[OpenSSL 3.0 Support] - Current WinRM version does not support the latest OpenSSL version #340
Comments
|
FWIW, OpenSSL 1.1.x is EOL in September. |
|
Any updates on this fix? |
|
@mglogowski1 I don't think anything in the |
|
If I've caught up correctly, Ruby's So, I think it should be possible to update |
|
While using Ruby 3.3, I was able to resolve the issue with the gem by following these steps:
This process made the gem functional again for me. |
|
@smallfield i need to test this with the new AWS Codebuild Images. |
When running on stock Ruby >= 3.1, Bolt (running as a gem) cannot connect to Windows via WinRM. This is due to one of Bolt's dependencies, the WinRM gem, using a legacy cryptographic algorithm (MD4) no longer supported by newer versions of Ruby and OpenSSL.[1] Because of this incompatibility and the general recommendation to use a Bolt package rather than using Bolt as a gem[2], this commit removes Bolt from the project Gemfile and updates the environment variable used for task tests from GEM_BOLT to BOLT_TESTS. [1] WinRb/WinRM#340 [2] https://www.puppet.com/docs/bolt/latest/bolt_installing#install-bolt-as-a-gem
When running on stock Ruby >= 3.1, Bolt (running as a gem) cannot connect to Windows via WinRM. This is due to one of Bolt's dependencies, the WinRM gem, using a legacy cryptographic algorithm (MD4) no longer supported by newer versions of Ruby and OpenSSL.[1] Because of this incompatibility and the general recommendation to use a Bolt package rather than using Bolt as a gem[2], this commit removes Bolt from the project Gemfile and updates the environment variable used for task tests from GEM_BOLT to BOLT_TESTS. [1] WinRb/WinRM#340 [2] https://www.puppet.com/docs/bolt/latest/bolt_installing#install-bolt-as-a-gem
Internally, we have seen task acceptance tests start to fail when running Bolt as a gem on newer versions of Ruby with Windows targets. When running on stock Ruby >= 3.1, Bolt (running as a gem) cannot connect to Windows via WinRM. This is due to one of Bolt's dependencies, the WinRM gem, using a legacy cryptographic algorithm (MD4) no longer supported by newer versions of Ruby and OpenSSL.[1] Because of this incompatibility and the general recommendation to use a Bolt package rather than using Bolt as a gem[2], this commit removes Bolt from the project Gemfile and updates the environment variable used for task tests from GEM_BOLT to BOLT_TESTS. [1] WinRb/WinRM#340 [2] https://www.puppet.com/docs/bolt/latest/bolt_installing#install-bolt-as-a-gem
|
This should be addressed in rubyntlm v0.6.4 which was released yesterday. Thanks |
Hello @pmorton @sneal @mwrock
after the latest update of OpenSSL version to OpenSSL 3.0.x, WinRM component is not working anymore as intended. It occurs because with the latest OpenSSL version, maintainers decided to keep disable by default legacy protocols.
In particular, for some tools leveraging WinRM, as Evil-WinRM, when they call the WinRM component, an OpenSSL error arises.
The detailed explanation and reproduction of the issue is here: BlackArch/blackarch#3593
According to https://bugs.archlinux.org/task/76653?project=1&order=dateopened&sort=desc the user "loqs" states the following:
"NTLM v1 Authentication uses md4 [1]. The ruby ntlm gem as used by winrm uses the openssl gem to provide md4 [2]. With OpenSSSL 3 md4 in the legacy provider which is not enabled by default.
The ruby openssl gem does not currently provide a method to load a provider [3] so the provider has to be loaded using OpenSSL's configuration file.
Assuming evil-winrm / winrm are not run set-user-ID or set-group-ID the environment variable the environment variable OPENSSL_CONF can be used to specify an alternate location for OpenSSL's config. This avoids changing the default configuration. The variable can in set in a script file that then calls the real executable.
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/464551a8-9fc4-428e-b3d3-bc5bfb2e73a5?redirectedfrom=MSDN
[2] https://github.com/macks/ruby-ntlm/blob/323ef447c04e130a31940fa6dabe96607677c22b/lib/ntlm/util.rb#L77
[3] https://github.com/ruby/openssl/issues/567"
Could you please add the support to OpenSSL 3.0.x for WinRM component please?
Thank you in advance.
The text was updated successfully, but these errors were encountered: