pfSense » pfSense Packages

Also: workaround until ALPN is working again is going back to "npn HTTP/1.1,HTTP/1.0" instead of "alpn HTTP/1.1,HTTP/1.0" in case somebody else comes here with the problem...

Likely related to haproxy being build against openssl 1.0.1, where it used to be against 1.0.2. Can see that in haproxy -vv output. I'm not sure how to change that though with the pkg Makefile.

Right - openssl is now 1.0.1s where it is 1.0.2c on 2.2.6.

Openssl was downgraded at https://redmine.pfsense.org/projects/pfsense/repository/freebsd-src/revisions/73af9669cdc04af0c06344ce6f0d85808187eab3 and it says it was a security update... but but that doesn't explain why the version was downgraded. All those vulnerabilities are listed as also being fixed in 1.0.2g (and now 1.0.2h has fixes that apply to 1.0.1s) - in fact 1.0.2g was already merged at that point according to https://redmine.pfsense.org/projects/pfsense/repository/freebsd-src/revisions/72d32bf80dfdcfe0e69da200b66f195e919653f7

Now I'm just as confused as when I started.

This is not a HAProxy issue, this is an entire pfSense issue. Because openssl in pfSense was reverted from 1.0.2 to 1.0.1, ALL packages appear to be effected.

openssl:
[2.3.2-RELEASE][root@pfSense.localdomain]/: openssl version
OpenSSL 1.0.1s-freebsd 1 Mar 2016

nginx:
[2.3.2-RELEASE][root@pfSense.localdomain]/: nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.1s-freebsd 1 Mar 2016

Note that openssl 1.0.1 will hit end of life in just three months, December 31st, 2016. This should be marked as a critical security issue for pfSense to revert back to the 1.0.2 branch or upgrade to the 1.1.0 branch ASAP. This isn't just about maintaining the current feature set that added by 1.0.2, but also for maintaining proper network security within pfSense, a network security operating system.

Also note that I included nginx in this list, since pfSense 2.3.x switched to including nginx by default. nginx statically compiles in openssl instead of dynamically linking to it, so it needs to be updated as well. And as such, there are possibly other applications either included directly with pfSense or available via packages which statically compile in openssl.

Another note is that as of pfSense 2.3.x, the base FreeBSD package repository has been removed. If this WASNT the case, it would be as simple as running a "pkg upgrade" command on the various packages, such as openssl and nginx, to get a properly updated version of each. But because of this change, it has made it more difficult to replace these packages.

We use the OpenSSL version provided in the base system of FreeBSD 10.3, which is maintained by FreeBSD. If/when FreeBSD updates the version of OpenSSL on the 10.3 security/errata branch, we'll pick up the changes there. If there is a concern, it should be raised upstream. However, FreeBSD has a history of maintaining OpenSSL security patches for versions in existing branches directly, so I would not worry about OpenSSL's support dates but the dates given by FreeBSD instead.

2.4 snapshots, based on FreeBSD 11, already contain OpenSSL 1.0.2h.

That doesn't however allow access to new openssl 1.1 features like ALPN.
Haproxy used to build not using the freebsd base version but the openssl from 'ports', then both versions were present on pfSense this changed when switching to the new git ports tree.

Is it possible to make changes to existing ports makefiles?

Pi Ba wrote:

Is it possible to make changes to existing ports makefiles?

See this and replace with < 1100000?

https://svnweb.freebsd.org/ports/head/net/haproxy-devel/Makefile?r1=425832&r2=426105

Is it possible to set build options for dependent ports?
Maybe we can add an OPTION to set 'WITH_OPENSSL_PORT= yes' in the official net/haproxy-devel FreeBSD port.

Joshua Ruehlig wrote:

Is it possible to set build options for dependent ports?

See the previous comment.

Kill Bill wrote:

Joshua Ruehlig wrote:

Is it possible to set build options for dependent ports?

See the previous comment.

I saw your comment. I was just thinking of a way we wouldn't need to rely on maintaining our own change outside of the FreeBSD ports tree. But I guess we could justify pushing this fix upstream since ALPN is a valid reason to require newer OpenSSL.

Also, I see the haproxy-devel port changed slightly and "WITH_OPENSSL_PORT=yes" needs to be added back.
https://github.com/freebsd/freebsd-ports/commit/f3daf2261fb178366adda1ccfd67d90513f16f2a

The extra build flag should probably be added to: https://github.com/pfsense/pfsense/blob/master/tools/conf/pfPorts/make.conf#L102

However Renato expressed a while back that it was unwanted to have multiple openssl versions on pfSense due to previous issues. Though that was open to discussion as with pkg it likely/hopefully causes less issues then with pbi..

Pi Ba wrote:

The extra build flag should probably be added to: https://github.com/pfsense/pfsense/blob/master/tools/conf/pfPorts/make.conf#L102

However Renato expressed a while back that it was unwanted to have multiple openssl versions on pfSense due to previous issues. Though that was open to discussion as with pkg it likely/hopefully causes less issues then with pbi..

I would assume all we need is HAProxy to be built with newer openssl, and not actually care what version is installed on pfsense.

On my pfsense 2.2 system I installed hitch (another SSL capable proxy) with 'pkg add'. I built the package on another system with "WITH_OPENSSL_PORT=yes" in my make.conf and it works as expected, supporting ALPN, on my pfsense system.

First, that isn't the way you set OpenSSL to use the port now. It would be:

DEFAULT_VERSIONS+=  ssl=openssl

Second, building from ports really wants all of them set the same. Once you have OpenSSL installed from ports, you can't build against the base system OpenSSL: https://github.com/freebsd/freebsd-ports/blob/master/Mk/Uses/ssl.mk#L59

Even if poudriere helps there, it's not a situation that should be sought out on purpose. We finally got away from having multiple copies of OpenSSL around, we're not keen on resurrecting that problem source.

Once the FreeBSD base OpenSSL is updated to a version that supports this feature then it should work. Until then, unless Renato has a better idea, I don't see it happening.

Ok, just to clear up my understanding. Is the following correct?

If we build a port with openssl from ports, it now adds that as a dependency. This is something we want to avoid in order to have everything use the same openssl, from base.

On my pfsense 2.2 system, I was able to get an externally built 'hitch' package working because pfsense includes the openssl port, version 1.0.2k.
On another pfsense 2.3 I have, this would not work because openssl from ports is not included.

Joshua Ruehlig wrote:

Ok, just to clear up my understanding. Is the following correct?

If we build a port with openssl from ports, it now adds that as a dependency. This is something we want to avoid in order to have everything use the same openssl, from base.

Yes.

On my pfsense 2.2 system, I was able to get an externally built 'hitch' package working because pfsense includes the openssl port, version 1.0.2k.
On another pfsense 2.3 I have, this would not work because openssl from ports is not included.

Correct. On 2.2.x, the FreeBSD base system was built against base OpenSSL (e.g. sshd) but packages/ports (even pfSense base system software built from ports, like OpenVPN) was built against the ports OpenSSL. It was not ideal trying to keep all that straight.

Ok, thanks that makes sense.

I excitedly wait for pfSense 2.4, and an ALPN capable HAProxy then.

You can wait, but its still 1.0.2..

[2.4.0-BETA][root@pfSense.localdomain]/root: openssl version
OpenSSL 1.0.2k-freebsd 26 Jan 2017

Pi Ba wrote:

You can wait, but its still 1.0.2..

[2.4.0-BETA][root@pfSense.localdomain]/root: openssl version
OpenSSL 1.0.2k-freebsd 26 Jan 2017

I'm not sure why this is a problem. 1.0.2 supports ALPN I believe.

Ah yes sorry, got some versions mixed up in my head..