SOLVED openssl update to 1.1.1?

[Itay1778]

Hey
I want to switch to TLS1.3 and after a little test I realized that my problem is that openssl is on version 1.0.2 and pkg update does not update it. I need to update it at least to version 1.1.1
And I did not really find anything on Google to help me.
Do you know what to do? How to fix it?

FreeNAS 11.2 u4
WebServer: Nginx and its version supports TLS1.3 The only thing left to update is the openssl

Hope you'll help me find a solution
Thanks
Itay

 

[seanm]

I suspect you'll have to wait until FreeNAS updates to FreeBSD 12: https://www.freebsd.org/doc/handbook/openssl.html

 

[Jailer]

Are you talking about a jail or the main system?

 

[Itay1778]

Are you talking about a jail or the main system?

I am talking about jail.
and because of what @seanm said

I suspect you'll have to wait until FreeNAS updates to FreeBSD 12

then i will try to change the jail to FreeBSD 12

 

[Jailer]

then i will try to change the jail to FreeBSD 12

Don't do that. You can't run a newer release in a jail than what the main system is on.

Just run pkg install openssl111 to install the package. You'll also have to install the ports version of Nginx and choose the option to use the package version rather than the base version by editing /etc/make.conf and adding DEFAULT_VERSIONS+=ssl=openssl111 before you install it.

 

[Itay1778]

Don't do that. You can't run a newer release in a jail than what the main system is on.

Just run pkg install openssl111 to install the package. You'll also have to install the ports version of Nginx and choose the option to use the package version rather than the base version by editing /etc/make.conf and adding DEFAULT_VERSIONS+=ssl=openssl111 before you install it.

Ok thanks I'll try it
But I do not think I need to install the nginx ports version because by what I understood my existing version of nginx supports TLS1.3.

 

[Jailer]

Ok thanks I'll try it
But I do not think I need to install the nginx ports version because by what I understood my existing version of nginx supports TLS1.3.

Nginx does but the base openssl version in the jail does not. That's why you have to install Nginx from ports like I said above.

 

[Itay1778]

Don't do that. You can't run a newer release in a jail than what the main system is on.

Just run pkg install openssl111 to install the package. You'll also have to install the ports version of Nginx and choose the option to use the package version rather than the base version by editing /etc/make.conf and adding DEFAULT_VERSIONS+=ssl=openssl111 before you install it.

I installed everything and set everything according to what you said to me.
but still when I do openssl version it still shows me the version

Code:

OpenSSL 1.0.2o-freebsd  27 Mar 2018

 

[Jailer]

Right, that's because the base version is still 1.0.2, you can't change that. That's what all the packages are compiled against by default. That's why you have to make the changes I posted above to make nginx work with openssl111.

 

[Itay1778]

Right, that's because the base version is still 1.0.2, you can't change that. That's what all the packages are compiled against by default. That's why you have to make the changes I posted above to make nginx work with openssl111.

So will it work even if it shows the wrong version?

 

[Jailer]

It's not the wrong version. Please read this page for more information.

https://wiki.freebsd.org/OpenSSL#OpenSSL_in_base

 

[Itay1778]

Right, that's because the base version is still 1.0.2, you can't change that. That's what all the packages are compiled against by default. That's why you have to make the changes I posted above to make nginx work with openssl111.

Works !!
Thank you!

 

[User5010]

editing /etc/make.conf and adding DEFAULT_VERSIONS+=ssl=openssl111

I am probably stupid, but anyhow, I'll ask it. Where can I find this file (jail or FreeNAS system)? If I look in the /etc/ folder of my jail, I did not have such file. So I did create one, then uninstall the openssl111pkg, and reinstall the pkg, yet, Nginx still give the same error and I do have the same openssl version of OpenSSL 1.0.2o.

Something I miss (other than better knowledge)?

 

[Itay1778]

Something I miss (other than better knowledge)?

Yes Jail, I also didn't have the file that's fine. Create it
And you need to install the ports version of Nginx
And by adding DEFAULT_VERSIONS+=ssl=openssl111 inside the /etc /make.conf of the Jail
And of course installing pkg install openssl111 first thing
So it should work
This is exactly what you need to do I did according to this and have TLS1.3

Just run pkg install openssl111 to install the package. You'll also have to install the ports version of Nginx and choose the option to use the package version rather than the base version by editing /etc/make.conf and adding DEFAULT_VERSIONS+=ssl=openssl111 before you install it.

 

[sleeper52]

Using FreeNAS 11.3-U3.2
I'm trying to switch over to openssl111 from OpenSSL 1.0.2s-freebsd 28 May 2019 on one of my jails (Jackett).
As suggested, I made a /etc/make.conf file and added the line

Code:

DEFAULT_VERSIONS+=ssl=openssl111

Then did

Code:

#portsnap fetch update
# cd /usr/ports/www/nginx/
# make install clean

After the #make install clean command, I am getting this

Code:

make: "/usr/ports/Mk/Uses/ssl.mk" line 97: You are using an unsupported SSL provider openssl111"

Tried

Code:

#pkg install openssl111

but i got this error

Code:

pkg: No packages available to install matching 'openssl111' have been found in the repositories

Any advice?

 

[sleeper52]

Still hoping someone could help me on this.

 

[Itay1778]

Using FreeNAS 11.3-U3.2
I'm trying to switch over to openssl111 from OpenSSL 1.0.2s-freebsd 28 May 2019 on one of my jails (Jackett).
As suggested, I made a /etc/make.conf file and added the line

Code:

DEFAULT_VERSIONS+=ssl=openssl111

Then did

Code:

#portsnap fetch update
# cd /usr/ports/www/nginx/
# make install clean

After the #make install clean command, I am getting this

Code:

make: "/usr/ports/Mk/Uses/ssl.mk" line 97: You are using an unsupported SSL provider openssl111"

Tried

Code:

#pkg install openssl111

but i got this error

Code:

pkg: No packages available to install matching 'openssl111' have been found in the repositories

Any advice?

The pkg name is changed to openssl only
Please do

Code:

 pkg install openssl

 

[sleeper52]

The pkg name is changed to openssl only
Please do

Code:

 pkg install openssl

worked and updated to 1.1.1g
Thanks.
Unfortunately this did not resolve my issue when adding losslessclub.com indexer to my Jackett jail. I'm still getting an OpenSSL error. Was hoping this would resolve it. Darn....

Code:

{0} System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /usr/ports/lang/mono/work/mono-6.8.0.96/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <d349126a5c244a1c9241a40862b79e0a>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <d349126a5c244a1c9241a40862b79e0a>:0
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <d349126a5c244a1c9241a40862b79e0a>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <d349126a5c244a1c9241a40862b79e0a>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <d349126a5c244a1c9241a40862b79e0a>:0
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000c3] in <3163c3a218ad47f0abdb25d4ba342345>:0
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x00102] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00322] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x00089] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.DecompressionHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ca] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at CloudflareSolverRe.ClearanceHandler.SendRequestAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00090] in <d04cd2ac2811440c84416674a9f38b05>:0
  at CloudflareSolverRe.ClearanceHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000a4] in <d04cd2ac2811440c84416674a9f38b05>:0
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at Jackett.Common.Utils.Clients.HttpWebClient.Run (Jackett.Common.Utils.Clients.WebRequest webRequest) [0x0048a] in <ea73a59895b248dfa6b6c5202b1fd7f4>:0
  at Jackett.Common.Utils.Clients.WebClient.GetString (Jackett.Common.Utils.Clients.WebRequest request) [0x0010b] in <ea73a59895b248dfa6b6c5202b1fd7f4>:0
  at Jackett.Common.Indexers.BaseWebIndexer.RequestLoginAndFollowRedirect (System.String url, System.Collections.Generic.IEnumerable`1[T] data, System.String cookies, System.Boolean returnCookiesFromFirstCall, System.String redirectUrlOverride, System.String referer, System.Boolean accumulateCookies) [0x000cb] in <ea73a59895b248dfa6b6c5202b1fd7f4>:0
  at Jackett.Common.Indexers.CardigannIndexer.DoLogin () [0x00165] in <ea73a59895b248dfa6b6c5202b1fd7f4>:0
  at Jackett.Common.Indexers.CardigannIndexer.ApplyConfiguration (Newtonsoft.Json.Linq.JToken configJson) [0x00079] in <ea73a59895b248dfa6b6c5202b1fd7f4>:0
  at Jackett.Server.Controllers.IndexerApiController.UpdateConfig (Jackett.Common.Models.DTO.ConfigItem[] config) [0x0012d] in <718732ee92ed4b0380d5d4081aca417c>:0
  at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute (Microsoft.AspNetCore.Mvc.Infrastructure.IActionResultTypeMapper mapper, Microsoft.Extensions.Internal.ObjectMethodExecutor executor, System.Object controller, System.Object[] arguments) [0x00071] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync () [0x00131] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync () [0x0009e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ActionExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00382] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter () [0x0009f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ResourceExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00840] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync () [0x0012e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x001cb] in <6092a16d93814eba828b517a2b132f80>:0
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x00384] in <427697fe42b7459ba5302fb76d339d3b>:0
  at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x0043e] in <f352e566abf6421e87eafbcf57a0b237>:0
  at Jackett.Server.Middleware.CustomExceptionHandler.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x0008a] in <718732ee92ed4b0380d5d4081aca417c>:0

 

[Itay1778]

Unfortunately this did not resolve my issue when adding losslessclub.com indexer to my Jackett jail. I'm still getting an OpenSSL error. Was hoping this would resolve it. Darn....

Sorry to hear that it did not help you.
I personally do not know and have not tried "Jackett"
Try to open issues in their github maybe they will understand what is going on there.
Good luck!

 

[ornias]

@sleeper52 It doesn't help much if you didn't mention the fact you are running a Mono version that is considered to be experimental.