Investigate loading legacy provider with OpenSSL 3.0 #40455
Comments
@danbev It looks like we don't build at least
@richardlau Thanks, I'll take a look. These gypi files are generated and perhaps we are missing, or reading the wrong source list from, configdata.pm.
This commit adds a missing OpenSSL 3.0 source file, legacyprov.c. Refs: nodejs#40455
This commit adds a configuration time flag to enable the OpenSSL legacy module to be built. For example, the following will build the legacy module:

$ ./configure --openssl-legacy-module

To enable the default provider one currently has to update the OpenSSL configuration file, openssl.cnf:

[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1

This module can then be used by specifying the environment variable OPENSSL_MODULES like this:

$ env OPENSSL_MODULES= \
  $PWD/out/Release/obj.target/deps/openssl/lib/openssl-modules \
  OPENSSL_CONF=out/Release/obj.target/deps/openssl/openssl.cnf \
  ./node -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }

Refs: nodejs#40455
FWIW This hack appears to allow the legacy provider to be statically compiled and loaded:
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
index 46cc9b2b4a..13b6d6eb96 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
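Review bot: this openssl.gypi is a generated file (the thread notes the source lists come from configdata.pm via generate_gypi.pl), so hand-inserting 'openssl/providers/legacyprov.c' here will be lost the next time the gypi files are regenerated; fix the source list in the generator and regenerate instead. The same applies to the identical hunks for the asm_avx2 and no-asm variants below, and only the linux-x86_64 configs are touched here, so the other arch directories would be left without the file.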
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
index cb90c57338..4f5a640dd8 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
index 647092c410..279a4d27c3 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
@@ -782,6 +782,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 4d4e6f2801..d178ffaa61 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -29,6 +29,7 @@
# is able to create a malicious DLL in one of the default search paths.
'OPENSSL_NO_HW',
'OPENSSL_API_COMPAT=0x10100001L',
+ 'STATIC_LEGACY',
#'OPENSSL_NO_DEPRECATED',
],
'conditions': [
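Review bot: 'STATIC_LEGACY' is added to the unconditional defines list, so every build compiles the legacy provider into libcrypto whether or not the embedder wants MD4-era algorithms present; move it into the 'conditions' block that follows and key it on a configure variable (the thread later adds --openssl-legacy-module for exactly this) so the default build is unchanged. A short comment above the define, like the one preceding 'OPENSSL_NO_HW', explaining why the legacy provider is linked statically would also help the next reader.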
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 7e0c8ba3eb..c1fe6fb6ac 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -170,6 +170,16 @@ void InitCryptoOnce() {
ENGINE_load_builtin_engines();
#endif // !OPENSSL_NO_ENGINE
+#if OPENSSL_VERSION_MAJOR >= 3
+ // Put behind a flag?
+ {
+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+ if (legacy_provider == nullptr) {
+ fprintf(stderr, "Unable to load legacy provider.\n");
+ }
+ }
+#endif
+
NodeBIO::GetMethod();
}
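Review bot: the legacy provider is loaded unconditionally in InitCryptoOnce, which the `// Put behind a flag?` comment already questions; gate it on an option (the --openssl-legacy-provider CLI option later in this thread does that), since it re-enables algorithms such as MD4 for every program run on this binary. Two more things to check in this hunk: under OpenSSL 3, explicitly loading any provider with OSSL_PROVIDER_load disables the implicit fallback loading of the default provider, so unless the default provider is activated via the OpenSSL config the standard algorithms may stop resolving, meaning "default" should be loaded alongside "legacy" or the config path verified; and the failure branch prints only a fixed string, so emitting the OpenSSL error queue as well (e.g. ERR_print_errors_fp(stderr)) would let a missing OPENSSL_MODULES path be diagnosed.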
I'm not entirely sure how to get
This commit adds an option to Node.js named --openssl-legacy-module and, if specified, will load the OpenSSL 3.0 legacy provider.

$ ./node --help
...
--openssl-legacy-module enable OpenSSL 3.0 legacy module

Example usage:

$ ./node --openssl-legacy-module -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Co-authored-by: Richard Lau <rlau@redhat.com>
Refs: nodejs#40455
This sounds good to me and if we can do that and not have to mess around with openssl.cnf that is great.
Yeah, I was not sure about this either. We need to add this to generate_gypi.pl. The easiest way to try this out is to update that file and then run I've opened a pull request based on your suggestion: #40478. I've added you as co-author, which I hope is alright.
This commit adds an option to Node.js named --openssl-legacy-provider and, if specified, will load the OpenSSL 3.0 legacy provider.

$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

Example usage:

$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Co-authored-by: Richard Lau <rlau@redhat.com>
Refs: nodejs#40455
This commit adds an option to Node.js named --openssl-legacy-provider and, if specified, will load the OpenSSL 3.0 legacy provider.

$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

Example usage:

$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Co-authored-by: Richard Lau <rlau@redhat.com>
Refs: #40455
PR-URL: #40478
Refs: #40455
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Modify the build matrix to add Node 17 to the environments under test. The GCC setup from Node 16 is reused here. As a workaround for a bug caused by Node 17 switching to OpenSSL 3, we add the `--openssl-legacy-provider` option to the `NODE_OPTIONS` environment variable. See [this node issue][node] and [this webpack issue][webpack] for details. [node]: nodejs/node#40455 [webpack]: webpack/webpack#14532
This commit adds an option to Node.js named --openssl-legacy-provider and, if specified, will load the OpenSSL 3.0 legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0.

Building:

$ ./configure --shared-openssl \
    --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
    --shared-openssl-includes=/path/openssl_quic-3.0/include \
    --shared-openssl-libname=crypto,ssl
$ make -j8

Verify the option is available:

$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

Usage:

$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Fixes: nodejs#40948
Refs: nodejs#40455
PR-URL: nodejs#40478
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This commit adds an option to Node.js named --openssl-legacy-provider and, if specified, will load the OpenSSL 3.0 legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0.

Building:

$ ./configure --shared-openssl \
    --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
    --shared-openssl-includes=/path/openssl_quic-3.0/include \
    --shared-openssl-libname=crypto,ssl
$ make -j8

Verify the option is available:

$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

Usage:

$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Fixes: #40948
Refs: #40455
PR-URL: #40478
Backport-PR-URL: #42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
use nodejs 17, which supports the --openssl-legacy-provider option, which seems to be needed for openssl3. This option is not backported to nodejs 16.

ref: webpack/webpack#14532
ref: nodejs/node#40455
This commit adds an option to Node.js named --openssl-legacy-provider and, if specified, will load the OpenSSL 3.0 legacy provider when dynamically linking Node.js v16.x with OpenSSL 3.0.

Building:

$ ./configure --shared-openssl \
    --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
    --shared-openssl-includes=/path/openssl_quic-3.0/include \
    --shared-openssl-libname=crypto,ssl
$ make -j8

Verify the option is available:

$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

Usage:

$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Fixes: nodejs/node#40948
Refs: nodejs/node#40455
PR-URL: nodejs/node#40478
Backport-PR-URL: nodejs/node#42972
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Node.js 16+ supports dynamically linking with OpenSSL 3.0; however, that results in an 'error:0308010C:digital envelope routines::unsupported' error. To work around that with the legacy Webpack 4.0 we use, one needs to enable the OpenSSL 3.0 legacy provider by setting:

NODE_OPTIONS=--openssl-legacy-provider

For more info, see:
- webpack/webpack#14532
- nodejs/node#40455
- nodejs/node#40948
In my case I had some webpack commands which failed and would need a NODE_OPTIONS setting for every command/task, which looks ugly:
So I was looking for a solution for how to set this "globally", at least per project.
After reading the documentation, it seems that we can set node options this way: So when I add the following to my
Maybe this helps someone else migrating from Node 14/16 to Node >16.
PS D:\Work Area------\admin> ng serve
Error: error:0308010C:digital envelope routines::unsupported
Node.js v18.19.1
I'm facing this issue in Angular, even though it's Node v20.
I thought it would be possible to enable it by updating openssl.cnf like this:
But that does not work:
This issue should take a closer look at how the legacy provider can be enabled.
Refs: #40119 (comment)