This repository has been archived by the owner on Sep 8, 2021. It is now read-only.

`OPENSSL_1.0.2' not found #35

Open
dirkritters opened this issue May 14, 2019 · 7 comments

Comments

@dirkritters
When building the PHP 7.1 Layer and using it on Lambda, I receive the following error from Lambda:

/opt/bin/php: /lib64/libcrypto.so.10: version `OPENSSL_1.0.2' not found (required by /opt/bin/php)

php71.zip is compiled with your make-script on AWS Linux

@txase
Member

txase commented May 14, 2019

It's possible this is related to: https://aws.amazon.com/blogs/compute/upcoming-updates-to-the-aws-lambda-execution-environment/. In short, we may need to build against a new lambci docker image that is updated for the new Lambda OS layer.

@dirkritters Can you try updating the build script to see if using the lambci/lambda:build-provided layer fixes things?

@dirkritters
Author

I will try this tomorrow. What looks strange to me: when getting the OpenSSL version of the AWS Linux AMI it's 1.0.2; when doing the same on Lambda it's 1.0.1. I always thought that underneath Lambda, AWS is using the AWS Linux.

@dirkritters
Author

Just tried it: same problem. The Lambda-Build-Provided Layer comes with OpenSSL in version 1.0.2k-fips 26 Jan 201 whilst the underlying system of AWS-Lambda at location Frankfurt only offers 1.0.1. But PHP 7.X relies on the OpenSSL version it was built with.

@txase
Member

txase commented May 14, 2019

Can you try this, to confirm that it's unrelated to the OS updates: Add a second layer to your function with the arn: arn:aws:lambda:::awslayer:AmazonLinux1703. If this fixes things, then it's related to the OS updates.

@dirkritters
Author

I will test this today. But just to clarify: when you compile the layers on your side (e.g. arn:aws:lambda::887080169480:layer:php71:9), what OpenSSL version do you compile against? When I unpack the lambci/lambda:build-nodejs8.10, it doesn't supply any OpenSSL. So I think Docker takes it from the local installation when starting the container.

@txase
Member

txase commented May 15, 2019

When you build the layer, it installs all the dependency packages from a few RPM repositories. The OpenSSL libraries likely are installed as part of the dependencies. It shouldn't have anything to do with the version of OpenSSL running on the local machine hosting Docker.

What has possibly happened is a divergence between the libraries available from the PHP Remi repos and what is available in the Lambda environment. That said, the Lambda environment is changing over the next month, so we'll need to refigure this all out...

@dirkritters
Author

You are right, the OpenSSL comes with the PHP-Repo as a dependency. What I found out: Depending on what runtime you choose, AWS Lambda has OpenSSL 1.0.1 or 1.0.2 installed. When you choose custom runtime at Frankfurt location, you'll get an underlying machine with openSSL 1.0.1 - when you choose Python 3.7 you'll get one with OpenSSL 1.0.2 installed. And I found a way to compile a PHP-Layer for each of them. If you need one for OpenSSL 1.0.1 (as I did) you have to add/change the build.sh-Script like:

yum -y --releasever=2017.03 downgrade libcurl curl openssh libcurl-devel openssh-clients python27-libs python36-libs python27 python27-devel # these have to be downgraded in the docker container, as they all rely on OpenSSL 1.0.2 in the actual installation
yum -y remove python36-libs # a "far enough" downgrade with those repos from 2017.03 to make it run with OpenSSL 1.0.2 is not possible - so remove it.
yum -y --releasever=2017.03 downgrade openssl-devel-1.0.1k openssl-1.0.1k
yum -y --releasever=2017.03 install php71-mbstring.x86_64 zip php71-pgsql php71-mysqli # it's very important to use the PHP 7.1 installation from the same repo, as it would load OpenSSL 1.0.2 otherwise as a dependency

The Version for OpenSSL 1.0.2 compiles without any changes of the build.sh as the actual repos all come with the dependency on that OpenSSL version.

Now it's running on my side. But that might help others having the same issues.
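
The mismatch discussed in this thread can be caught before a layer is deployed by comparing the symbol versions the binary requires with the ones the runtime's library defines. The following is an added example, not part of the original thread or the project's build script; the two `objdump -p` dumps are constructed samples with placeholder hash values, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: `objdump -p` of a php binary built against OpenSSL 1.0.2.
PHP_DUMP='Dynamic Section:
  NEEDED               libcrypto.so.10
  NEEDED               libc.so.6

Version References:
  required from libcrypto.so.10:
    0x066a2b20 0x00 05 OPENSSL_1.0.2
    0x0d6e1ea0 0x00 04 libcrypto.so.10
  required from libc.so.6:
    0x09691a75 0x00 02 GLIBC_2.2.5'

# Constructed sample: `objdump -p` of libcrypto.so.10 from an OpenSSL 1.0.1 runtime.
LAMBDA_CRYPTO_DUMP='Version definitions:
1 0x01 0x0a3b5c30 libcrypto.so.10
2 0x00 0x0d6e1ea0 libcrypto.so.10
3 0x00 0x066a2b21 OPENSSL_1.0.1
    libcrypto.so.10
4 0x00 0x02b21533 OPENSSL_1.0.1_EC
    OPENSSL_1.0.1'

# stdin: objdump -p of the binary; prints versions listed under "required from <lib>:".
required_versions() {
    awk -v lib="$1" '
        /^Version References:/      { in_refs = 1; next }
        in_refs && /^[^ \t]/        { in_refs = 0 }
        in_refs && /required from / { want = ($3 == (lib ":")); next }
        in_refs && want && NF == 4  { print $4 }'
}

# stdin: objdump -p of the shared library; prints the version names it defines.
defined_versions() {
    awk '
        /^Version definitions:/        { in_defs = 1; next }
        in_defs && /^[^ \t0-9]/        { in_defs = 0 }
        in_defs && /^[0-9]/ && NF == 4 { print $4 }'
}

# missing_versions <lib> <binary dump> <library dump>
# Prints every version the binary requires from <lib> that the library lacks.
missing_versions() {
    defs=$(printf '%s\n' "$3" | defined_versions)
    printf '%s\n' "$2" | required_versions "$1" | grep -vxF -e "$defs" || true
}

# Real use (paths from the error message in this thread):
#   missing_versions libcrypto.so.10 "$(objdump -p /opt/bin/php)" \
#                                    "$(objdump -p /lib64/libcrypto.so.10)"
missing_versions libcrypto.so.10 "$PHP_DUMP" "$LAMBDA_CRYPTO_DUMP"
```

Any output means the dynamic loader in the target environment will refuse to start the binary with the "version not found" error shown at the top of this issue.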
