Opened 6 months ago

Closed 6 months ago

#68763 closed defect (fixed)

openssh @9.5p1_2: Fails to configure on Lion & Mtn Lion - Missing entropy source

Reported by: RobK88 Owned by: fhgwright (Fred Wright)
Priority: Normal Milestone:
Component: ports Version: 2.8.1
Keywords: lion, mountainlion Cc: artkiver (グレェ), RobK88, neverpanic (Clemens Lang)
Port: openssh

Description (last modified by RobK88)

I am unable to upgrade openssh to version @9.5p1_2 on Lion and Mtn Lion. I see a configure error.

Below is the error seen on Lion:

configure: error: OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options
Command failed:  cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-9.5p1" && ./configure --prefix=/opt/local --with-ssl-dir=/opt/local --sysconfdir=/opt/local/etc/ssh --with-privsep-path=/var/empty --with-md5-passwords --with-pid-dir=/opt/local/var/run --with-pam --mandir=/opt/local/share/man --with-zlib=/opt/local --without-kerberos5 --with-libedit --with-pie --without-xauth --without-ldns --with-audit=bsm --with-keychain=apple 
Exit code: 1
Error: Failed to configure openssh: consult /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-9.5p1/config.log
Error: Failed to configure openssh: configure failure: command execution failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/main.log for details.
Error: Follow https://guide.macports.org/#project.tickets if you believe there is a bug.

Attachments (3)

main.log (47.5 KB) - added by RobK88 6 months ago.
config.log (980.7 KB) - added by RobK88 6 months ago.
config.log from Mtn Lion
main.2.log (47.9 KB) - added by RobK88 6 months ago.
main.log from Mtn Lion


Change History (17)

Changed 6 months ago by RobK88

Attachment: main.log added

comment:1 Changed 6 months ago by RobK88

Cc: RobK88 added

comment:2 Changed 6 months ago by RobK88

Summary: changed from "openssh @ 9.5p1_2 - Fails to configure on Lion" to "openssh @ 9.5p1_2 - Fails to configure on Lion - Missing entropy source"

comment:3 Changed 6 months ago by RobK88

Keywords: mountainlion added
Summary: changed from "openssh @ 9.5p1_2 - Fails to configure on Lion - Missing entropy source" to "openssh @ 9.5p1_2 - Fails to configure on Lion & Mtn Lion - Missing entropy source"

It also fails to configure on Mtn Lion. I will attach configure.log.

Changed 6 months ago by RobK88

Attachment: config.log added

config.log from Mtn Lion

Changed 6 months ago by RobK88

Attachment: main.2.log added

main.log from Mtn Lion

comment:4 Changed 6 months ago by RobK88

Description: modified (diff)

comment:5 Changed 6 months ago by RobK88

You may want to consider adding @neverpanic, who made the last commit for openssh, to this ticket.

Last edited 6 months ago by RobK88

comment:6 Changed 6 months ago by RobK88

The cause of this configure error for openssh may really stem from openssl not being properly configured before it was built.

comment:7 in reply to:  6 Changed 6 months ago by artkiver (グレェ)

Thank you for reporting this! I am not sure if I have any Lion or Mountain Lion systems to test against at the moment, but I will see what I can do.

As one possible workaround, can you see if you are running into the same sorts of issues if using libressl https://ports.macports.org/port/libressl/ from MacPorts instead of openssl? If attempting that workaround you may need to deactivate openssl, and I realize not all MacPorts are presently using the following sorts of parameters in their Portfiles:

    depends_lib         path:lib/libssl.dylib:openssl \

which facilitates compatibility with different TLS libraries so it might raise some challenges for things aside from OpenSSH; but it will at least help us to narrow down if this is an OpenSSL related issue (which would be my first guess given the revision was in relation to that) or something else.

Thank you again for bringing this to our attention!

Replying to RobK88:

The cause of this configure error for openssh may really stem from openssl not being properly configured before it was built.

comment:8 Changed 6 months ago by RobK88

When I get a chance, I will try adding depends_lib path:lib/libssl.dylib:openssl \ to the Portfile for openssh.

comment:9 Changed 6 months ago by RobK88

P.S. I also tried openssh @ 9.5p1_2 on High Sierra. It works! It does not look like openssh @ 9.5p1_2 is broken on High Sierra.

comment:10 Changed 6 months ago by RobK88

No luck installing libressl

bash-3.2$ sudo port deactivate openssl
Password:
Note: It is not recommended to uninstall/deactivate a port that has dependents as it breaks the dependents.
The following ports will break:
 libevent @2.1.12_2
 ntp @4.2.8p17_0
 xar @1.8.0.498_0
 kerberos5 @1.21.2_0
 cyrus-sasl2 @2.1.28_1
 libfetch @9.0.0-RELEASE_3
 openldap @2.6.6_0
 python310 @3.10.13_0
 rsync @3.2.7_0
 python39 @3.9.18_0
 opusfile @0.12_1
 libshout2 @2.4.6_0
 neon @0.32.5_0
 w3m @0.5.3.20230121_0
 qt4-mac @4.8.7_14
 net-snmp @5.9.4_0
 sane-backends @1.2.1_1
 python311 @3.11.6_0
 curl @8.4.0_0
 libgit2 @1.7.1_0
 openssh @9.5p1_1
 sudo @1.9.15p2_0
 postgresql15 @15.5_0
 xmlsec-1.2 @1.2.38_0
 openvpn2 @2.6.8_0
 gdal @3.8.0_1
 p5.34-net-ssleay @1.920.0_2
Continue? [y/N]: Y
Warning: Deactivate forced.  Proceeding despite dependencies.
--->  Deactivating openssl @3_15+universal
--->  Cleaning openssl
bash-3.2$ 

bash-3.2$ sudo port clean openssh
--->  Cleaning openssh

bash-3.2$ sudo port install libressl
--->  Fetching archive for libressl
--->  Attempting to fetch libressl-3.8.2_0.darwin_11.x86_64.tbz2 from http://packages.macports.org/libressl
--->  Attempting to fetch libressl-3.8.2_0.darwin_11.x86_64.tbz2 from http://mirror.fcix.net/macports/packages/libressl
--->  Attempting to fetch libressl-3.8.2_0.darwin_11.x86_64.tbz2 from http://ywg.ca.packages.macports.org/mirror/macports/packages/libressl
--->  Fetching distfiles for libressl
--->  Attempting to fetch libressl-3.8.2.tar.gz from https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
--->  Verifying checksums for libressl                                               
--->  Extracting libressl
--->  Applying patches to libressl
--->  Configuring libressl
Warning: Configuration logfiles contain indications of -Wimplicit-function-declaration; check that features were not accidentally disabled:
  getentropy: found in libressl-3.8.2/config.log
--->  Building libressl
Error: Failed to build libressl: command execution failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_libressl/libressl/main.log for details.
Error: Follow https://guide.macports.org/#project.tickets if you believe there is a bug.
Error: Processing of port libressl failed

This is a different bug. I was hoping libressl would fix the problem with openssh on Lion and Mtn Lion.

I filed a ticket for libressl - See comment:ticket:68770:1

Last edited 6 months ago by ryandesign (Ryan Carsten Schmidt)

comment:11 Changed 6 months ago by RobK88

The problem is definitely with the latest version of openssl and openssl3.

I reverted to the previous version of openssl and openssl3 by copying the previous Portfiles into my local repo. Then after building and installing the previous version of openssl and openssl3, I tried to build the latest version of openssh on Lion. It worked!

bash-3.2$ sudo port install openssl
Password:
--->  Computing dependencies for openssl
--->  Fetching distfiles for openssl
--->  Verifying checksums for openssl
--->  Extracting openssl
--->  Configuring openssl
--->  Building openssl
--->  Staging openssl into destroot
--->  Installing openssl @3_14
--->  Deactivating openssl @3_15+universal
--->  Cleaning openssl
--->  Activating openssl @3_14
--->  Cleaning openssl
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  No broken files found.                             
--->  No broken ports found.

bash-3.2$ sudo port install openssl3
--->  Computing dependencies for openssl3
--->  Fetching distfiles for openssl3
--->  Verifying checksums for openssl3
--->  Extracting openssl3
--->  Configuring openssl3
--->  Building openssl3                                  
--->  Staging openssl3 into destroot                     
--->  Installing openssl3 @3.1.4_0                       
--->  Deactivating openssl3 @3.2.0_0+universal
--->  Cleaning openssl3
--->  Activating openssl3 @3.1.4_0
--->  Cleaning openssl3
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  Found 4 broken files, matching files to ports      
--->  Found 1 broken port, determining rebuild order
You can always run 'port rev-upgrade' again to fix errors.
The following ports will be rebuilt: curl @8.4.0+ssl+universal
Continue? [Y/n]: Y
--->  Computing dependencies for curl
--->  Dependencies to be installed: openssl openssl3
--->  Fetching distfiles for openssl3
--->  Verifying checksums for openssl3
--->  Extracting openssl3
--->  Configuring openssl3
--->  Building openssl3                                  
--->  Staging openssl3 into destroot                     
--->  Installing openssl3 @3.1.4_0+universal             
--->  Deactivating openssl3 @3.1.4_0
--->  Cleaning openssl3
--->  Activating openssl3 @3.1.4_0+universal
--->  Cleaning openssl3
--->  Fetching distfiles for openssl
--->  Verifying checksums for openssl
--->  Extracting openssl
--->  Configuring openssl
--->  Building openssl
--->  Staging openssl into destroot
--->  Installing openssl @3_14+universal
--->  Deactivating openssl @3_14
--->  Cleaning openssl
--->  Activating openssl @3_14+universal
--->  Cleaning openssl
--->  Cleaning curl
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  No broken files found.                             
--->  No broken ports found.

bash-3.2$ sudo port clean openssh
Password:
--->  Cleaning openssh

bash-3.2$ port installed openssh
The following ports are currently installed:
  openssh @9.5p1_1 (active)
 
bash-3.2$ sudo port upgrade openssh
--->  Computing dependencies for openssh
--->  Fetching distfiles for openssh
--->  Verifying checksums for openssh
--->  Extracting openssh
--->  Applying patches to openssh
--->  Configuring openssh
--->  Building openssh                                   
--->  Staging openssh into destroot                      
--->  Creating launchd control script 'OpenSSH'
--->  Installing openssh @9.5p1_2                        
--->  Cleaning openssh
--->  Computing dependencies for openssh
--->  Deactivating openssh @9.5p1_1
--->  Cleaning openssh
--->  Activating openssh @9.5p1_2
--->  Cleaning openssh
--->  Scanning binaries for linking errors
--->  No broken files found.                             
--->  No broken ports found.
--->  Some of the ports you installed have notes:
  openssh has the following notes:
    A startup item has been generated that will aid in starting openssh with launchd. It is disabled by default. Execute the
    following command to start it, and to cause it to launch at startup:
    
        sudo port load openssh
Last edited 6 months ago by RobK88

comment:12 Changed 6 months ago by ryandesign (Ryan Carsten Schmidt)

Cc: neverpanic added
Summary: changed from "openssh @ 9.5p1_2 - Fails to configure on Lion & Mtn Lion - Missing entropy source" to "openssh @9.5p1_2: Fails to configure on Lion & Mtn Lion - Missing entropy source"

Seems like the update to openssl3 @3.2.0 has caused problems for many ports.

comment:13 Changed 6 months ago by neverpanic (Clemens Lang)

Sounds like this is a duplicate of #68766? Any reason why we shouldn't just close it as that?

comment:14 Changed 6 months ago by fhgwright (Fred Wright)

Owner: set to fhgwright
Resolution: fixed
Status: changed from new to closed

In dbf4acd621d2b7b73d980baa4559cd8b722a075e/macports-ports (master):

openssl3: Roll back broken v3.2.0 to v3.1.4 on OS <10.13

Version 3.2.0 has many issues on many older platforms.

Adds -devel version to facilitate testing 3.2.0 in such cases.

Although the epoch bump is only needed for the rollback cases, making
it conditional on the OS version would require that it remain so in
the future, so the unconditional epoch bump is preferable. The epoch
bump is the only change for macOS >= 10.14.

Revbumps the usual suspects.

Closes: #68763
Closes: #68766

TESTED:
Built, tested, and ran "openssl rand -hex 8" on 10.4-10.5 ppc,
10.4-10.6 i386, 10.5-10.15 x86_64, and 11.x-14.x arm64
The 3.1.4 version builds for all relevant platforms, and passes its
tests on all but 10.6-10.8.
The 3.2.0 -devel version builds for all but 10.4, failing its tests on
10.5-10.9 and 10.13 universal.
The 3.2.0 version fails its tests on 10.14 and 14.x.
The non-devel versions all pass "openssl rand".
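The "openssl rand -hex 8" smoke test listed in the commit above, wrapped as a reusable check; this is an added example, not code from the ticket or from MacPorts. The function names and return codes are assumptions made for illustration, and the distinct-draws comparison is a heuristic added here, not a proof that the RNG is properly seeded.

```shell
#!/bin/sh
# Added example: sanity-check the random-number output of an OpenSSL build
# using the "openssl rand -hex 8" command from the commit's TESTED section.

# check_openssl_rand [path-to-openssl]
# Return codes (hypothetical, chosen for this example):
#   0  two draws succeeded, each is 16 hex digits, and they differ
#   1  the openssl command exited non-zero
#   2  output was not exactly 16 hex digits
#   3  two consecutive draws were identical
check_openssl_rand() {
    bin=${1:-openssl}
    a=$("$bin" rand -hex 8 2>/dev/null) || return 1
    b=$("$bin" rand -hex 8 2>/dev/null) || return 1
    for v in "$a" "$b"; do
        case $v in
            *[!0-9a-fA-F]*) return 2 ;;   # any non-hex character
        esac
        [ "${#v}" -eq 16 ] || return 2    # 8 bytes -> 16 hex digits
    done
    [ "$a" != "$b" ] || return 3
    return 0
}

# report_openssl_rand [path-to-openssl]
# Prints a one-line verdict and returns the code from check_openssl_rand.
report_openssl_rand() {
    rc=0
    check_openssl_rand "$@" || rc=$?
    case $rc in
        0) echo "ok: ${1:-openssl} produced two distinct 8-byte draws" ;;
        1) echo "fail: '${1:-openssl} rand -hex 8' exited non-zero" ;;
        2) echo "fail: output was not 16 hex digits" ;;
        3) echo "fail: two consecutive draws were identical" ;;
    esac
    return "$rc"
}

# Runs only when the script is given an argument, e.g. the path to the
# openssl binary under the MacPorts prefix.
[ $# -eq 0 ] || report_openssl_rand "$@"
```

Running this against the freshly activated openssl before rebuilding dependents such as openssh separates a library-level RNG problem from a port-level configure problem.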
