Support OpenSSL 3.0 Legacy provider in version 16 #40948

herbrechtsmeier · 2021-11-24T10:54:06Z

Node v16 supports dynamically linking with OpenSSL 3.0 (#29817) but doesn't support OpenSSL 3.0 Legacy provider (#40455). Please backport 86d1c0c or always load the legacy provider for OpenSSL 3.0.

The text was updated successfully, but these errors were encountered:

No longer have support for MD4, the default hashFunction. Mess with webpack to use sha256. This solution is from: webpack/webpack#13572 (comment) And was added to phosphor-webui here: openbmc/phosphor-webui@8588400 Ideally --openssl-legacy-provider would work as webpack/webpack#14532 describes but Node 16 supports linking with SSL 3.0 but doesn't support openssl-legacy-provider. See nodejs/node#40948. This should enable the new Yocto bump to pass. Tested: Build Witherspoon Tacoma with https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48473 and the 3 and this change. The webui looked good. Change-Id: I66f2cc45af85096f9abe935d269838c6a680bc9b Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3 to be compatible with older OpenSSL major versions and resolve nodejs#40948.

Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3 to be inline with older OpenSSL major versions and support the default hashFunction MD4 of webpack. Fixes: nodejs#40948 Refs: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html Refs: https://webpack.js.org/plugins/hashed-module-ids-plugin/

Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3 to be inline with older OpenSSL major versions and support the default hashFunction MD4 of webpack. Fixes: nodejs#40948 Refs: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html Refs: https://webpack.js.org/plugins/hashed-module-ids-plugin/ Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>

Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3 to be inline with older OpenSSL major versions and support the default hashFunction MD4 of webpack. Fixes: nodejs#40948 Refs: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html Refs: https://webpack.js.org/plugins/hashed-module-ids-plugin/

This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: #40948 Refs: #40455 PR-URL: #40478 Backport-PR-URL: #42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Michael Dawson <midawson@redhat.com>

This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: nodejs#40948 Refs: nodejs#40455 PR-URL: nodejs#40478 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>

No longer have support for MD4, the default hashFunction. Mess with webpack to use sha256. This solution is from: webpack/webpack#13572 (comment) And was added to phosphor-webui here: openbmc/phosphor-webui@8588400 Ideally --openssl-legacy-provider would work as webpack/webpack#14532 describes but Node 16 supports linking with SSL 3.0 but doesn't support openssl-legacy-provider. See nodejs/node#40948. This should enable the new Yocto bump to pass. Tested: Build Witherspoon Tacoma with https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48473 and the 3 and this change. The webui looked good. Change-Id: I66f2cc45af85096f9abe935d269838c6a680bc9b Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

iamahuman · 2022-07-11T09:08:28Z

If anyone is suffering from this issue on *nix, compiling the following code as a shared library and putting it into LD_PRELOAD environment variable may work as a stopgap measure:

#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <dlfcn.h>
#include <openssl/ssl.h>
#include <openssl/provider.h>

int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
{
	static int once;
	static int (*orig_OPENSSL_init_ssl)(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
	if (!__atomic_exchange_n(&once, 1, __ATOMIC_ACQ_REL))
	{
		*(void **)&orig_OPENSSL_init_ssl = dlsym(RTLD_NEXT, "OPENSSL_init_ssl");
		OSSL_PROVIDER_load(NULL, "legacy");
	}
	return (*orig_OPENSSL_init_ssl)(opts, settings);
}

This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: #40948 Refs: #40455 PR-URL: #40478 Backport-PR-URL: #42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>

targos · 2022-07-18T10:30:34Z

Fixed in #42972

This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: #40948 Refs: #40455 PR-URL: #40478 Backport-PR-URL: #42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>

This commit adds an option to Node.js named --openssl-legacy-provider and if specified will load OpenSSL 3.0 Legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0. Building: $ ./configure --shared-openssl \ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \ --shared-openssl-includes=/path/openssl_quic-3.0/include \ --shared-openssl-libname=crypto,ssl $ make -j8 Verify options is available: $ ./node --help ... --openssl-legacy-provider enable OpenSSL 3.0 legacy provider Usage: $ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64 $ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/ $ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' Hash { _options: undefined, [Symbol(kHandle)]: Hash {}, [Symbol(kState)]: { [Symbol(kFinalized)]: false } } Fixes: nodejs/node#40948 Refs: nodejs/node#40455 PR-URL: nodejs/node#40478 Backport-PR-URL: nodejs/node#42972 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>

Node.js 16+ supports dynamically linking with OpenSSL 3.0, however, that results in 'error:0308010C:digital envelope routines::unsupported' error. To work-around that with the legacy Webpack 4.0 we use, one needs to enable the OpenSSL 3.0 Legacy provider by setting: NODE_OPTIONS=--openssl-legacy-provider For more info, see: - webpack/webpack#14532 - nodejs/node#40455 - nodejs/node#40948

VoltrexKeyva added the openssl Issues and PRs related to the OpenSSL dependency. label Nov 25, 2021

herbrechtsmeier added a commit to weidmueller/node that referenced this issue Mar 11, 2022

src: load OpenSSL 3.0 Legacy provider

cd6129b

Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3 to be compatible with older OpenSSL major versions and resolve nodejs#40948.

richardlau mentioned this issue May 4, 2022

End-of-Life dates of Node.js 16 and OpenSSL 1.1.1 do not align nodejs/TSC#1222

Closed

richardlau added the v16.x label May 4, 2022

danbev self-assigned this May 5, 2022

danbev mentioned this issue May 5, 2022

[v16.x] src: add --openssl-legacy-provider option #42972

Closed

pimzand mentioned this issue Jun 12, 2022

navidrome build fails when nodejs 16 is built against OpenSSL 3.0 navidrome/navidrome#1768

Closed

targos closed this as completed Jul 18, 2022

tjanez mentioned this issue Mar 17, 2023

Add work-around to ensure building works with Node.js 16+ oasisprotocol/oasis-wallet-ext#305

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support OpenSSL 3.0 Legacy provider in version 16 #40948

Support OpenSSL 3.0 Legacy provider in version 16 #40948

herbrechtsmeier commented Nov 24, 2021

iamahuman commented Jul 11, 2022

targos commented Jul 18, 2022

Support OpenSSL 3.0 Legacy provider in version 16 #40948

Support OpenSSL 3.0 Legacy provider in version 16 #40948

Comments

herbrechtsmeier commented Nov 24, 2021

iamahuman commented Jul 11, 2022

targos commented Jul 18, 2022