unbound: Fail to build against OpenSSL 3.0

Bug #1946217 reported by Simon Chopin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
unbound (Debian) | Fix Released | Unknown | |
unbound (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Hello,

As part of a rebuild against OpenSSL3, this package failed to build on one or
several architectures. You can find the details of the rebuild at

https://people.canonical.com/~schopin/rebuilds/openssl-3.0.0-impish.html

or for the amd64 failed build, directly at

https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0/+build/22099423/+files/buildlog_ubuntu-impish-amd64.unbound_1.13.1-1ubuntu1.0~ssl3ppa1.1_BUILDING.txt.gz

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration information at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

The release 1.13.2 should have this fixed:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.2

Paride Legovini (paride)
Changed in unbound (Ubuntu):
importance: Undecided → High
Simon Chopin (schopin) wrote :

I can confirm that the version 1.13.2 fixes the issue, as I've uploaded an updated package to schopin/foundation-openssl3 which builds with success. However, the autopkgtests fail because of the python 3.10 transition (couldn't find the _unbound module for 3.10)

Simon Chopin (schopin) wrote :

To be clear: the tests also fail when built against libssl1.1

tags: added: server-next
Changed in unbound (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

The FTBFS was fixed by vorlon in https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu3:

unbound (1.13.1-1ubuntu3) jammy; urgency=medium

  * debian/patches/openssl3.patch: compatibility with OpenSSL 3.

 -- Steve Langasek <email address hidden> Thu, 09 Dec 2021 20:51:29 +0000

And it migrated. There are other openssl3 changes in 1.13.2, but they don't seem mandatory yet. For example, switch to SSL_get1_peer_certificate from SSL_get_peer_certificate, since the latter was deprecated (but not removed) in openssl 3. I didn't spot any build warnings about that.

I'll take a quick look at other changes in 1.13.2 to see if it makes sense to patch them, instead of going ahead of debian and jumping to 1.13.2.

Andreas Hasenack (ahasenack) wrote :

The other changes are deeper and I don't feel comfortable backporting them to 1.13.1. We can wait a bit for debian to move ahead and re-merge, or update to 1.13.2 ourselves, or even 1.14.0 (but that's a .0 release, and jammy is an LTS).
In any case, I will close this bug as the build is succeeding now, a debian bug was filed, and the patch steve used is committed upstream.

Changed in unbound (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

The bug to track updating unbound to 1.13.2 (or 1.14.0) is https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1946909

Changed in unbound (Debian):
status: Unknown → Confirmed
Changed in unbound (Debian):
status: Confirmed → Fix Released