Cannot use Openssl 1.1.1f with netty-tcnative, we get UnsatisfiedLinkError: .. libssl.so.1.0.0 #551

Open
keshava88 opened this issue Jun 9, 2020 · 6 comments

keshava88 commented Jun 9, 2020

We have an application that uses netty to build an SSL context with OpenSSL as the SSL provider.
We are planning to upgrade from OpenSSL 1.1.0 to OpenSSL 1.1.1 to get TLS 1.3 support.

So we tried setting up a server SSL context using OpenSSL 1.1.1 on an Ubuntu 20.04 Linux release and we are getting the errors below:

Suppressed: java.lang.UnsatisfiedLinkError: /tmp/libnetty_tcnative6745395350932048529.so: libssl.so.1.0.0: cannot open shared object file: No such file or directory

The full stacktrace is here https://github.com/keshava88/netty-tcnative-with-openssl1.1.1f/blob/master/tls1.3/src/test/resources/stacktrace
also attached here
stacktrace.txt

The TLS server code is here (it is based on netty's secure chat example) https://github.com/keshava88/netty-tcnative-with-openssl1.1.1f/blob/master/tls1.3/src/main/java/tls/securechat/SecureChatServer.java
also attached here SecureChatServer.java.txt

The installed libraries in the ubuntu machine are below

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ sudo apt list --installed  | grep -i libssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libssl-dev/focal,now 1.1.1f-1ubuntu2 amd64 [installed]
libssl1.1/focal,now 1.1.1f-1ubuntu2 amd64 [installed]
$ sudo apt list --installed  | grep -i apr

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libapr1-dev/focal,now 1.6.5-1ubuntu1 amd64 [installed]
libapr1/focal,now 1.6.5-1ubuntu1 amd64 [installed]
libaprutil1/focal,now 1.6.1-4ubuntu2 amd64 [installed]

Following are the netty dependencies I am using:

<dependency>
	<groupId>io.netty</groupId>
	<artifactId>netty-tcnative</artifactId>
	<classifier>linux-x86_64</classifier>
	<version>2.0.30.Final</version>
</dependency>
<dependency>
	<groupId>io.netty</groupId>
	<artifactId>netty-handler</artifactId>
	<version>4.1.50.Final</version>
</dependency>
<dependency>
	<groupId>io.netty</groupId>
	<artifactId>netty-transport</artifactId>
	<version>4.1.50.Final</version>
</dependency>

What is it that I am missing here? Why is tcnative looking for libssl.so.1.0.0? It should look for libssl1.1.so, right?

@hyperxpro
Contributor

You're using a dynamically linked version of netty-tcnative. Did you successfully complete the build process?

@lostk1ng

I have the same problem with the newest version. Do you have any idea how to solve this?


dlorych commented Sep 15, 2021

Depends on what you are trying to solve...
If it is enabling TLSv1.3, the viable workaround is to use netty-tcnative-boringssl-static, which is a statically linked version of the library using BoringSSL instead of OpenSSL. You can have a look at these docs: https://netty.io/wiki/forked-tomcat-native.html

If it is enabling OpenSSL 1.1 specifically, then someone would have to contribute to the project. Due to breaking changes in the OpenSSL API between 1.0 and 1.1, either another netty-tcnative version for dynamically linked OpenSSL 1.1 should be created, or some kind of adapter which could handle different API versions of OpenSSL (but I'm not an expert on JNI bindings at all, so that possibly makes no sense).

@lostk1ng

> Depends on what you are trying to solve...
> If it is enabling TLSv1.3, the viable workaround is to use netty-tcnative-boringssl-static, which is a statically linked version of the library using BoringSSL instead of OpenSSL. You can have a look at these docs: https://netty.io/wiki/forked-tomcat-native.html
>
> If it is enabling OpenSSL 1.1 specifically, then someone would have to contribute to the project. Due to breaking changes in the OpenSSL API between 1.0 and 1.1, either another netty-tcnative version for dynamically linked OpenSSL 1.1 should be created, or some kind of adapter which could handle different API versions of OpenSSL (but I'm not an expert on JNI bindings at all, so that possibly makes no sense).

Thanks for your reply. I have enabled TLSv1.3 successfully with netty-tcnative-boringssl-static.

However, I still have some questions about enabling OpenSSL 1.1.1 with netty-tcnative. I found the following post and merge:
https://netty.io/news/2018/10/30/4-1-31-Final.html
https://github.com/netty/netty-tcnative/pull/389/files

Does it mean netty-tcnative in the Maven Central repo already supports OpenSSL 1.1.1? Or do I have to compile netty-tcnative myself with some configuration, or change the code?


dlorych commented Sep 16, 2021

Ok, you're right, JNI bindings are ready for it.

In that case, as I understand:
It looks like the netty-tcnative (openssl-dynamic) artifact is built against OpenSSL 1.0 - have a look at the Docker files describing the build.

I can see two ways to solve that:

  • use the openssl-static project to build the library with your version of OpenSSL. See the How to build section of https://netty.io/wiki/forked-tomcat-native.html#wiki-h2-7 (I haven't run through that myself).
  • modify the build pipelines (one of the Docker files) to download the latest version of OpenSSL and try to build against that (I haven't tested it though)

It would be interesting to get in touch with the maintainer to get more information about the official build pipeline - which Dockerfile is used for the official release... and also about a possible contribution with changes.
It will require an update of the netty Wiki and possibly a new minor (or even major) version, as a new release built against OpenSSL 1.1 could potentially break existing systems.
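
The linkage discussed in this thread (a library requesting libssl.so.1.0.0 on a host that only has the libssl1.1 package) can be confirmed from the library's dynamic section. The following is an added example, not part of the thread or of netty-tcnative's own tooling; the function names and the embedded readelf/ldconfig text are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the shared-library sonames a native library requests
# (its DT_NEEDED entries) that the loader cache on this host cannot supply.

# Read `readelf -d` output on stdin; print one requested soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# Read `ldconfig -p` output on stdin; print the sonames present in the cache.
cached_sonames() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\) (.*) => .*/\1/p'
}

# missing_sonames READELF_TEXT LDCONFIG_TEXT
# Print every requested soname that has no exact match in the cache.
missing_sonames() {
    cache=$(printf '%s\n' "$2" | cached_sonames)
    printf '%s\n' "$1" | needed_sonames | while IFS= read -r so; do
        printf '%s\n' "$cache" | grep -Fxq -- "$so" || printf '%s\n' "$so"
    done
}

# Constructed sample (not captured from a real system): a library linked
# against the OpenSSL 1.0 sonames, on a host that only ships the 1.1 ones.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)  Shared library: [libapr-1.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_LDCONFIG='    libapr-1.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libapr-1.so.0
    libssl.so.1.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.1.1
    libcrypto.so.1.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcrypto.so.1.1
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

if [ "$#" -gt 0 ]; then
    # Real use: pass the path of the .so to inspect.
    missing_sonames "$(readelf -d "$1")" "$(ldconfig -p)"
else
    missing_sonames "$SAMPLE_READELF" "$SAMPLE_LDCONFIG"
fi
```

The loader cache does not reflect an RPATH or LD_LIBRARY_PATH, so for a library linked with -rpath against an OpenSSL in a custom prefix, run `ldd` on the built file to see what actually resolves.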


SercanKaraoglu commented Feb 27, 2024

Netty with OpenSSL 1.1.1 support is a bit tricky now

I wanted to provide a few suggestions on how you can get this working:

First, make sure you have OpenSSL 1.1.1 installed from source in a custom location:

./config --prefix=/opt/openssl/1.1.1e
make && sudo make install

You are going to need to install APR as well:

yum install -y apr-devel

Then when building netty-tcnative, set the compile flags to point the build to this custom OpenSSL:

export CPPFLAGS="-I/opt/openssl/1.1.1e/include"
export LDFLAGS="-Wl,-rpath=/opt/openssl/1.1.1e/lib -L/opt/openssl/1.1.1e/lib -lssl -lcrypto -lcrypto_mb -lIPSec_MB"

This will make sure the headers and libraries are picked up from that prefix path.
Finally, you can build netty-tcnative against this:

mvn -Dmaven.javadoc.skip=true clean install -am -pl openssl-dynamic -DaprArmHome=/usr/local/apr -DopensslArmHome=/opt/openssl/1.1.1e

Then basically all you need is to reference the locally built snapshot version in your application:

<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative</artifactId> 
  <version>2.0.64.Final-SNAPSHOT</version>
</dependency>

Hopefully that helps! Let me know if you'd like any clarification or have additional challenges with this approach!
