openssl_legacy: init and use

[ajs124]

Description of changes

Follow-up to #196906

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[vcunat]

I don't think we can catch this amount of rebuilds before branch-off, unless @mweinelt is OK with delaying it by a few days. (*-darwin stdenvs get rebuilt) Of course, that still doesn't prevent it from getting staged for both 21.11 and unstable.

[vcunat]

python310Packages.ntlm-auth builds with this, at least. (on x86_64-linux)

[mweinelt]

I think at this point we should go with staging-22.11.

[ajs124]

Alright, so I'll retarget this against staging and we backport it into staging-22.11, once that's created?

[SuperSandro2000]

Suggested change

	${lib.optionalString (conf != null) "cat ${conf} > $etc/etc/ssl/openssl.cnf"}
	'';
	'' + lib.optionalString (conf != null) ''
	cat ${conf} > $etc/etc/ssl/openssl.cnf
	'';

Normally not a big fan of this but shouldn't this cut down the amount of rebuilds?

[ajs124]

Probably, but I'd guess not significantly, since this PR changes openldap and python3.

[github-actions]

Successfully created backport PR #203138 for staging-22.11.

[vcunat]

This doesn't seem to work well on darwin, but I don't know why:
https://hydra.nixos.org/eval/1786377?filter=openldap#tabs-now-fail

[SuperSandro2000]

It doesn't like rc4

additional info: SASL(-1): generic failure: internal error: failed to init cipher 'rc4'

[vcunat]

Yes, I thought the need for RC4 was one of the reasons to try keeping older openssl in there. (and now a new reconfigured one)

[ajs124]

Hm. It works just fine on linux though. Maybe the openssl config file doesn't work the same way on darwin?

[vcunat]

We'll need some way forward. This breaks really many builds (roughly 1000*2).

I could simply put the rm line back as optionalString stdenv.isDarwin, but perhaps it would be better if someone checked that we're not leaving some big problem in there.

[tjni]

I don't know why exactly, but #204554 seems to fix the issue.

[vcunat]

I'm not familiar with library loading on darwin.

But I believe that even even on Linux+glibc these library overrides are a bit difficult. I'm sure libldap.so is typically not used stand-alone, and some binaries using it probably use openssl already (not in _legacy variant). In those cases it's not clear which version is loaded first and thus wins. What I'm certain of is that when you run an executable (without using extra loading magic), a particular SONAME is satisfied just once, including in all libraries – and thus each symbol name is consistent across the whole executable.

This mechanism can also cause problems when impure loading happens, e.g. in particular with /run/opengl-driver.

EDIT: I don't know openldap well; maybe it will almost always get used as the executables (and thus have separate library loading) and not as libraries.

[ajs124]

Usage of openldap as an executable or library are both common

[vcunat]

This is in nixos-unstable now, so I assume we're still backporting to 22.11 even though it's long past release?