<div dir="auto">This seems like something that could justify a bugfix release. I am not qualified to swap out LibreSSL but I will roll a new release if someone else can upgrade to OpenSSL (and include options that would help Thierry)</div><div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, Feb 6, 2026 at 6:44 PM <<a href="mailto:thierry@lelegard.fr">thierry@lelegard.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Pierre-Alain,<br>
<br>
OK, I start to understand. Forgive my ignorance on DragonFly BSD. The repo DragonFlyBSD/DeltaPorts<br>
only contains the differences with FreeBSD Ports. Am I right?<br>
<br>
So, the core problem is that OpenSSL is the default on FreeBSD, installed in the core OS, outside<br>
Ports, with a decently recent version and all providers, including the legacy provider, while DragonFly<br>
uses an obsolete and incompatible LibreSSL in the core OS, forcing us to install OpenSSL Port, which<br>
is otherwise useless on FreeBSD.<br>
<br>
So, adding LEGACY to security/openssl can be a bug request to DragonFlyBSD/DeltaPorts, to be<br>
added in the differences. However, boosting openssl to a more recent version is more risky<br>
because its impacts on that port may be too high. There are separate version-specific ports<br>
for openssl33, 34, 35, 36. So, the solution is probably to request the same update on all of<br>
them, don't change the baseline of openssl port, and install a more recent version if necessary.<br>
<br>
I don't have any account on <a href="https://bugs.dragonflybsd.org" rel="noreferrer" target="_blank">https://bugs.dragonflybsd.org</a>. I will create an issue on GitHub.<br>
<br>
Thank you for your help.<br>
<br>
-Thierry Lelégard (<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>)<br>
<br>
-----Original Message-----<br>
From: Pierre-Alain TORET <<a href="mailto:pierre-alain@toret.fr" target="_blank">pierre-alain@toret.fr</a>> <br>
Sent: Friday, 6 February, 2026 18:45<br>
To: Thierry Lelégard <<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>>; users <<a href="mailto:users@lists.dragonflybsd.org" target="_blank">users@lists.dragonflybsd.org</a>><br>
Subject: Re: OpenSSL: no "legacy" provider<br>
<br>
Thierry,<br>
<br>
we're inheriting most of the options (and ports) we use from FreeBSD ports.<br>
<br>
I just checked, LEGACY option is disabled in their ports tree<br>
<a href="https://cgit.freebsd.org/ports/tree/security/openssl/Makefile#n43" rel="noreferrer" target="_blank">https://cgit.freebsd.org/ports/tree/security/openssl/Makefile#n43</a><br>
<br>
But your port uses the base SSL of FreeBSD, which is different from the one in DragonFly (LibreSSL, not up-to-date). So we will see how to adapt so that the port can build properly.<br>
<br>
Can you please open an issue in either <a href="https://bugs.dragonflybsd.org" rel="noreferrer" target="_blank">https://bugs.dragonflybsd.org</a> or in <a href="https://github.com/DragonFlyBSD/DeltaPorts" rel="noreferrer" target="_blank">https://github.com/DragonFlyBSD/DeltaPorts</a> about that ?<br>
<br>
Le 06/02/2026 à 16:30, Thierry Lelégard a écrit :<br>
> Hi Pierre-Alain,<br>
> <br>
> Thanks for your response. It clearly explains the problem.<br>
> <br>
> The choice of building the openssl package with the FIPS module but <br>
> not the LEGACY one is quite unfortunate. It makes the openssl package <br>
> incompatible with all other operating systems, where the "legacy" <br>
> provider is always available by default.<br>
> <br>
> Rebuilding openssl is of course possible but that is probably not what <br>
> a user would expect to do. If I would like to add tsduck (my<br>
> project) to DragonFly's DPort (it has been recently added to FreeBSD <br>
> Ports), it would require openssl as a dependency. However, that <br>
> openssl package does not meet the requirement for the "legacy" package.<br>
> And therefore, tsduck cannot be added to DPort.<br>
> <br>
> Do you think that there is any chance to have openssl rebuilt with the <br>
> "legacy" provider enabled by default? And also maybe a decently more <br>
> recent version? The current OpenSSL project is at version 3.6. Version <br>
> 3.0 is outdated.<br>
> <br>
> I understand that this is too demanding for my project. But any other <br>
> application requiring legacy cryptographic algorithms would face the <br>
> same problem. So, this is a more general issue.<br>
> <br>
> Of course, the term "legacy" is not appealing. However, some <br>
> applications need this module. It contains old cryptographic <br>
> algorithms which are no longer considered secure enough. They should <br>
> not be used in new applications. This is why OpenSSL moved them in a "legacy"<br>
> provider. They are no longer usable by default. The application must <br>
> explicitly activate that provider to use them, making it clear that <br>
> this is legacy stuff. But applications working on old data or old <br>
> protocols (such as ATSC TV streams in the case of<br>
> tsduck) need them. So having the legacy provider available on demand <br>
> is a requirement for these applications.<br>
> <br>
> -Thierry Lelégard (<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>)<br>
> <br>
> -----Original Message-----<br>
> From: Pierre-Alain <<a href="mailto:pierre-alain@toret.fr" target="_blank">pierre-alain@toret.fr</a>><br>
> To: John <<a href="mailto:dragonflybsd@marino.st" target="_blank">dragonflybsd@marino.st</a>>; Thierry <<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>><br>
> Cc: users <<a href="mailto:users@lists.dragonflybsd.org" target="_blank">users@lists.dragonflybsd.org</a>><br>
> Date: Friday, 6 February 2026 3:42 PM CET<br>
> Subject: Re: OpenSSL: no "legacy" provider<br>
> <br>
> <br>
> Hi Thierry,<br>
> <br>
> concerning DPorts, there is the LEGACY option available :<br>
> <br>
> <a href="https://gitweb.dragonflybsd.org/?p=dports.git;a=blob;f=security/openss" rel="noreferrer" target="_blank">https://gitweb.dragonflybsd.org/?p=dports.git;a=blob;f=security/openss</a><br>
> l/Makefile;h=13d4729473fec2601acac1aaa9bd81526b70946b;hb=HEAD#l71<br>
> <br>
> But if you look at the line defining OPTIONS_DEFAULT, it's disabled. <br>
> So you would need to rebuild the package with that LEGACY option <br>
> enabled to get the legacy provider module built-in.<br>
> <br>
> It's building fine on current master.<br>
> <br>
> Le 06/02/2026 à 15:03, John Marino (DragonFly) a écrit :<br>
>> So between FreeBSD and NetBSD you are mixing up your SSL sources. <br>
>> You quoted the base SSL on FreeBSD and you quoted the pkgsrc version of openssl.<br>
>><br>
>> So I assume you are looking at the base SSL of DragonFly which is <br>
>> actually an older libreSSL.<br>
>><br>
>> What you should be looking at is the dports or Ravenports version of <br>
>> openssl 3.0, because you would be linking with those, not the base <br>
>> SSL library.<br>
>><br>
>> For ravenports, openssl3 does indeed install a legacy.so.<br>
>> <a href="https://www.ravenports.com/catalog/bucket_B9/openssl30/std/" rel="noreferrer" target="_blank">https://www.ravenports.com/catalog/bucket_B9/openssl30/std/</a> <https:// <br>
>> <a href="http://www.ravenports.com/catalog/bucket_B9/openssl30/std/" rel="noreferrer" target="_blank">www.ravenports.com/catalog/bucket_B9/openssl30/std/</a>><br>
>> <a href="https://raw.githubusercontent.com/Ravenports/Ravenports/master/" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/Ravenports/Ravenports/master/</a><br>
>> bucket_B9/openssl30 <<a href="https://raw.githubusercontent.com/Ravenports/" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/Ravenports/</a><br>
>> Ravenports/master/bucket_B9/openssl30><br>
>><br>
>> John<br>
>><br>
>><br>
>> On Fri, Feb 6, 2026 at 7:58 AM Thierry Lelégard <<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a> <br>
>> <mailto:<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> I maintain an open source project (<a href="http://tsduck.io" rel="noreferrer" target="_blank">tsduck.io</a> <<a href="http://tsduck.io" rel="noreferrer" target="_blank">http://tsduck.io</a>>)<br>
>> which uses OpenSSL as cryptographic<br>
>> library. For some old format, DES is used. No need to comment why<br>
>> DES shall no<br>
>> longer be used, it's for management of old data only.<br>
>><br>
>> With OpenSSL, DES is now part of the "legacy" provider module. The<br>
>> provider must<br>
>> be explicitly activated in the application.<br>
>><br>
>> On FreeBSD 15.0 with OpenSSL 3.5.4, the legacy provider module is in<br>
>> /usr/lib/ossl-modules/legacy.so.<br>
>><br>
>> On NetBSD 9.3 with OpenSSL 3.6.0, it is in /usr/pkg/lib/ossl-<br>
>> modules/legacy.so.<br>
>><br>
>> However, on DragonFly BSD 6.4.2 with OpenSSL 3.0.15, there is no<br>
>> "legacy" module.<br>
>> The only SSL module is the "fips" one in /usr/local/lib/ossl-<br>
>> modules/fips.so.<br>
>> And of course, all DES operations fail.<br>
>><br>
>> It is not a matter of OpenSSL version, the principle of "providers"<br>
>> was introduced<br>
>> in 3.0 and the legacy provider was created to host old algorithms.<br>
>><br>
>> Is there a "legacy" OpenSSL module with DragonFly BSD or was it<br>
>> completely removed<br>
>> from the OpenSSL package? I found no additional package which could<br>
>> install it.<br>
>><br>
>> Thanks for your help.<br>
>><br>
>> -Thierry Lelégard (<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a> <br>
>> <mailto:<a href="mailto:thierry@lelegard.fr" target="_blank">thierry@lelegard.fr</a>>)<br>
>><br>
> <br>
<br>
<br>
</blockquote></div></div>