Opened 2 days ago
Last modified 21 hours ago
#5912 new enhancement
openssl-4.0.0
| Reported by: | Bruce Dubbs | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | normal | Milestone: | 13.1 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New major version.
Change History (20)
comment:1 by , 2 days ago
follow-up: 5 comment:2 by , 2 days ago
Did a test build in chroot. Looked pretty clean but I did not log it.
All tests successful.
Files=361, Tests=4374, 37 wallclock secs ( 5.31 usr 0.42 sys + 339.35 cusr 43.32 csys = 388.40 CPU)
I don't understand cusr or csys. User and system I guess.
comment:4 by , 2 days ago
I think the problem might rather lie in dependent packages, since there are changes to the API.
comment:5 by , 2 days ago
Replying to Bruce Dubbs:
> Did a test build in chroot. Looked pretty clean but I did not log it.
> All tests successful.
> Files=361, Tests=4374, 37 wallclock secs ( 5.31 usr 0.42 sys + 339.35 cusr 43.32 csys = 388.40 CPU)
> I don't understand cusr or csys. User and system I guess.
I think cusr is the total computing time for user, that is, the sum of user times for each core. And similarly for csys.
comment:6 by , 2 days ago
An incomplete (found on my system) list of things requiring a rebuild for openssl:
- openssh
- git
- sudo
- wpa_supplicant
- coreutils
- kmod
- systemd
- rustc
- cargo-c
- lynx
- libarchive
- openldap
- ruby
- cryptsetup
- neon
- krb5
- python
- libnvme
- pipewire
- pulseaudio
- Net::SSLeay
- libssh2
- libevent
- cups
- gst-plugins-?? (I've not figured out ?? yet)
- curl
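One way to build a rebuild list like the one above mechanically, as an added example that is not part of the ticket: read each ELF file's `DT_NEEDED` entries and report those that still name the previous OpenSSL libraries. It assumes the old libraries are `libssl.so.3` and `libcrypto.so.3` and that binutils' `readelf` is installed; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the ticket): find ELF files that still name the
# previous OpenSSL libraries in DT_NEEDED and so need a rebuild.
# Assumption: the old libraries are libssl.so.3 / libcrypto.so.3.
OLD_SOVER="${OLD_SOVER:-3}"

# Filter: read `readelf -d` output on stdin, print the old OpenSSL
# libraries it lists as NEEDED (one per line, nothing if there are none).
old_openssl_needed() {
    sed -n \
        -e "s/.*(NEEDED).*\[\(libssl\.so\.${OLD_SOVER}\)].*/\1/p" \
        -e "s/.*(NEEDED).*\[\(libcrypto\.so\.${OLD_SOVER}\)].*/\1/p"
}

# Walk the given directories and print "path: libs" for each affected file.
# readelf only parses the dynamic section; unlike ldd it never runs the file.
scan_for_old_openssl() {
    find "$@" -xdev -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        libs=$(readelf -d "$f" 2>/dev/null | old_openssl_needed | sort -u | tr '\n' ' ')
        if [ -n "$libs" ]; then
            printf '%s: %s\n' "$f" "${libs% }"
        fi
    done
}

# Constructed readelf output, so the filter can be tried without any binaries.
demo() {
    old_openssl_needed <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libcrypto.so.3]
EOF
}

# With arguments: scan those directories. Without: run the constructed demo.
if [ "$#" -gt 0 ]; then
    scan_for_old_openssl "$@"
else
    demo
fi
```

Run it as `sh script.sh /usr/bin /usr/lib`. Programs that link OpenSSL statically or load it with `dlopen()` have no `DT_NEEDED` entry and will not be reported.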
follow-up: 11 comment:7 by , 2 days ago
It looks like "make test" now automatically uses all cores so we no longer need to set HARNESS_JOBS.
comment:8 by , 45 hours ago
The Python 3 _ssl module fails to build. https://github.com/python/cpython/pull/146217 allows it to build but there's still an as-yet-unresolved runtime issue: https://github.com/python/cpython/issues/148292
comment:9 by , 45 hours ago
krb5 needs https://github.com/krb5/krb5/pull/1489 and https://github.com/krb5/krb5/pull/1490. Apply 1490 first, then 1489, to avoid conflict.
comment:10 by , 44 hours ago
sudo needs https://github.com/sudo-project/sudo/pull/483 (manual operation needed).
comment:11 by , 44 hours ago
Replying to Xi Ruoyao:
> It looks like "make test" now automatically uses all cores so we no longer need to set HARNESS_JOBS.
We probably still need it for timing purposes, but other than mentioning it in the timing, we can probably remove it for the test instruction in the book.
comment:12 by , 44 hours ago
wpa_supplicant needs https://git.w1.fi/cgit/hostap/commit/?id=141abf49a432c9a0f4f38c47a477ab258ec9e239.
comment:13 by , 44 hours ago
If libssh2 is enabled, several curl tests fail with `Failure establishing ssh session: -43, Failed getting banner`. I don't know which package to blame. More strangely, if running one of those tests directly with `./runtests.pl` in `tests/` it passes.
comment:15 by , 43 hours ago
openldap needs at least (I only tried a lib-only build) `sed -e 's/cn->length/ASN1_STRING_length(cn)/g' -e 's/cn->data/ASN1_STRING_get0_data(cn)/g' -i libraries/libldap/tls_o.c` (not submitted upstream yet).
comment:16 by , 43 hours ago
gst-plugins-bad rebuilds fine but there is one new test failure in elements_dtls.
comment:18 by , 24 hours ago
rustc is a little complicated, we need to update (or patch but I don't think patching is easier than updating) the shipped openssl and openssl-sys crates (used by cargo) to support openssl-4.0.0.
```sh
# Fetch the rust-openssl fork that supports openssl-4.0.0
curl https://github.com/lfs-book/rust-openssl/archive/v0.10.77+openssl4/rust-openssl-0.10.77+openssl4.tar.gz -LO

# Unpack it inside the rustc source tree
cd rustc-1.94.1-src
tar xf ../rust-openssl-0.10.77+openssl4.tar.gz
mv rust-openssl-0.10.77+openssl4 rust-openssl

# Point cargo at the unpacked crates instead of the crates.io copies
cat >> Cargo.toml << EOF
[patch.crates-io]
openssl = { path = "../../../rust-openssl/openssl" }
openssl-sys = { path = "../../../rust-openssl/openssl-sys" }
EOF

# Drop the registry source/checksum lines for the patched crates and
# bump their versions in the lock file
sed -ri src/tools/cargo/Cargo.lock.orig \
    -e '/name = "openssl-sys"/,/^$/{/source|checksum/d;s/0.9.111/0.9.113/}' \
    -e '/name = "openssl"/,/^$/{/source|checksum/d;s/0.10.75/0.10.77/}' \
    -e '/name = "openssl-macros"/,/^$/{/source|checksum/d}'
```
I guess cargo-c needs something similar as it ships some code from cargo.
comment:19 by , 21 hours ago
Net::SSLeay https://github.com/radiator-software/p5-net-ssleay/pull/553. Not merged yet but the test suite passes on 1.96 (the book has 1.94 now).

# Major changes between OpenSSL 3.6 and OpenSSL 4.0.0 [14 Apr 2026]
OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible changes:
- `PKCS5_PBKDF2_HMAC` API with FIPS provider.
- `X509_V_FLAG_X509_STRICT` is set.
- `libcrypto` no longer cleans up globally allocated data via `atexit()`.
- `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation.
- `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default.
- `ASN1_STRING` has been made opaque.
- `const` qualifiers for argument and return types, where suitable.
- `X509_cmp_time()`, `X509_cmp_current_time()`, and `X509_cmp_timeframe()` in favor of `X509_check_certificate_times()`.
- `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are always present.
- `enable-tls-deprecated-ec` configuration option.
- `enable-ec_explicit_curves` configuration option.
- `c_rehash` script tool. Use `openssl rehash` instead.
- `msie-hack` option from the `openssl ca` command.
- `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints.
- `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, and `EVP_PKEY_ASN1` methods.
- `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque.
- `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations.

This release adds the following new features:
- `doc/designs/ech-api.md` for details.
- `sm2sig_sm3`, key exchange group `curveSM2`, and [tls-hybrid-sm2-mlkem] post-quantum group `curveSM2MLKEM768`.
- `-defer_tests` option of the `openssl fipsinstall` command.