-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate loading legacy provider with OpenSSL 3.0 #40455
Comments
@danbev It looks like we don't build at least
|
@richardlau Thanks, I'll take a look. These gypi files are generated and perhaps we are missing, or reading the wrong source list from configdata.pm. |
This commit adds a missing OpenSSL 3.0 source file, legacyprov.c. Refs: nodejs#40455
This commit adds a configuration time flag to enable OpenSSL legacy module to be built. For example, the following will build the legacy module: $ ./configure --openssl-legacy-module To enable the default provider one has currently has to update the OpenSSL configuration file, openssl.cnf: [openssl_init] providers = provider_sect [provider_sect] default = default_sect legacy = legacy_sect [default_sect] activate = 1 [legacy_sect] activate = 1 This module can then be used by specifying the environment variable OPENSSL_MODULES like this: $ env OPENSSL_MODULES= \ $PWD/out/Release/obj.target/deps/openssl/lib/openssl-modules \ OPENSSL_CONF=out/Release/obj.target/deps/openssl/openssl.cnf \ ./node -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } Refs: nodejs#40455
FWIW This hack appears to allow the legacy provider to be statically compiled and loaded: diff --git a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
index 46cc9b2b4a..13b6d6eb96 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
index cb90c57338..4f5a640dd8 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
index 647092c410..279a4d27c3 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
@@ -782,6 +782,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 4d4e6f2801..d178ffaa61 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -29,6 +29,7 @@
# is able to create a malicious DLL in one of the default search paths.
'OPENSSL_NO_HW',
'OPENSSL_API_COMPAT=0x10100001L',
+ 'STATIC_LEGACY',
#'OPENSSL_NO_DEPRECATED',
],
'conditions': [
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 7e0c8ba3eb..c1fe6fb6ac 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -170,6 +170,16 @@ void InitCryptoOnce() {
ENGINE_load_builtin_engines();
#endif // !OPENSSL_NO_ENGINE
+#if OPENSSL_VERSION_MAJOR >= 3
+ // Put behind a flag?
+ {
+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+ if (legacy_provider == nullptr) {
+ fprintf(stderr, "Unable to load legacy provider.\n");
+ }
+ }
+#endif
+
NodeBIO::GetMethod();
}
I'm not entirely sure how to get |
This commit adds a configuration time flag to enable OpenSSL legacy module to be built. For example, the following will build the legacy module: $ ./configure --openssl-legacy-module To enable the default provider one has currently has to update the OpenSSL configuration file, openssl.cnf: [openssl_init] providers = provider_sect [provider_sect] default = default_sect legacy = legacy_sect [default_sect] activate = 1 [legacy_sect] activate = 1 This module can then be used by specifying the environment variable OPENSSL_MODULES like this: $ env OPENSSL_MODULES= \ $PWD/out/Release/obj.target/deps/openssl/lib/openssl-modules \ OPENSSL_CONF=out/Release/obj.target/deps/openssl/openssl.cnf \ ./node -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } Refs: nodejs#40455
This commit adds an option to Node.js named --openssl-legacy-module and if specified will load OpenSSL 3.0 Legacy provider. $ ./node --help ... --openssl-legacy-module enable OpenSSL 3.0 legacy module Example usage: $ ./node --openssl-legacy-module -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Co-authored-by: Richard Lau <rlau@redhat.com> Refs: nodejs#40455
This sounds good to me and if we can do that and not have to mess around with openssl.cnf that is great.
Yeah, I was not sure about this either. We need to add this to generate_gypi.pl. The easiest way to try this out it to update that file and then run I've opened a pull request based on your suggestion: #40478. I've added you as Co-author which I hope is alright. |
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider. $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Example usage: $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Co-authored-by: Richard Lau <rlau@redhat.com> Refs: nodejs#40455
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider. $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Example usage: $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Co-authored-by: Richard Lau <rlau@redhat.com> Refs: #40455 PR-URL: #40478 Refs: #40455 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Modify the build matrix to add Node 17 to the environments under test. The GCC setup from Node 16 is reused here. As a workaround for a bug caused by Node 17 switching to OpenSSL 3, we add the `--openssl-legacy-provider` option to the `NODE_OPTIONS` environment variable. See [this node issue][node] and [this webpack issue][webpack] for details. [node]: nodejs/node#40455 [webpack]: webpack/webpack#14532
Modify the build matrix to add Node 17 to the environments under test. The GCC setup from Node 16 is reused here. As a workaround for a bug caused by Node 17 switching to OpenSSL 3, we add the `--openssl-legacy-provider` option to the `NODE_OPTIONS` environment variable. See [this node issue][node] and [this webpack issue][webpack] for details. [node]: nodejs/node#40455 [webpack]: webpack/webpack#14532
Modify the build matrix to add Node 17 to the environments under test. The GCC setup from Node 16 is reused here. As a workaround for a bug caused by Node 17 switching to OpenSSL 3, we add the `--openssl-legacy-provider` option to the `NODE_OPTIONS` environment variable. See [this node issue][node] and [this webpack issue][webpack] for details. [node]: nodejs/node#40455 [webpack]: webpack/webpack#14532
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: nodejs#40948 Refs: nodejs#40455 PR-URL: nodejs#40478 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: #40948 Refs: #40455 PR-URL: #40478 Backport-PR-URL: #42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: #40948 Refs: #40455 PR-URL: #40478 Backport-PR-URL: #42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
use nodejs 17, which supports --openssl-legacy-provider options which seems to be needed for openssl3. This option is not backported to nodejs 16. ref: webpack/webpack#14532 ref: nodejs/node#40455
This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: nodejs/node#40948 Refs: nodejs/node#40455 PR-URL: nodejs/node#40478 Backport-PR-URL: nodejs/node#42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Node.js 16+ supports dynamically linking with OpenSSL 3.0, however, that results in 'error:0308010C:digital envelope routines::unsupported' error. To work-around that with the legacy Webpack 4.0 we use, one needs to enable the OpenSSL 3.0 Legacy provider by setting: NODE_OPTIONS=--openssl-legacy-provider For more info, see: - webpack/webpack#14532 - nodejs/node#40455 - nodejs/node#40948
Node.js 16+ supports dynamically linking with OpenSSL 3.0, however, that results in 'error:0308010C:digital envelope routines::unsupported' error. To work-around that with the legacy Webpack 4.0 we use, one needs to enable the OpenSSL 3.0 Legacy provider by setting: NODE_OPTIONS=--openssl-legacy-provider For more info, see: - webpack/webpack#14532 - nodejs/node#40455 - nodejs/node#40948
In my case I had some webpack commands which failed
and would need an NODE OPTION set for every command/task, which looks ugly:
So I was looking for a solution how to set this "globally" at least per project.
After reading the documentation, it seems that we can set node options this way: So when I add the following to my
maybe this helps someone else, migrating from NODE 14/16 to NODE >16 |
PS D:\Work Area------\admin> ng serve Error: error:0308010C:digital envelope routines::unsupported Node.js v18.19.1 i'm facing this issue in angular , even it's Node v20 |
I though it would be possible to enable it but updating openssl.cnf like this:
But that does not work:
This issue should take a closer look at how the legacy provider can be enabled.
Refs: #40119 (comment)
The text was updated successfully, but these errors were encountered: