OpenSSL maintenance 2024/09

[thillux]

Description of changes

This PR combines the usual OpenSSL version bump with some maintenance:

• OpenSSL now releases only on Github -> switch to URLs on Github for all versions
• Revisit if we can use the latest OpenSSL version as the default now (set it to openssl_3_3).
• Bump all OpenSSL packages to the latest available version for CVE fixes.

Fixed CVEs:

• Fixed possible denial of service in X.509 name checks. (CVE-2024-6119)
• Fixed possible buffer overread in SSL_select_next_proto(). (CVE-2024-5535)

Changelog(s):
The changes are the same for all updated OpenSSL versions. See changelog.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

Happy with the general approach here as discussed on Matrix, but I’m −1 on introducing 3.1 as yet another version, when we’ll already have 3.0, 3.2, and 3.3. Ideally we’d only have one version of OpenSSL; Arch, Alpine, and Void ship 3.3 and 1.1, and Fedora ships only 3.2.

I think that we should rename openssl_3 to openssl_3_0 if it’s no longer going to be the default, though that might be unnecessary churn if we can hopefully remove it after the 24.11 release.

[thillux]

Happy with the general approach here as discussed on Matrix, but I’m −1 on introducing 3.1 as yet another version, when we’ll already have 3.0, 3.2, and 3.3. Ideally we’d only have one version of OpenSSL; Arch, Alpine, and Void ship 3.3 and 1.1, and Fedora ships only 3.2.

I think that we should rename openssl_3 to openssl_3_0 if it’s no longer going to be the default, though that might be unnecessary churn if we can hopefully remove it after the 24.11 release.

Fair, reduce to 3_3, 3_0, 1_1 for 24.11?

[thillux]

I'm currently testing if some important packages like systemd still build with OpenSSL 3.3. Therefore some more patches are included. I needed to bump ibm-sw-tpm2 and use a better maintained swtpm for tests in tpm2-tss to work.

[emilazy]

Fair, reduce to 3_3, 3_0, 1_1 for 24.11?

Sounds good to me! I’d also be okay with leaving 3.2 in and just dropping the other versions in bulk after the release if everything goes well; whatever your preference is.

[thillux]

After some issues in the past, where e.g. systemd failed to build with a recent OpenSSL version, I tried to fix these.

Older discussions about updating OpenSSL default:

• openssl_3_1: init at 3.1.3 #244893
• openssl: 3.0.8 -> 3.1.0 #221206

[emilazy]

LGTM; a few tweaks to the release note.

I’ll let a couple others take a look at this rather than unilaterally merging, since it’s a significant change :)

I look forward to dropping the other versions after branch‐off.

[emilazy]

LGTM. Will let someone else take a look too.

[reckenrode]

OpenSSL 3.x is supposed to be API- and ABI-stable. If a package pins the version, that’s a problem with the package. If OpenSSL breaks API, that’s an upstream bug. I’m all for doing what every other package ecosystem seemingly does, which is ship the latest OpenSSL by default. Both MacPorts and Homebrew ship OpenSSL 3.3. Homebrew also offers OpenSSL 3.0 as a separate package in case something really needs it.

https://openssl-library.org/policies/technical/stable-release-updates/

[emilazy]

This needs rebasing for conflicts, but I’m otherwise minded to merge.

[thillux]

@emilazy: Rebased.

[emilazy]

After discussion on Matrix I think we have consensus to ignore the LTS releases and just package and track the latest stable releases going forward. Thank you for your work on this!

[trofi]

Bisect says 7932bf5 openssl: set default to openssl_3_3 broke mumble in staging as:

$ nix build --no-link github:NixOS/nixpkgs/staging#mumble -L
...
mumble> [ 97%] Built target mumble_autogen
mumble> make[2]: *** No rule to make target '/nix/store/kdazpap3bnl355f3nv7p01dpwad8c90w-openssl-3.3.2-dev/lib/libcrypto.so', needed by 'mumble'.  Stop.
mumble> make[2]: *** Waiting for unfinished jobs....

[thillux]

@trofi I looked into this, but have not found the root cause yet. In this error message, somehow the dev-Output got used to provide the lib folder. While it technically contains a lib folder, only the pkg-config and cmake-Files are there. The "useful" lib folder is in the out-Output. I don't see that anything changed between 3.0.x and 3.3.x in the output structure. OpenSSL 3.0.x also places a lib folder in both the out and dev derivation.

[thillux]

Something like this will probably fix it (builds still in progress):

diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 0313841dce30..951505d1fd08 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -233,6 +233,10 @@ let
         echo "Found an erroneous dependency on perl ^^^" >&2
         exit 1
       fi
+    '' + lib.optionalString (lib.versionAtLeast version "3.3.0") ''
+      # cleanup cmake helpers for now (for OpenSSL >= 3.3), only rely on pkg-config.
+      # pkg-config gets its paths fixed correctly
+      rm -r $dev/lib/cmake
     '';
 
     passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;

When I have more time, I'll may also patch the CMake-Scripts and don't delete them.