Support OpenSSL 3.0 Legacy provider in version 16 #40948

Closed
herbrechtsmeier opened this issue Nov 24, 2021 · 2 comments
@herbrechtsmeier

Node v16 supports dynamically linking with OpenSSL 3.0 (#29817) but doesn't support OpenSSL 3.0 Legacy provider (#40455). Please backport 86d1c0c or always load the legacy provider for OpenSSL 3.0.

@VoltrexKeyva VoltrexKeyva added the openssl Issues and PRs related to the OpenSSL dependency. label Nov 25, 2021
bradbishop pushed a commit to openbmc/webui-vue that referenced this issue Jan 18, 2022
No longer have support for MD4, the default hashFunction.
Mess with webpack to use sha256.

This solution is from:
webpack/webpack#13572 (comment)

And was added to phosphor-webui here:
openbmc/phosphor-webui@8588400

Ideally --openssl-legacy-provider would work as
webpack/webpack#14532 describes but Node 16
supports linking with SSL 3.0 but doesn't support
openssl-legacy-provider. See
nodejs/node#40948.

This should enable the new Yocto bump to pass.

Tested: Build Witherspoon Tacoma with
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48473 and the 3
and this change. The webui looked good.

Change-Id: I66f2cc45af85096f9abe935d269838c6a680bc9b
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
herbrechtsmeier added a commit to weidmueller/node that referenced this issue Mar 11, 2022
Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3
to be compatible with older OpenSSL major versions and resolve nodejs#40948.
herbrechtsmeier added a commit to weidmueller/node that referenced this issue Mar 11, 2022
Load OpenSSL 3.0 Legacy provider if OpenSSL major version isn't below 3
to be inline with older OpenSSL major versions and support the default
hashFunction MD4 of webpack.

Fixes: nodejs#40948
Refs: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
Refs: https://webpack.js.org/plugins/hashed-module-ids-plugin/
herbrechtsmeier added a commit to weidmueller/node that referenced this issue Mar 11, 2022
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
herbrechtsmeier added a commit to weidmueller/node that referenced this issue Mar 11, 2022
@danbev danbev self-assigned this May 5, 2022
juanarbol pushed a commit that referenced this issue Jun 1, 2022
This commit adds an option to Node.js named --openssl-legacy-provider
and if specified will load OpenSSL 3.0 Legacy provider when dynamically
linking Node.js v16.x with OpenSSL 3.0.

Building:
$ ./configure --shared-openssl \
 --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
 --shared-openssl-includes=/path/openssl_quic-3.0/include \
 --shared-openssl-libname=crypto,ssl
$ make -j8

Verify the option is available:
$ ./node --help
...
--openssl-legacy-provider  enable OpenSSL 3.0 legacy provider

Usage:
$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Fixes: #40948

Refs: #40455
PR-URL: #40478
Backport-PR-URL: #42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danbev added a commit to danbev/node that referenced this issue Jun 23, 2022
Fixes: nodejs#40948

Refs: nodejs#40455
PR-URL: nodejs#40478
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
rfrandse pushed a commit to ibm-openbmc/webui-vue that referenced this issue Jun 30, 2022
@iamahuman

If anyone is suffering from this issue on *nix, compiling the following code as a shared library and putting it into the LD_PRELOAD environment variable may work as a stopgap measure:

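```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <dlfcn.h>
#include <pthread.h>
#include <openssl/ssl.h>
#include <openssl/provider.h>

static int (*orig_OPENSSL_init_ssl)(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
static pthread_once_t once = PTHREAD_ONCE_INIT;

/* Runs exactly once: resolve the real OPENSSL_init_ssl and load the legacy provider. */
static void init_once(void)
{
	*(void **)&orig_OPENSSL_init_ssl = dlsym(RTLD_NEXT, "OPENSSL_init_ssl");
	OSSL_PROVIDER_load(NULL, "legacy");
}

/* Interposed via LD_PRELOAD ahead of libssl's OPENSSL_init_ssl. */
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
{
	/* pthread_once blocks concurrent callers until init_once has finished,
	 * so the function pointer is never used before it is set. */
	pthread_once(&once, init_once);
	if (!orig_OPENSSL_init_ssl)
		return 0; /* real symbol not found: report failure */
	return (*orig_OPENSSL_init_ssl)(opts, settings);
}
```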

targos pushed a commit that referenced this issue Jul 18, 2022
Fixes: #40948

Refs: #40455
PR-URL: #40478
Backport-PR-URL: #42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@targos
Member

targos commented Jul 18, 2022

Fixed in #42972

@targos targos closed this as completed Jul 18, 2022
targos pushed a commit that referenced this issue Jul 31, 2022
Fixes: #40948

Refs: #40455
PR-URL: #40478
Backport-PR-URL: #42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
guangwong pushed a commit to noslate-project/node that referenced this issue Oct 10, 2022
Fixes: nodejs/node#40948

Refs: nodejs/node#40455
PR-URL: nodejs/node#40478
Backport-PR-URL: nodejs/node#42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
tjanez added a commit to oasisprotocol/oasis-wallet-ext that referenced this issue Mar 17, 2023
buberdds pushed a commit to buberdds/oasis-wallet-ext that referenced this issue Apr 21, 2023
Node.js 16+ supports dynamically linking with OpenSSL 3.0, however, that
results in 'error:0308010C:digital envelope routines::unsupported' error.

To work-around that with the legacy Webpack 4.0 we use, one needs to
enable the OpenSSL 3.0 Legacy provider by setting:
NODE_OPTIONS=--openssl-legacy-provider

For more info, see:
- webpack/webpack#14532
- nodejs/node#40455
- nodejs/node#40948