Pacman mirrors failed to run with custom hardened openssl build

Command executed:

sudo pacman-mirrors -id -aS stable -P https -t 10

Error received:

Traceback (most recent call last):
File "/usr/bin/pacman-mirrors", line 20, in <module>
from pacman_mirrors import pacman_mirrors
File "/usr/lib/python3.9/site-packages/pacman_mirrors/pacman_mirrors.py", line 31, in <module>
from pacman_mirrors.builder import common, fasttrack, interactive
File "/usr/lib/python3.9/site-packages/pacman_mirrors/builder/common.py", line 24, in <module>
from pacman_mirrors.builder.builder import build_pool
File "/usr/lib/python3.9/site-packages/pacman_mirrors/builder/builder.py", line 26, in <module>
from pacman_mirrors.functions.outputFn import write_custom_mirrors_json
File "/usr/lib/python3.9/site-packages/pacman_mirrors/functions/outputFn.py", line 23, in <module>
from pacman_mirrors.functions import customFn
File "/usr/lib/python3.9/site-packages/pacman_mirrors/functions/customFn.py", line 22, in <module>
from pacman_mirrors.functions import defaultFn
File "/usr/lib/python3.9/site-packages/pacman_mirrors/functions/defaultFn.py", line 23, in <module>
from pacman_mirrors.functions import pools
File "/usr/lib/python3.9/site-packages/pacman_mirrors/functions/pools.py", line 23, in <module>
from pacman_mirrors.functions.httpFn import get_ip_country
File "/usr/lib/python3.9/site-packages/pacman_mirrors/functions/httpFn.py", line 26, in <module>
import ssl
File "/usr/lib/python3.9/ssl.py", line 98, in <module>
import _ssl             # if we can't import it, let the error propagate
ImportError: /usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so: undefined symbol: TLSv1_2_method, version OPENSSL_1_1_0

Why is it referring to openssl 1.1.0 instead of latest release version openssl 1.1.1j (From repo) or openssl 1.1.1k (From AUR)

Also why is TLSv1_2_method symbol missing.

My PKGBUILD for openssl

# Maintainer:  Vincent Grande <shoober420@gmail.com>
# Contributor: Pierre Schmitz <pierre@archlinux.de>

pkgname=openssl-hardened
_ver=1.1.1k
# use a pacman compatible version scheme
# (splits the trailing letter into its own dot component, e.g. 1.1.1k -> 1.1.1.k)
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
pkgrel=1
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
arch=('x86_64')
url='https://www.openssl.org'
license=('custom:BSD')
depends=('glibc')
makedepends=('perl')
optdepends=('ca-certificates' 'perl')
replaces=('openssl-perl' 'openssl-doc')
backup=('etc/ssl/openssl.cnf')
# Drop-in replacement for the distribution openssl package: every binary already
# linked against libssl/libcrypto will load this build, so it has to keep the
# exported symbol set of the package it replaces.
provides=(openssl)
conflicts=(openssl)
# The tarball is fetched from a mirror rather than openssl.org; its integrity
# rests entirely on the sha256sum below.
source=("https://artfiles.org/openssl.org/source/openssl-$_ver.tar.gz"
	'ca-dir.patch')
sha256sums=('892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5'
	    '75aa8c2c638c8a3ebfd9fa146fc61c7ff878fc997dc6aa10d39e4b2415d669b2')
# NOTE(review): validpgpkeys only takes effect when a detached signature
# (.asc/.sig) is listed in source=() with a matching 'SKIP' checksum; none is
# listed here, so no PGP verification happens during makepkg.
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491'
	'7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C')

prepare() {
	cd "${srcdir}/openssl-${_ver}"

	# ca-dir.patch points the default CA directory at /etc/ssl
	patch -p0 -i "${srcdir}/ca-dir.patch"
}

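build() {
	cd "$srcdir/openssl-$_ver"

	# Do NOT pass `no-deprecated` here. It strips the deprecated-but-still-
	# exported 1.1.0 entry points (TLSv1_2_method and friends) from libssl,
	# and because this package provides/conflicts openssl, prebuilt consumers
	# such as the distribution's python _ssl module then fail to load with
	#   undefined symbol: TLSv1_2_method, version OPENSSL_1_1_0
	# The no-*-method switches below also remove exported functions (e.g.
	# no-tls1-method drops the TLSv1_method family); a prebuilt binary that
	# references one of them fails the same way, so keep them only after
	# checking what the installed consumers actually link against.
	# NOTE(review): enable-egd turns on the EGD entropy-socket code path;
	# confirm it is needed before keeping it.
	# The final quoted argument is deliberately one word: Configure treats a
	# leading '-' argument as extra compiler/linker flags.
	# mark stack as non-executable: http://bugs.archlinux.org/task/12434
	./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
		shared enable-ec_nistp_64_gcc_128 linux-x86_64 no-comp no-weak-ssl-ciphers \
		no-dtls1 no-dtls1-method no-ssl2 no-ssl3 no-ssl3-method no-tls1 no-tls1-method \
		enable-egd \
		-DOPENSSL_USE_IPV6=0 \
		"-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

	make depend
	make
}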

check() {
	cd "${srcdir}/openssl-${_ver}"

	# The test suite cannot write to /etc/ssl, so undo the ca-dir patch while
	# it runs and put it back afterwards.
	patch -p0 -R -i "${srcdir}/ca-dir.patch"
	make test
	patch -p0 -i "${srcdir}/ca-dir.patch"

	# CA.pl is generated from its .in file; rebuild it so the re-applied patch
	# is reflected in the script that gets installed.
	make apps/CA.pl
}

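package() {
	cd "$srcdir/openssl-$_ver"

	# Quote $pkgdir: an unquoted expansion is word-split, so a build root
	# containing whitespace would hand make/install a broken destination.
	make DESTDIR="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install_sw install_ssldirs install_man_docs

	# The license lands under licenses/openssl (the package this one provides)
	# rather than under $pkgname.
	install -D -m644 LICENSE "$pkgdir/usr/share/licenses/openssl/LICENSE"
}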

TLS 1.1, TLS 1.2 and TLS 1.3 are enabled by default. I chose to build openssl with TLS 1.0, DTLSv1, SSLv2 and SSLv3 disabled. The build also ignores weak SSL ciphers.

Any help is much appreciated

pacman-mirrors uses the Python request library.

I remember when we used urllib it was necessary to set SSL context - I don’t think we do that now - I will take a look at the code - but don’t get your hopes up.

Correct. The last line in the error says

ImportError: /usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so: undefined symbol: TLSv1_2_method, version OPENSSL_1_1_0

And package owner for

/usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so

is

/usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so is owned by python 3.9.2-1

If I try to build with --api=1.1.1 no-deprecated, the build fails,

but --api=1.1.0 no-deprecated works.

So the modified build configuration is as follows; the additional flags are marked in BOLD.

./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib --api=1.1.0
shared enable-ec_nistp_64_gcc_128 linux-x86_64 no-comp no-deprecated
no-weak-ssl-ciphers no-dtls1 no-dtls1-method no-ssl3 no-ssl3-method no-tls1 no-tls1-method
enable-tls1_1 enable-tls1_1-method enable-tls1_2 enable-tls1_2-method enable-tls1_3 enable-egd
-DOPENSSL_USE_IPV6=0
"-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

It appears openssl is currently built with support for deprecated APIs, and the distribution packages are built against that openssl. Hence a hardened openssl would require recompiling all dependent packages against it, and it is quite possible that many packages still use deprecated APIs, so I would have to build everything locally and debug / fix the codebase. My skillset restricts me, and I understand rebuilding all Manjaro packages is certainly not feasible.

Hopefully in the future, when the 1.1.0 branch of openssl is retired / replaced by the 3.0 branch, Arch Linux would transition, and thereafter it would happen for Manjaro and other Arch Linux based distros.