Bug 952101 - dev-libs/openssl-3.4.1 errors with MinProtocol = TLSv1.0 in openssl.cnf
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2025-03-26 11:04 UTC by Xoores
Modified: 2025-03-29 17:01 UTC
Description Xoores 2025-03-26 11:04:24 UTC
I ran world update yesterday, however it failed on one random package and now I'm quite stuck with Python not working.

I'm unable to even get emerge --info as emerge just crashes on import of some SSL-related package:

# emerge --info
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.12/emerge", line 57, in main
    retval = emerge_main()
             ^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/_emerge/main.py", line 1308, in emerge_main
    return run_action(emerge_config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/_emerge/actions.py", line 3997, in run_action
    return action_info(
           ^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/_emerge/actions.py", line 1978, in action_info
    sync = portage.sync.module_controller.get_class(repo.sync_type)()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/portage/module.py", line 158, in get_class
    mod = self._modules[modname]["parent"].get_class(modname)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/portage/module.py", line 79, in get_class
    module = __import__(kid["module_name"], [], [], ["not empty"])
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/portage/sync/modules/rsync/rsync.py", line 24, in <module>
    from portage.sync.syncbase import NewBase
  File "/usr/lib/python3.12/site-packages/portage/sync/syncbase.py", line 24, in <module>
    import gemato.openpgp
  File "/usr/lib/python3.12/site-packages/gemato/openpgp.py", line 39, in <module>
    import requests
  File "/usr/lib/python3.12/site-packages/requests/__init__.py", line 164, in <module>
    from .api import delete, get, head, options, patch, post, put, request
  File "/usr/lib/python3.12/site-packages/requests/api.py", line 11, in <module>
    from . import sessions
  File "/usr/lib/python3.12/site-packages/requests/sessions.py", line 15, in <module>
    from .adapters import HTTPAdapter
  File "/usr/lib/python3.12/site-packages/requests/adapters.py", line 80, in <module>
    _preloaded_ssl_context = create_urllib3_context()
                             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 288, in create_urllib3_context
    context = SSLContext(PROTOCOL_TLS_CLIENT)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/ssl.py", line 438, in __new__
    self = _SSLContext.__new__(cls, protocol)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ssl.SSLError: [SSL] error in system default config (_ssl.c:3040)


I get the same error when trying to import aiohttp, requests or anything related to SSL - both for Python3.11 and 3.12.

$ python3
Python 3.11.11 (main, Mar 26 2025, 02:54:47) [GCC 14.2.1 20241221] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.11/site-packages/requests/__init__.py", line 164, in <module>
    from .api import delete, get, head, options, patch, post, put, request
  File "/usr/lib/python3.11/site-packages/requests/api.py", line 11, in <module>
    from . import sessions
  File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 15, in <module>
    from .adapters import HTTPAdapter
  File "/usr/lib/python3.11/site-packages/requests/adapters.py", line 80, in <module>
    _preloaded_ssl_context = create_urllib3_context()
                             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 288, in create_urllib3_context
    context = SSLContext(PROTOCOL_TLS_CLIENT)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 500, in __new__
    self = _SSLContext.__new__(cls, protocol)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ssl.SSLError: [SSL] error in system default config (_ssl.c:3062)


I have tried to google the error, but TBH I really cannot find anything. Does anyone have a clue what might be the cause and what I could do to fix the issue (would like to avoid reinstallation obviously :-))

Thx!
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-26 11:06:42 UTC
Hi! Can you show us emerge --info, and also emerge -pvO dev-python/requests?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-26 11:06:50 UTC
(In reply to Sam James from comment #1)
> Hi! Can you show us emerge --info, and also emerge -pvO dev-python/requests?

Also, emerge -pvO dev-libs/openssl?
Comment 3 Xoores 2025-03-26 11:09:08 UTC
Hi Sam,

I can not do any of these right now as the emerge is terminally broken as I described 😅 It fails on import of some library, that requires SSL & just crashes on startup.

However I will try & nuke the configs in the /etc/ssl directory. Maybe there is something left behind that is causing this...
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-26 11:12:58 UTC
Sorry, I'd misread and assumed it was only on e.g. importing requests rather than emerge --info too (doh), but emerge --info involves importing requests (that might be worth a bug by itself, we should try to make it as resilient as possible).
Comment 5 Xoores 2025-03-26 11:30:30 UTC
No worries :)

Yeah, I definitely agree that emerge --info probably should not import anything that it does not need to in order to dump as much info as it can.

The most painful thing about this error is that it is not descriptive (not fault of gentoo of course) and that googling it just gets thousands of *similar* errors that are connected to doing connections & invalid SSL certificates.

I have nuked the openssl.conf and we are back in business!

That means that I had *something* in the openssl.conf (perhaps from the past, since I'm running this particular instance of Gentoo from ~2018) that new openssl does not like. And there seems to be no grace in the fail. However I don't *think* that I ever changed this particular file (apart from updates coming from dispatch-conf).

$ eix -I openssl
 [I] dev-libs/openssl
   ... (snipped)
   Installed versions:  3.4.1(0/3)^t(01:21:03 03/26/25)

After some more digging, I found the culprit:
  [system_default_sect]
  MinProtocol = TLSv1.0

MinProtocol was in there for some reason & simply deleting it fixes the problem (as far as I can tell for now).

I would, perhaps, suggest adding a pre-merge check for this particular version of the openssl? I think that maybe just grepping the openssl.conf for the TLSv1.0 might be plenty good to catch this in time :-)
Comment 6 Mike Gilbert gentoo-dev 2025-03-26 19:38:43 UTC
Was this setting ever valid? Or did older versions of OpenSSL simply ignore it?
Comment 7 Xoores 2025-03-26 19:43:27 UTC
As far as I can see, it was a valid setting - for example here:

https://github.com/openssl/openssl/discussions/22752

I also think that TLSv1.0 was dropped some time ago (not sure though, maybe I'm confusing it with something else), so I don't know why this particular version started erroring out this hard.

I'm quite sure that I had to enable TLSv1.0 in Java a few years ago, but that was a completely different config file.
Comment 8 Mike Gilbert gentoo-dev 2025-03-26 20:01:12 UTC
From what version did you upgrade where TLSv1.0 worked?

I would guess it is invalid when the security level is greater than zero in newer openssl versions.
Comment 9 Xoores 2025-03-26 20:43:33 UTC
I believe it was dev-libs/openssl-3.3.2-r3 - emerge.log says this:


1742948175:  >>> emerge (42 of 436) dev-libs/openssl-3.4.1 to /
1742948175:  === (42 of 436) Cleaning (dev-libs/openssl-3.4.1::/var/db/repos/gentoo/dev-libs/openssl/openssl-3.4.1.ebuild)
1742948176:  === (42 of 436) Compiling/Merging (dev-libs/openssl-3.4.1::/var/db/repos/gentoo/dev-libs/openssl/openssl-3.4.1.ebuild)
1742948509:  === (42 of 436) Merging (dev-libs/openssl-3.4.1::/var/db/repos/gentoo/dev-libs/openssl/openssl-3.4.1.ebuild)
1742948514:  >>> AUTOCLEAN: dev-libs/openssl:0
1742948514:  === Unmerging... (dev-libs/openssl-3.3.2-r3)
1742948517:  >>> unmerge success: dev-libs/openssl-3.3.2-r3
1742948520:  === (42 of 436) Post-Build Cleaning (dev-libs/openssl-3.4.1::/var/db/repos/gentoo/dev-libs/openssl/openssl-3.4.1.ebuild)
1742948520:  ::: completed emerge (42 of 436) dev-libs/openssl-3.4.1 to /

Maybe, honestly dunno... The worst thing about this is that it completely nukes any Python app that relies on openssl, because it errors out on *import* of network-related libraries (tried with aiohttp and requests, both will throw an exception). You can't even emerge --info in this state.
Comment 10 Mike Gilbert gentoo-dev 2025-03-26 21:09:46 UTC
Based on the documentation, I don't think MinProtocol = TLSv1.0 was ever a valid setting.

https://docs.openssl.org/3.3/man3/SSL_CONF_cmd/#supported-configuration-file-commands

I think the issue is that openssl previously did not generate errors when the ssl_conf section was invalid. This was changed in the PR below.

https://github.com/openssl/openssl/pull/24275
Comment 11 Xoores 2025-03-29 17:01:50 UTC
Nice find, did not know about the OpenSSL change of parsing config! :)
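The pre-merge check suggested in comment 5, written out against the protocol names the SSL_CONF_cmd manual page linked in comment 10 actually accepts. This is an added example for this page, not code from the bug report, from OpenSSL or from Gentoo's dev-libs/openssl ebuild. It assumes the usual openssl_conf -> ssl_conf -> system_default section chain (the sample file below and its section names are constructed for the example) and does not handle .include directives or variable expansion, so it is a lint to run before an upgrade, not a replacement for OpenSSL's own parser.

```python
"""Lint an openssl.cnf for MinProtocol/MaxProtocol values that OpenSSL's
SSL_CONF_cmd does not accept.

Added example for Gentoo bug 952101; not part of the bug report, OpenSSL or
Gentoo's dev-libs/openssl ebuild.  It follows the section chain OpenSSL walks
to reach the system default TLS settings and reports unknown protocol names,
so a misspelling such as "TLSv1.0" is caught before the library upgrade
rather than at the first SSLContext() call.
"""
import re
import sys

# Protocol names accepted by the MinProtocol/MaxProtocol configuration file
# commands, per SSL_CONF_cmd(3).  TLS 1.0 is spelled "TLSv1"; "TLSv1.0" is
# not a valid name, which is what broke this system.
VALID_PROTOCOLS = {"None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3",
                   "DTLSv1", "DTLSv1.2"}

# Likely misspellings and the name OpenSSL actually expects.
SPELLING_FIXES = {"TLSv1.0": "TLSv1", "DTLSv1.0": "DTLSv1"}

_SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def parse_openssl_cnf(text):
    """Minimal parser for the INI-like openssl.cnf syntax.

    Returns {section: {key: value}}.  Keys before the first [section] header
    go into the unnamed default section, where OpenSSL looks up "openssl_conf".
    Not handled: .include directives and $ENV::/${section::name} expansion.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = _SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip("\"'")
    return sections


def resolve_system_default(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the section that
    holds the default TLS settings.  Returns (None, {}) if any link is absent,
    in which case the file sets no system-wide TLS defaults."""
    name = "default"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
        if name is None:
            return None, {}
    return name, sections.get(name, {})


def check_protocol_settings(text):
    """Return a list of problems with MinProtocol/MaxProtocol in the system
    default section; an empty list means the values are acceptable."""
    name, settings = resolve_system_default(parse_openssl_cnf(text))
    problems = []
    for key in ("MinProtocol", "MaxProtocol"):
        value = settings.get(key)
        if value is None or value in VALID_PROTOCOLS:
            continue
        msg = f"[{name}] {key} = {value}: not a valid protocol name"
        if value in SPELLING_FIXES:
            msg += f" (did you mean {SPELLING_FIXES[value]}?)"
        problems.append(msg)
    return problems


# Constructed sample modelled on a typical openssl.cnf layout, with the
# setting quoted in comment 5 placed in the system default section.
BROKEN_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT:@SECLEVEL=2
"""

# The same file with the protocol name spelled the way OpenSSL expects.
FIXED_CNF = BROKEN_CNF.replace("MinProtocol = TLSv1.0", "MinProtocol = TLSv1")


if __name__ == "__main__":
    # Usage: python3 check_openssl_cnf.py [/etc/ssl/openssl.cnf]
    # Without an argument the constructed broken sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = BROKEN_CNF
    problems = check_protocol_settings(text)
    for problem in problems:
        print("openssl.cnf:", problem)
    sys.exit(1 if problems else 0)
```

Run against the live file (python3 check_openssl_cnf.py /etc/ssl/openssl.cnf) before the upgrade, this would have flagged the MinProtocol line quoted in comment 5 and named the accepted spelling. To check a candidate file against the installed library itself rather than this lint, the code path the tracebacks above go through can be exercised directly: OPENSSL_CONF=/path/to/candidate.cnf python3 -c 'import ssl; ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)' exits cleanly when the file is acceptable and raises the same "error in system default config" when it is not.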