Re: [gentoo-user] What to do about openssl

Alan McKinnon

Oct 4, 2023, 11:40:04 AM
Hi John

All 1.x versions have been masked. They are very, very old and have obsolete code.

Upgrade to v3.x - this is what portage is telling you.

Is there some reason you require v1.1.x? Do you have a local mask for openssl?

Alan

On Wed, Oct 4, 2023 at 5:34 PM John Covici <cov...@ccs.covici.com> wrote:
> Hi.  I just did a world update and found that my openssl-1.1.1v is
> masked.  What can I do, I don't have any version that is not masked
> and according to the message this version is EOL.
>
> Thanks in advance for any suggestions.
>
>
> --
> Your life is like a penny.  You're going to lose it.  The question is:
> How do you spend it?
>
>          John Covici wb2una
>          cov...@ccs.covici.com



--
Alan McKinnon
alan dot mckinnon at gmail dot com

Grant Edwards

Oct 4, 2023, 12:00:05 PM
On 2023-10-04, John Covici <cov...@ccs.covici.com> wrote:
> Hi. I just did a world update and found that my openssl-1.1.1v is
> masked. What can I do,

Use one of the stable versions.

> I don't have any version that is not masked

Huh? What architecture are you on? There are three versions of
openssl that are stable and not masked for amd64, x86, and most
others:

3.0.9-r1
3.0.9-r2
3.0.10

see

https://packages.gentoo.org/packages/dev-libs/openssl

> and according to the message this version is EOL.

Indeed. OpenSSL 1.1.1 is dead. Support ended a few weeks ago.

John Covici

Oct 4, 2023, 1:00:05 PM
All those are masked, I am using the ~amd64.

John Covici

Oct 4, 2023, 1:00:05 PM
On Wed, 04 Oct 2023 11:38:04 -0400,
Alan McKinnon wrote:
>
All of the v3 packages are masked in my repository, just updated a
couple of days ago.

Here is what I get
Available versions: [M]1.0.2u-r1^td [M]1.1.1u(0/1.1)^t{xpak}
[M](~)1.1.1v(0/1.1)^t{xpak} [M](~)1.1.1w(0/1.1)^t [m]3.0.9-r1(0/3)^t
[m]3.0.9-r2(0/3)^t [m]3.0.10(0/3)^t [m](~)3.0.11(0/3)^t
[m](~)3.1.1-r1(0/3)^t [m](~)3.1.1-r2(0/3)^t [m](~)3.1.2(0/3)^t
[m](~)3.1.3(0/3)^t {+asm bindist fips gmp kerberos ktls rfc3779 sctp
sslv2 (+)sslv3 static-libs test tls-compression (+)tls-heartbeat
vanilla verify-sig weak-ssl-ciphers ABI_MIPS="n32 n64 o32"
ABI_S390="32 64" ABI_X86="32 64
x32" CPU_FLAGS_X86="sse2"}

Matt Connell

Oct 4, 2023, 1:10:05 PM
On Wed, 2023-10-04 at 12:57 -0400, John Covici wrote:
> All those are masked, I am using the ~amd64.

> All of the v3 packages are masked in my repository, just updated a
> couple of days ago.

Something on your local machine is masking these, they are definitely
unmasked for me and many others. Check /etc/portage/package.mask to
start with, but in general I would grep -r openssl /etc/portage/ to see
what all you've got set (or unset)...

John Covici

Oct 4, 2023, 1:20:04 PM
On Wed, 04 Oct 2023 11:53:46 -0400,
Grant Edwards wrote:
>
Upon further investigation, I had masked them off myself, if I
unmask the 3.x I get the following:
Script started on 2023-10-04 13:10:40-04:00 [COMMAND="emerge -1
dev-libs/openssl" TERM="linux" TTY="/dev/tty1" COLUMNS="240"
LINES="67"]

These are the packages that would be merged, in order:

Calculating dependencies . .... ... done!
Dependency resolution took 38.07 s.

[ebuild r U ] dev-libs/openssl-3.1.3:0/3::gentoo
[1.1.1v:0/1.1::gentoo] USE="asm -fips% -ktls% -rfc3779 -sctp
-static-libs -test -tls-compression -vanilla -verify-sig
-weak-ssl-ciphers (-sslv3%) (-tls-heartbeat%)" ABI_X86="(64) -32
(-x32)" CPU_FLAGS_X86="(sse2)" 15,198 KiB
[ebuild rR ] sys-apps/coreutils-9.4::gentoo USE="acl nls openssl
(split-usr) xattr -caps -gmp -hostname -kill -multicall (-selinux)
-static -test -vanilla -verify-sig" 0 KiB
[ebuild rR ] net-misc/rsync-3.2.7-r2::gentoo USE="acl iconv ssl
xattr -examples -lz4 -rrsync -stunnel -system-zlib -verify-sig -xxhash
-zstd" PYTHON_SINGLE_TARGET="python3_11 -python3_10" 0 KiB
[ebuild rR ] net-misc/wget-1.21.4::gentoo USE="ipv6 nls pcre
(ssl) zlib -cookie-check -debug -gnutls -idn -metalink -ntlm -static
-test -uuid -verify-sig" 0 KiB
[ebuild rR ] dev-lang/python-3.12.0_rc3_p1:3.12::gentoo
USE="ensurepip gdbm ncurses readline sqlite ssl -bluetooth -build
-debug -examples -libedit -lto -pgo -test -tk -valgrind -verify-sig" 0
KiB
[ebuild rR ] dev-libs/libtpms-0.9.6::gentoo 0 KiB
[ebuild rR ] www-client/w3m-0.5.3_p20230121::gentoo USE="X gpm
nls ssl unicode -fbcon -gdk-pixbuf -imlib -lynxkeymap -nntp -xface"
L10N="-ja" 0 KiB
[ebuild rR ] dev-db/mysql-connector-c-8.0.32-r1:0/21::gentoo
USE="static-libs -ldap" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild rR ] dev-lang/rust-1.72.0:stable/1.72::gentoo USE="lto
(-big-endian) -clippy -debug -dist -doc (-llvm-libunwind) (-miri)
(-nightly) (-parallel-compiler) -profiler -rust-analyzer -rust-src
-rustfmt -system-bootstrap -system-llvm -test -verify-sig -wasm"
ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="sse2" LLVM_TARGETS="(X86)
-AArch64 -AMDGPU -ARM -AVR -BPF -Hexagon -Lanai -LoongArch -MSP430
-Mips -NVPTX -PowerPC -RISCV -Sparc -SystemZ -VE -WebAssembly -XCore"
0 KiB
[ebuild rR ] net-libs/libssh-0.10.5:0/4::gentoo USE="sftp zlib
-debug -doc -examples -gcrypt -gssapi -mbedtls -pcap -server
-static-libs -test" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild rR ] dev-db/mariadb-connector-c-3.3.4:0/3::gentoo
USE="curl ssl -gnutls -kerberos -static-libs -test" ABI_X86="(64) -32
(-x32)" 0 KiB
[ebuild rR ] app-crypt/swtpm-0.8.1-r2::gentoo USE="seccomp -fuse
-test" 0 KiB
[ebuild rR ] dev-python/cryptography-41.0.4::gentoo USE="-debug
-test" PYTHON_TARGETS="python3_11 -pypy3 -python3_10 -python3_12" 0
KiB
[ebuild rR ] dev-db/mariadb-10.11.5:10.11/18::gentoo USE="backup
odbc pam perl server systemd xml -bindist -columnstore -cracklib
-debug -extraengine -galera -innodb-lz4 -innodb-lzo -innodb-snappy
-jdbc -jemalloc -kerberos -latin1 -mroonga -numa -oqgraph -profiling
-rocksdb -s3 (-selinux) -sphinx -sst-mariabackup -sst-rsync -static
-systemtap -tcmalloc -test -yassl" 0 KiB
[ebuild rR ] dev-db/postgresql-16.0:16::gentoo USE="icu nls pam
readline server ssl systemd xml zlib -debug -doc -kerberos -ldap -llvm
-lz4 -perl -python (-selinux) -static-libs -tcl -uuid -zstd"
PYTHON_SINGLE_TARGET="python3_11 -python3_10 -python3_12" 0 KiB
[ebuild rR ] app-admin/syslog-ng-4.4.0::gentoo USE="systemd -amqp
-caps -dbi -geoip2 -http -json -kafka -mongodb -pacct -python -redis
-smtp -snmp -spoof-source -tcpd -test"
PYTHON_SINGLE_TARGET="python3_11 -python3_10 -python3_12" 0 KiB
[ebuild rR ] dev-db/postgresql-14.9:14::gentoo USE="icu nls pam
readline server ssl systemd xml zlib -debug -doc -kerberos -ldap -llvm
-lz4 -perl -python (-selinux) -static-libs -tcl -uuid (-threads%)"
PYTHON_SINGLE_TARGET="python3_11 -python3_10 -python3_12" 0 KiB
[ebuild rR ] dev-lang/php-8.2.10:8.2::gentoo USE="acl apache2
bcmath bzip2 cgi cli ctype curl exif fileinfo filter flatfile fpm ftp
gd gdbm iconv imap intl ipv6 jit mhash mysql mysqli nls odbc opcache
pcntl pdo phar posix postgres readline session sharedmem simplexml
sockets spell sqlite ssl sysvipc tokenizer truetype unicode xml
xmlreader xmlwriter zip zlib -apparmor -argon2 -avif -berkdb -calendar
-cdb -cjk -debug -embed -enchant -ffi -firebird -gmp -inifile -iodbc
-kerberos -ldap -ldap-sasl -libedit -lmdb -mssql -oci8-instant-client
-phpdbg -qdbm (-selinux) -session-mm -snmp -soap -sodium -systemd
-test -threads -tidy -tokyocabinet -valgrind -webp -xpm -xslt" 0 KiB
[ebuild rR ] app-emulation/spice-0.15.2::gentoo USE="gstreamer
-lz4 -sasl -smartcard -static-libs -test" 0 KiB
[ebuild rR ] net-misc/openssh-9.4_p1::gentoo USE="X pam pie ssl
-audit (-debug) -kerberos -ldns -libedit -livecd -security-key
(-selinux) -static -test -verify-sig -xmss" 0 KiB
[ebuild rR ] app-admin/lastpass-cli-1.3.3::local_ebuilds
[1.3.3::gentoo] USE="X pinentry -libressl -test" 0 KiB
[ebuild rR ] app-admin/sudo-1.9.14_p3::gentoo USE="nls pam
secure-path sendmail ssl -gcrypt -ldap -offensive -sasl (-selinux)
-skey -sssd -verify-sig" 0 KiB
[ebuild rR ] net-misc/spice-gtk-0.42-r3::gentoo USE="gtk3
introspection policykit usbredir vala -gtk-doc -lz4 -mjpeg -sasl
-smartcard -valgrind -wayland -webdav" 0 KiB
[ebuild rR ] media-sound/pulseaudio-daemon-16.1-r7::gentoo USE="X
alsa alsa-plugin asyncns bluetooth dbus gdbm glib gstreamer orc ssl
systemd udev webrtc-aec -aptx (-elogind) -equalizer -fftw -jack -ldac
-lirc -ofono-headset (-oss) (-selinux) -sox (-system-wide) -tcpd
-test -valgrind -zeroconf" 0 KiB

Total: 24 packages (1 upgrade, 23 reinstalls), Size of downloads:
15,198 KiB

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

dev-libs/openssl:0

(dev-libs/openssl-3.1.3:0/3::gentoo, ebuild scheduled for merge)
USE="asm -fips -ktls -rfc3779 -sctp -static-libs -test
-tls-compression -vanilla -verify-sig -weak-ssl-ciphers"
ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by
dev-libs/openssl (Argument)

(dev-libs/openssl-1.1.1v-1:0/1.1::gentoo, installed) USE="asm
-rfc3779 -sctp (-sslv3) -static-libs -test -tls-compression
-tls-heartbeat -vanilla -verify-sig -weak-ssl-ciphers"
ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by
dev-libs/openssl:0/1.1= required by
(sys-fs/cryptsetup-2.6.1-1:0/12::gentoo, installed)
USE="argon2 nls openssl udev userland_GNU -fips -gcrypt
-kernel -nettle -pwquality -ssh -static -static-libs -test
-urandom" ABI_X86="(64)"
^^^^^^^

<dev-libs/openssl-3.0:0/1.1= required by
(dev-lang/php-7.4.33-r6-1:7.4/7.4::gentoo, installed) USE="acl apache2
bcmath bzip2 cgi cli ctype curl exif fileinfo filter flatfile fpm ftp
gd gdbm iconv imap intl ipv6 jit json mhash mysql mysqli nls odbc
opcache pcntl pdo phar posix postgres readline session sharedmem
simplexml sockets spell sqlite ssl sysvipc tokenizer truetype unicode
xml xmlreader xmlrpc xmlwriter zip zlib -argon2 -berkdb -calendar -cdb
-cjk -coverage -debug -embed -enchant -ffi -firebird -gmp -inifile
-iodbc -kerberos -ldap -ldap-sasl -libedit -lmdb -mssql
-oci8-instant-client -phpdbg -qdbm (-selinux) -session-mm -snmp -soap
-sodium -systemd -test -threads -tidy -tokyocabinet -webp -xpm -xslt"
ABI_X86="(64)"
^ ^^^^^^^^^^

(and 59 more with the same problems)

Alan McKinnon

Oct 4, 2023, 1:30:05 PM
That should not happen, and is probably happening because you have masked something deep in the dep graph that is required.

Please post all your package.mask files, and provided if you have any of those


Alan

Steve Wilson

Oct 4, 2023, 1:40:06 PM

From https://www.php.net/manual/en/openssl.requirements.php

PHP 7.1-8.0 requires OpenSSL >= 1.0.1, < 3.0.
PHP >= 8.1 requires OpenSSL >= 1.0.2, < 4.0.

So it looks like you need to upgrade php to 8.1

I've a similar problem with my server requiring php 7.2 and trying to figure out the upgrade path for all php based sites/apps is a pain.

John Covici

Oct 4, 2023, 2:00:05 PM
On Wed, 04 Oct 2023 13:23:40 -0400,
Alan McKinnon wrote:
>
> That should not happen, and is probably happening because you have masked
> something deep in the dep graph that is required.
>
> Please post all your package.mask files, and provided if you have any of
> those
>
>
> Alan
Here is my package.mask file.

#1.4.1 has some serious problems
>=app-backup/rsnapshot-1.4.1


#i use udev
>=sys-fs/static-dev-0.1





#not yet ready
#mutes everything
>=media-sound/alsa-utils-1.2.5

That is all I have.

John Covici

Oct 4, 2023, 2:10:04 PM
On Wed, 04 Oct 2023 13:36:38 -0400,
Steve Wilson wrote:
>
> From https://www.php.net/manual/en/openssl.requirements.php
>
> PHP 7.1-8.0 requires OpenSSL >= 1.0.1, < 3.0.
> PHP >= 8.1 requires OpenSSL >= 1.0.2, < 4.0.
>
> So it looks like you need to upgrade php to 8.1
>
> I've a similar problem with my server requiring php 7.2 and
> trying to figure out the upgrade path for all php based
> sites/apps is a pain.
>
> On 04/10/2023 18:15, John Covici wrote:
> > On Wed, 04 Oct 2023 11:53:46 -0400,
> > Grant Edwards wrote:
The php was the problem, I had upgraded it, but not removed the 7.4
yet. After doing a depclean on that all is at least compiling now,
including many, many reinstalls.

Thanks all.
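
The fix in this thread came down to one entry in the slot conflict: php-7.4 carried a version bound (`<dev-libs/openssl-3.0`), while cryptsetup carried only a sub-slot binding (`:0/1.1=`), which a rebuild against the new library satisfies. The Python sketch below is an added example, not portage code and not something posted in the thread; it separates the two kinds of parent in conflict text, assuming plain dotted numeric versions and the "ATOM required by (PACKAGE, installed)" layout shown above. The function names and `SAMPLE` are hypothetical.

```python
import operator
import re

# Constructed sample: the two "required by" entries from the slot conflict
# quoted in the thread, with USE flags removed.
SAMPLE = """
dev-libs/openssl:0/1.1= required by
  (sys-fs/cryptsetup-2.6.1-1:0/12::gentoo, installed)
<dev-libs/openssl-3.0:0/1.1= required by
  (dev-lang/php-7.4.33-r6-1:7.4/7.4::gentoo, installed)
"""

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}
ENTRY = re.compile(r"(\S+) required by \((\S+?), installed\)")
ATOM = re.compile(r"^(<=|>=|<|>|=)?([\w+.-]+/[\w+.-]+?)"
                  r"(?:-(\d[\w.]*)(?:-r\d+)?)?(?::([^=]*)(=)?)?$")

def vtuple(version):
    """Numeric fields only (assumption: letter and _p suffixes are ignored)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def classify(conflict_text, target):
    """Map each installed parent to 'blocks', 'rebuild' or 'ok' for target."""
    result = {}
    for atom, parent in ENTRY.findall(" ".join(conflict_text.split())):
        m = ATOM.match(atom)
        if not m:
            result[parent] = "unparsed"
            continue
        op, _name, ver, _slot, bind = m.groups()
        if op and ver and not OPS[op](vtuple(target), vtuple(ver)):
            # The version bound excludes the target: the parent itself has
            # to be upgraded or removed before the new version can merge.
            result[parent] = "blocks"
        elif bind:
            # Only a ':slot/subslot=' binding: rebuilding the parent against
            # the new library records the new sub-slot.
            result[parent] = "rebuild"
        else:
            result[parent] = "ok"
    return result

if __name__ == "__main__":
    for parent, verdict in classify(SAMPLE, "3.1.3").items():
        print(f"{verdict:8} {parent}")
```
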