openssl 3.0.0 compatible erlang version

[satya-rajesh]

While compiling observed that erlang is not compatible with openssl 3.0.0.

Erlang is using deprecated APIs which are not present in openssl 3.0.0 (alpha).

Build status:
Build Failed due to RSA_, HMAC_, ENGINE_* etc deprecated APIs

Please provide erlang release compatible to openssl 3.0.0

[HansN]

Yes, support for OpenSSL 3.0 API is planned, but not before OTP-25.0.

[satya-rajesh]

Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library: '/usr/lib/erlang/lib/crypto-4.8/priv/lib/crypto.so: undefined symbol: FIPS_mode'"

FIPS_mode APIs will be deprecated in openssl 3.0.0 and will no longer be compatible for erlang

[satya-rajesh]

erlang team,
since openssl beta1 is released, could we have the milestone for the erlang release ?

[ymtszw]

For Homebrew users in mac:

openssl@3 is now installed if you invoke brew install openssl (without explicit version) and is linked to /usr/local/opt/openssl, which is one of the predefined standard locations of openssl.
In that situation, due to the FIPS_mode related error posted above, build of erlang/otp 24.0.6 (presumably other versions too) with crypto/ssl/ssh will fail.

For now we need to use --with-ssl=$(brew --prefix openssl@1.1) option (when using brew with kerl or asdf-erlang)

• I would avoid manually linking from /usr/local/opt/openssl to openssl@1.1 since it is Homebrew-managed symlink
• For asdf-erlang users see readme section about this issue

[Neustradamus]

To follow this ticket.

[HansN]

The crypto app in OTP can now be compiled, linked and used with the new OpenSSL 3.0 cryptolib.

The fix is merged to maint and master, and will be released in OTP-24.2 currently scheduled for the middle of December.

It has not yet been extensively tested and is not recommended for other usages than experiments and alpha testing. There are no guaranties that it works, not even together with other OTP applications like for example SSL and SSH, although there are no known errors.

Compiling and linking with OpenSSL 3.0 cryptolib in compatibility modes (for example to behave as 1.1.1) are not tested. It is not tested with external providers nor FIPS mode.

Deprecated functions in the OpenSSL 3.0 cryptolib must not be disabled as OTP/crypto still uses some of the deprecated API functions. The gcc flag -Wno-deprecated-declarations is set to prevent deprecation warnings to be printed when compiling.

The plan is now to gradually increase testing and to replace the deprecated APIs.

As usual are comments, error reports and pull requests welcome!

[HansN]

This first support will be released soon in OTP-24.2 and more later in OTP-24.3

[thiagomajesk]

I found the following cryptic error message using OTP version 24.2 in an Elixir application today:

** (MatchError) no match of right hand side value {:error, "Erlang error: :notsup"}

We solved it by upgrading the OTP version to 24.3.4, which seems to support OpenSSL v3 already.

[martasd]

Can we update the installation instructions to remove the the part advising to pin OpenSSL to version 1.1? Erlang 25.2.2 compiles fine for me with OpenSSL 3 now.