
Updating OpenSSL breaks Nextcloud server 23/24/25 side encryption due to RC4 deprecation #197726

Closed
AkechiShiro opened this issue Oct 25, 2022 · 4 comments

Comments

@AkechiShiro
Contributor

Describe the bug

Updating OpenSSL breaks Nextcloud server 24/25's server-side encryption (RC4 is deprecated and removed, but used by Nextcloud).

PR being developed for a fix upstream: nextcloud/server#25551

Issue mentioning a workaround: nextcloud/server#32003

Workaround mentioned upstream:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

I couldn't make this workaround work on NixOS, just yet, I've attempted:

environment.etc = {
  # Creates /etc/openssl.conf. Note that OpenSSL only reads OPENSSLDIR/openssl.cnf
  # (a Nix store path on NixOS) unless OPENSSL_CONF points at this file.
  "openssl.conf" = {
    text = ''
      # Without this header the [provider_sect] below is never consulted.
      openssl_conf = openssl_init

      [openssl_init]
      providers = provider_sect

      [provider_sect]
      default = default_sect
      legacy = legacy_sect

      [default_sect]
      activate = 1

      [legacy_sect]
      activate = 1
    '';
    # The UNIX file mode bits
    mode = "0440";
  };
};

Steps To Reproduce

Steps to reproduce the behavior:

  1. Updating openssl breaks Nextcloud 24/25's Server Side Encryption

Expected behavior

Server side encryption should just work.

Screenshots

Errors on the web interface or in the logs contain one or more of the following:

OCA\Encryption\Exceptions\MultiKeyDecryptException: multikeydecrypt with share key failed:error:0480006C:PEM routines::no start line
OCA\Encryption\Exceptions\MultiKeyDecryptException: multikeydecrypt with share key failed:error:0308010C:digital envelope routines::unsupported
Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed:error:0308010C:digital envelope routines::unsupported

Additional context

Bug due to deprecation of RC4 in OpenSSL by default, not due to Nix/NixOS.

Notify maintainers

@schneefux @bachp @globin @fpletz

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

- system: `"x86_64-linux"`
- host os: `Linux 5.15.64, NixOS, 22.11 (Raccoon), 22.11pre420607.969c3ccf30a`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.11.0`
- channels(root): `"nixos, nixos-old-20.09, nixos-unstable, nixpkgs-unstable"`
- channels(user): `""`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

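
A complete form of the legacy-provider config from the report, together with a check that it actually takes effect, added here as an example and not code from the issue, from Nextcloud or from nixpkgs. It assumes an OpenSSL 3 `openssl` binary on PATH with its legacy module installed and hands the file to OpenSSL through the `OPENSSL_CONF` environment variable, because OpenSSL otherwise reads only `OPENSSLDIR/openssl.cnf` (see `openssl version -d`) and never `/etc/openssl.conf`; the `openssl_conf`/`[openssl_init]` header it adds is the part the upstream fragment omits.

```shell
#!/bin/sh
# Added example, not code from the issue or nixpkgs: a complete OpenSSL 3 config
# activating the legacy provider, plus a check that it actually takes effect.
# Assumes an OpenSSL 3 `openssl` on PATH with the legacy module installed.

write_legacy_cnf() {  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
# The header the upstream fragment omits: without it [provider_sect] is never read.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

legacy_provider_loaded() {  # $1 = config path; 0 if the legacy provider is listed
  OPENSSL_CONF="$1" openssl list -providers 2>/dev/null | grep -qE '^ *legacy$|Legacy Provider'
}

rc4_available() {  # $1 = config path; 0 if RC4 round-trips, 1 otherwise
  dir=$(mktemp -d) || return 1
  printf 'probe' > "$dir/pt"
  # Without the legacy provider, enc fails with the issue's "digital envelope routines::unsupported".
  if OPENSSL_CONF="$1" openssl enc -rc4 -pbkdf2 -pass pass:constructed-test-pw \
       -in "$dir/pt" -out "$dir/ct" 2>/dev/null &&
     OPENSSL_CONF="$1" openssl enc -d -rc4 -pbkdf2 -pass pass:constructed-test-pw \
       -in "$dir/ct" -out "$dir/back" 2>/dev/null &&
     [ "$(cat "$dir/back")" = "probe" ]; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

# Stand-alone run: write the config to a temp file and report the verdict.
cnf=$(mktemp) && write_legacy_cnf "$cnf"
if legacy_provider_loaded "$cnf" && rc4_available "$cnf"; then
  echo "legacy provider active: RC4 works with OPENSSL_CONF=$cnf"
else
  echo "RC4 still unavailable: check 'openssl version -d' and OPENSSL_CONF"
fi
```

The same two checks can be pointed at the real `OPENSSLDIR/openssl.cnf` of the PHP build to confirm whether the workaround reached the interpreter that Nextcloud runs under.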
@ajs124
Member

ajs124 commented Oct 25, 2022

Ouch. We could maybe offer something like php_openssl_legacy? cc @NixOS/php

For that we'd need an openssl_3 with an openssl.conf containing those settings and override that into php.

@RaitoBezarius
Member

@ajs124 I have some code that adds the above-mentioned workaround (1) for OpenSSL 3, which I am still testing; will do a PR soon.
Another workaround (2) is to use an OpenSSL extension linked against OpenSSL 1.1.1q for PHP; will do a PR for this soon too.

In all cases, upgrading to NextCloud 25 is dangerous at the moment. I'd advise to:

  • either apply workaround (1) by default for NextCloud (we are already building an environment on top of the phpPackage, we can override the openssl extension there)

  • or apply workaround (2) by default for NextCloud

  • write a release note NOW regarding OpenSSL and RC4 NextCloud encryption (?)

  • make this issue a release blocker for 22.11? (cc @mweinelt)

@ajs124
Member

ajs124 commented Oct 29, 2022

cc @Ma27

@mweinelt
Member

Resolved in #198470
