Merge OpenSSL 3.0.9

Description

Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
-DOPENSSL_API_COMPAT=0x10100000L to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
openssl speed) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

Details

Provenance
khorben_defora.org Authored on Jun 23 2023, 10:53 PM
emaste Committed on Jun 23 2023, 10:53 PM
Parents
rGb08ee10c0646: wg: fix a number of issues with module load failure handling
rGb84c4564effd: openssl: Vendor import of OpenSSL-3.0.9

Very Large Commit

This commit is very large, and affects more than 2000 files. Changes are not shown.