It provides the now-deprecated ERR_load_*_strings routines.
PR: 272580
Differential D41505
libcrypto: add err_all_legacy.c to the build
Authored by emaste on Aug 18 2023, 6:37 PM.
Event Timeline

Comment Actions
$ nm secure/lib/libcrypto/obj/libcrypto.so.30 | grep ERR_load
00000000002cdcc0 T ERR_load_ASN1_strings
00000000002cdcd0 T ERR_load_ASYNC_strings
00000000002cdce0 T ERR_load_BIO_strings
00000000002cdcf0 T ERR_load_BN_strings
00000000002cdd00 T ERR_load_BUF_strings
00000000002cdd10 T ERR_load_CMS_strings
00000000002cdd20 T ERR_load_COMP_strings
00000000002cdd30 T ERR_load_CONF_strings
00000000002cdd40 T ERR_load_CRYPTO_strings
00000000002cdd50 T ERR_load_CT_strings
00000000002cdd60 T ERR_load_DH_strings
00000000002cdd70 T ERR_load_DSA_strings
00000000002cdd80 T ERR_load_EC_strings
00000000002cdd90 T ERR_load_ENGINE_strings
00000000002cdda0 T ERR_load_ERR_strings
00000000002cddb0 T ERR_load_EVP_strings
0000000000307630 T ERR_load_KDF_strings
00000000002cddc0 T ERR_load_OBJ_strings
00000000002cddd0 T ERR_load_OCSP_strings
00000000002cde30 T ERR_load_OSSL_STORE_strings
00000000002cdde0 T ERR_load_PEM_strings
00000000002cddf0 T ERR_load_PKCS12_strings
00000000002cde00 T ERR_load_PKCS7_strings
00000000002cde10 T ERR_load_RAND_strings
00000000002cde20 T ERR_load_RSA_strings
00000000002cde40 T ERR_load_TS_strings
00000000002cde50 T ERR_load_UI_strings
00000000002cde70 T ERR_load_X509V3_strings
00000000002cde60 T ERR_load_X509_strings
00000000002cc460 T ERR_load_strings
00000000002cc500 T ERR_load_strings_const

Comment Actions
Wait, this is probably not enough. cardano-node was failing due to missing RSA_generate_key, which is also deprecated.

Comment Actions
Yes, this change is necessary but not sufficient. I think it's enough for vbox though?

@kbowling identified rsa_depr.c for RSA_generate_key; I'm looking at what else might be needed now.

Comment Actions
This is the right thing to do, given that this gets compiled/linked in unconditionally upstream.

I think we (I'm signing myself up for this) should audit the build.info files -- it looks like there are some items that should be audited for sanity.
While perusing the files I found this:

IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}]
  SOURCE[../../providers/liblegacy.a]=$ALL
ENDIF

It would be a good idea to check and make sure the legacy provider we build is 100% compatible with what upstream provides, given that we don't disable the legacy provider in world.

Comment Actions
@arrowd :

crypto/openssl/include/openssl/rsa.h:OSSL_DEPRECATEDIN_0_9_8 RSA *RSA_generate_key(int bits, unsigned long e, void
crypto/openssl/include/openssl/rsa.h:OSSL_DEPRECATEDIN_3_0 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,

This might make keeping BoringSSL and LibreSSL support more difficult, but they're based on 1.x -- which has a monolithic architecture. I bring up supporting BoringSSL and LibreSSL, because more third-parties seem to be moving towards supporting the OpenSSL 3.x model (which is modular), as it makes adding module-based crypto providers, e.g., FIPS 140-2/140-3, easier to do -- making downstream consumers more "crypto agile" (I've been told).

Comment Actions
net-p2p/cardano-node still fails to build, now with undefined reference to DSA_generate_parameters.

Comment Actions
Can you check again after 8f37b3a142f2f7197896cd283c44c7e4fb64aaf3 (which includes additional openssl fixes in parent commits), and open a PR if there is still an issue?

Comment Actions
You can just do make -C secure/lib/libcrypto. (You can also run make buildenv first and do the libcrypto build in there, if you have a recent buildworld already and your host does not match the version you're building.)

Comment Actions
It seems that didn't help. This is what I did:

fetch -o /dev/stdout 'https://reviews.freebsd.org/file/data/nrhuojeq3ijpd2qw6szl/PHID-FILE-pfpfqsfp5jhnoi2kcy5k/file' | patch -p1
make -C secure/lib/libcrypto
make -C secure/lib/libcrypto install
cp /usr/lib/ossl-modules/fips.so /usr/local/poudriere/jails/default/usr/lib/ossl-modules/fips.so
poudriere testport -j default net-p2p/cardano-node

This resulted in the same linker error.

Comment Actions
Do we care if this bug will end up in the release? If we don't I'll stop pinging this issue.

Comment Actions
Is there a PR for it?
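
The thread finds missing deprecated symbols one linker error at a time; the following is an added example, not part of the original review or of FreeBSD's tooling, that checks a saved nm listing against a list of required symbols in one pass. The function names, the sample listing and its addresses are constructed for illustration; the required symbols are the ones named in the comments above.

```shell
#!/bin/sh
# Added example (not from the review): list required symbols that a
# library does not export, given saved `nm` output for it.

# missing_syms NM_FILE SYMBOL...  -> prints each SYMBOL with no global definition
missing_syms() {
    nm_file=$1; shift
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, want, " ") }
        # Defined global symbols have three fields: address, type, name.
        # T/D/B/R/W = text, data, bss, read-only data, weak definition.
        NF == 3 && length($2) == 1 && index("TDBRW", $2) {
            name = $3
            sub(/@.*/, "", name)      # drop any @VERSION suffix
            defined[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in defined)) print want[i]
        }
    ' "$nm_file"
}

# Constructed sample in nm format (addresses are made up): the ERR_load
# routines are defined, DSA_generate_parameters is only a local symbol,
# and RSA_generate_key is absent.
sample_nm() {
    cat <<'EOF'
0000000000001000 T ERR_load_RSA_strings
0000000000001010 T ERR_load_strings
0000000000001020 t DSA_generate_parameters
                 U malloc
0000000000001030 T RSA_generate_key_ex@@OPENSSL_3.0.0
EOF
}

# Symbols named in the thread as needed by consumers.
REQUIRED="ERR_load_RSA_strings RSA_generate_key DSA_generate_parameters"

demo() {
    tmp=$(mktemp) || return 1
    sample_nm > "$tmp"
    missing_syms "$tmp" $REQUIRED
    rm -f "$tmp"
}

demo
```

For a real build, save the output of nm secure/lib/libcrypto/obj/libcrypto.so.30 to a file and pass that file as the first argument.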