning=curl/lib/vtls/openssl.c:433:11: error: invalid use of incomplete
typedef 'ASN1_INTEGER' {aka 'struct asn1_string_st'}
cargo:warning= 433 | if(num->type == V_ASN1_NEG_INTEGER)
cargo:warning= | ^~
cargo:warning=curl/lib/vtls/openssl.c:435:23: error: invalid use of incomplete
typedef 'ASN1_INTEGER' {aka 'struct asn1_string_st'}
cargo:warning= 435 | for(j = 0; j < num->length; j++)
cargo:warning= | ^~
cargo:warning=curl/lib/vtls/openssl.c:436:34: error: invalid use of incomplete
typedef 'ASN1_INTEGER' {aka 'struct asn1_string_st'}
cargo:warning= 436 | BIO_printf(mem, "%02x", num->data[j]);
cargo:warning= | ^~
cargo:warning=curl/lib/vtls/openssl.c:634:26: error: invalid use of incomplete
typedef 'ASN1_BIT_STRING' {aka 'const struct asn1_string_st'}
cargo:warning= 634 | for(j = 0; j < psig->length; j++)
cargo:warning= | ^~
cargo:warning=curl/lib/vtls/openssl.c:635:38: error: invalid use of incomplete
typedef 'ASN1_BIT_STRING' {aka 'const struct asn1_string_st'}
cargo:warning= 635 | BIO_printf(mem, "%02x:", psig->data[j]);
cargo:warning= | ^~
comment:23 by , 2 weeks ago
If you've installed curl on the system, rustc shouldn't build its own copy and then you'll not hit it.
The shipped copy is curl-8.17 and AFAIK the build with openssl-4 is only fixed in curl-8.19.
comment:25 by , 2 weeks ago
I guess the problem is curl-8.19 isn't built with nghttp2 then. We should raise the nghttp2 dependency in curl to recommended...
comment:27 by , 10 days ago
Replying to Xi Ruoyao:
> The Python 3 _ssl module fails to build. https://github.com/python/cpython/pull/146217 allows it to build but there's still a yet unresolved runtime issue: https://github.com/python/cpython/issues/148292
148292 is superseded by 149102. I gathered it, some commits from main that it seemingly depends on, and 149078 (to fix a test failure with Linux 7.0) at https://github.com/xry111/cpython/tree/xry111/3.14.4-openssl4-linux7.
comment:28 by , 5 days ago
Replying to Xi Ruoyao:
> I guess cargo-c needs something similar as it ships some code from cargo.
cargo-c-0.10.22 has already updated the openssl crate version so it's fine.
comment:29 by , 4 days ago
BIND Utilities builds correctly, but dig, nslookup, and the rest of the utilities crash with OpenSSL-4.x:
renodr [ ~ ]$ dig linuxfromscratch.org
; <<>> DiG 9.20.20 <<>> linuxfromscratch.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9681
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;linuxfromscratch.org. IN A
;; ANSWER SECTION:
linuxfromscratch.org. 900 IN A 208.118.68.85
;; Query time: 114 msec
;; SERVER: 75.75.75.75#53(75.75.75.75) (UDP)
;; WHEN: Fri May 08 12:31:02 CDT 2026
;; MSG SIZE rcvd: 65
mem.c:848: REQUIRE(((ctx) != ((void *)0) && ((const isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 | ('C'))))) failed, back trace
/usr/lib/libisc-9.20.20.so(+0x363b8) [0x7fdaa92c73b8]
/usr/lib/libisc-9.20.20.so(isc_assertion_failed+0xa) [0x7fdaa92c730a]
/usr/lib/libisc-9.20.20.so(+0x4e906) [0x7fdaa92df906]
/usr/lib/libcrypto.so.4(CRYPTO_malloc+0x22) [0x7fdaa874cdd2]
/usr/lib/libcrypto.so.4(CRYPTO_zalloc+0x9) [0x7fdaa874cf89]
/usr/lib/libcrypto.so.4(OPENSSL_sk_new_reserve+0x21) [0x7fdaa88a0501]
/usr/lib/libcrypto.so.4(OPENSSL_sk_dup+0xe) [0x7fdaa88a087e]
/usr/lib/libcrypto.so.4(CONF_modules_unload+0x68) [0x7fdaa8695bb8]
/usr/lib/libcrypto.so.4(+0x195d9e) [0x7fdaa8695d9e]
/usr/lib/libcrypto.so.4(+0xdcaa2) [0x7fdaa85dcaa2]
/lib64/ld-linux-x86-64.so.2(+0x2012) [0x7fdaa9334012]
/lib64/ld-linux-x86-64.so.2(+0x5e4e) [0x7fdaa9337e4e]
/usr/lib/libc.so.6(+0x403d0) [0x7fdaa8cfb3d0]
/usr/lib/libc.so.6(+0x404ba) [0x7fdaa8cfb4ba]
/usr/lib/libc.so.6(+0x26f7f) [0x7fdaa8ce1f7f]
/usr/lib/libc.so.6(__libc_start_main+0x87) [0x7fdaa8ce2097]
dig(_start+0x21) [0x564f38407f41]
Aborted (core dumped) dig linuxfromscratch.org
Unfortunately BIND 9.20.22 does not fix the issue either, going to poke around upstream shortly to try to find a solution.
comment:30 by , 4 days ago
https://gitlab.isc.org/isc-projects/bind9/-/commit/bb706b18001d9926bb8a635a395a6e8718925278 fixes the problems with BIND.
comment:31 by , 4 days ago
IO-Socket-SSL does have some test problems with OpenSSL-4:
t/connectSSL-timeout.t ............ ok
# Failed test 'no TLS support at t/core.t line 38.
# '
# at ./t/testlib.pl line 41.
t/core.t .......................... Dubious, test returned 1 (wstat 256, 0x100)
Failed 48/48 subtests
t/dhe.t ........................... ok
[...]
Test Summary Report
-------------------
t/core.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Parse errors: Bad plan. You planned 48 tests but ran 1.
Files=45, Tests=823, 44 wallclock secs ( 0.10 usr 0.01 sys + 3.10 cusr 0.37 csys = 3.58 CPU)
Result: FAIL
Failed 1/45 test programs. 1/823 subtests failed.
comment:32 by , 4 days ago
Replying to Xi Ruoyao:
> openldap needs at least (I only tried a lib-only build) sed -e 's/cn->length/ASN1_STRING_length(cn)/g' -e 's/cn->data/ASN1_STRING_get0_data(cn)/g' -i libraries/libldap/tls_o.c (not submitted upstream yet).
Following up real quick, this patch is sufficient for the server side and the tests still fail at the exact same spot as well, so we should be good on this!
comment:33 by , 4 days ago
Serf seems to be broken in a similar way to how wpa_supplicant is. I created the following patch:
renodr [ /sources ]$ diff -Naurp serf-1.3.10.orig/buckets/ssl_buckets.c serf-1.3.10/serf-1.3.10/buckets/ssl_buckets.c
--- serf-1.3.10.orig/buckets/ssl_buckets.c 2023-05-18 04:33:55.000000000 -0500
+++ serf-1.3.10/serf-1.3.10/buckets/ssl_buckets.c 2026-05-09 01:10:29.528563263 -0500
@@ -567,11 +567,11 @@ get_subject_alt_names(apr_array_header_t
switch (nm->type) {
case GEN_DNS:
if (copy_action == ErrorOnNul &&
- strlen(nm->d.ia5->data) != nm->d.ia5->length)
+ strlen((const char *)ASN1_STRING_get0_data(nm->d.ia5)) != ASN1_STRING_length(nm->d.ia5))
return SERF_ERROR_SSL_CERT_FAILED;
if (san_arr && *san_arr)
- p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data,
- nm->d.ia5->length,
+ p = pstrdup_escape_nul_bytes((const char *)ASN1_STRING_get0_data(nm->d.ia5),
+ ASN1_STRING_length(nm->d.ia5),
pool);
break;
default:
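Review bot: In the GEN_DNS case, the rewritten NUL check compares the size_t returned by strlen() against the int returned by ASN1_STRING_length(), and nm->d.ia5 is passed through the accessors separately on three lines. Read the data pointer and the length once into locals declared at the top of the enclosing block (the build uses -std=c89 with -Wdeclaration-after-statement) and cast the length explicitly for the comparison; that also brings the replaced lines back to a reasonable width. Separately, the +++ header path has a doubled serf-1.3.10/serf-1.3.10/ directory that the --- path does not, so regenerate the diff from matching trees before sending it upstream.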
to fix:
gcc -o buckets/ssl_buckets.os -c -std=c89 -Wdeclaration-after-statement -Wmissing-prototypes -Wall -g -O2 -fPIC -DNDEBUG -DOPENSSL_NO_STDIO -DLINUX -D_REENTRANT -D_GNU_SOURCE -I. -I/usr/include/apr-1 -I/usr/include -I/usr/include buckets/ssl_buckets.c
buckets/ssl_buckets.c: In function 'get_subject_alt_names':
buckets/ssl_buckets.c:570:41: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
570 | strlen(nm->d.ia5->data) != nm->d.ia5->length)
| ^~
buckets/ssl_buckets.c:570:61: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
570 | strlen(nm->d.ia5->data) != nm->d.ia5->length)
| ^~
buckets/ssl_buckets.c:573:77: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
573 | p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data,
| ^~
buckets/ssl_buckets.c:574:63: error: invalid use of incomplete typedef 'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
574 | nm->d.ia5->length,
|
I will submit this upstream once I've tested subversion with it, but it at least allows it to build.
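The sed rewrites in comments 10 and 15 touch every `->length` and `->data` in a file, while the compiler output in comments 22 and 33 names the exact lines that break. The following added example (not part of the ticket or of any package mentioned in it) combines the two so that only compiler-flagged lines are rewritten; `flagged_lines`, `rewrite_flagged` and `demo` are hypothetical helper names, and the sample log and source file are constructed.

```shell
#!/bin/sh
# Added example: limit the ASN1_STRING accessor rewrite to compiler-flagged lines.

# Read a build log on stdin; print "file:line" for each gcc "invalid use of
# incomplete typedef" error on an ASN1_* type. Copes with the cargo:warning=
# prefix and with the type name wrapping onto the following line.
flagged_lines() {
    awk '
        pending != "" { if ($0 ~ /^ *typedef .ASN1_/) print pending; pending = "" }
        /error: invalid use of incomplete/ {
            loc = $0
            sub(/^cargo:warning=/, "", loc)
            sub(/:[0-9]+: error:.*/, "", loc)   # keep "file:line" only
            if ($0 ~ /typedef .ASN1_/) print loc; else pending = loc
        }' | sort -u
}

# $1 = source root; "file:line" list on stdin. Rewrites ->length and ->data
# to the accessors, but only on the lines the compiler flagged.
rewrite_flagged() {
    while IFS=: read -r file line; do
        case $line in ''|*[!0-9]*) continue ;; esac   # skip malformed entries
        sed -e "${line}s/\([A-Za-z_][A-Za-z0-9_.>-]*\)->length/ASN1_STRING_length(\1)/g" \
            -e "${line}s/\([A-Za-z_][A-Za-z0-9_.>-]*\)->data/ASN1_STRING_get0_data(\1)/g" \
            "$1/$file" > "$1/$file.new" && mv "$1/$file.new" "$1/$file"
    done
}

demo() {   # constructed input: line 1 is not an ASN1_STRING, line 2 is
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'n = buf->length;' \
        'for(j = 0; j < num->length; j++) put(num->data[j]);' > "$dir/x.c"
    printf '%s\n' 'cargo:warning=x.c:2:21: error: invalid use of incomplete' \
        "typedef 'ASN1_INTEGER' {aka 'struct asn1_string_st'}" \
        "x.c:2:44: error: invalid use of incomplete typedef 'ASN1_INTEGER'" |
        flagged_lines | rewrite_flagged "$dir"
    cat "$dir/x.c"
    rm -rf "$dir"
}

demo
```

`ASN1_STRING_get0_data()` returns `const unsigned char *`, so callers such as `strlen()` still need the cast used in the serf patch, and `->type` accesses stay flagged for manual conversion.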
comment:34 by , 4 days ago
Replying to Xi Ruoyao:
> Git needs https://git.kernel.org/pub/scm/git/git.git/commit/?id=74137b733e59faaf3f3c6428af34c3798ce92757.
Git was fixed with version 2.54.0
comment:36 by , 24 hours ago
MariaDB has runtime failures with OpenSSL-4, in this case these showed during the test suite (though it doesn't show during the build process unfortunately):
The following tests FAILED:
19 - my_tzinfo (Failed)
25 - aes (Failed)
32 - mf_iocache (Failed)
78 - test-connect (Failed)
When reviewing the test suite logs it looks like they fail due to invalid lengths. I looked at upstream and found https://github.com/MariaDB/server/pull/5029 which resolves the problem.

# Major changes between OpenSSL 3.6 and OpenSSL 4.0.0 [14 Apr 2026]
OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible changes:
- `PKCS5_PBKDF2_HMAC` API with FIPS provider.
- `X509_V_FLAG_X509_STRICT` is set.
- `libcrypto` no longer cleans up globally allocated data via `atexit()`.
- `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation.
- `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default.
- `ASN1_STRING` has been made opaque.
- `const` qualifiers for argument and return types, where suitable.
- `X509_cmp_time()`, `X509_cmp_current_time()`, and `X509_cmp_timeframe()` in favor of `X509_check_certificate_times()`.
- `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are always present.
- `enable-tls-deprecated-ec` configuration option.
- `enable-ec_explicit_curves` configuration option.
- `c_rehash` script tool. Use `openssl rehash` instead.
- `msie-hack` option from the `openssl ca` command.
- `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints.
- `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, and `EVP_PKEY_ASN1` methods.
- `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque.
- `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations.

This release adds the following new features:
- `doc/designs/ech-api.md` for details.
- `sm2sig_sm3`, key exchange group `curveSM2`, and [tls-hybrid-sm2-mlkem] post-quantum group `curveSM2MLKEM768`.
- `-defer_tests` option of the `openssl fipsinstall` command.