Support initializing OpenSSL 1.1 #37772
salt-call fails to run with OpenSSL 1.1:

    Traceback (most recent call last):
      File "/usr/bin/salt-call", line 11, in <module>
        salt_call()
      File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call
        import salt.cli.call
      File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module>
        from salt.utils import parsers
      File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module>
        import salt.config as config
      File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module>
        import salt.utils.sdb
      File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module>
        import salt.loader
      File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module>
        import salt.utils.event
      File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
        import salt.payload
      File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
        import salt.crypt
      File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module>
        import salt.utils.rsax931
      File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module>
        libcrypto = _init_libcrypto()
      File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto
        libcrypto.OPENSSL_no_config()
      File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__
        func = self.__getitem__(name)
      File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__
        func = self._FuncPtr((name_or_ordinal, self))
    AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config

OpenSSL 1.1 replaced the symbols OPENSSL_no_config and OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these definitions:

    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
                        | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)

These definitions can only be used when compiling the source code, but not when loading the symbols dynamically. Thus salt needs to adapt the initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which was introduced in OpenSSL 1.1) and fall back to the previous behavior for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found).

You can easily reproduce the issue on Debian unstable by running apt install salt-master salt-call

Bug-Debian: https://bugs.debian.org/844503
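The fallback described above, sketched with ctypes as an added example (this is not the code from this pull request or from Salt). `init_libcrypto` and `load_libcrypto` are hypothetical names; the flag values are the ones OpenSSL 1.1 defines in `<openssl/crypto.h>`.

```python
import ctypes
import ctypes.util

# Option flags as defined in OpenSSL 1.1's <openssl/crypto.h>.
OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004
OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008
OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080


def init_libcrypto(lib):
    """Initialise a loaded libcrypto; return which path was taken.

    `lib` is a ctypes.CDLL (or any object exposing the same symbols).
    """
    try:
        # ctypes resolves symbols lazily: a missing export raises
        # AttributeError here, which is how OpenSSL <= 1.0 is detected.
        init = lib.OPENSSL_init_crypto
    except AttributeError:
        # Legacy path (OpenSSL 1.0 and older): these are real exported
        # functions there, but only macros in the 1.1 headers.
        lib.OPENSSL_no_config()
        lib.OPENSSL_add_all_algorithms_noconf()
        return "legacy"

    # OpenSSL 1.1 path: the two calls the old names now expand to.
    # The first argument is a uint64_t, the second a NULL settings pointer.
    for opts in (
        OPENSSL_INIT_NO_LOAD_CONFIG,
        OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS,
    ):
        if init(ctypes.c_uint64(opts), None) != 1:  # 1 means success
            raise OSError("OPENSSL_init_crypto(0x%x) failed" % opts)
    return "init_crypto"


def load_libcrypto():
    """Locate and load the system libcrypto (assumes one is installed)."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        raise OSError("libcrypto not found")
    return ctypes.CDLL(name)


if __name__ == "__main__":
    print(init_libcrypto(load_libcrypto()))
```

Probing for the symbol rather than parsing a version string keeps the check valid for any libcrypto build that exports `OPENSSL_init_crypto`.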
I confirm that I would need such a pull request, I cannot install stack on all devices running Debian unstable for 3 days. Thank you!
+1 Nitpicking: All this misses is maybe a comment around the OpenSSL 1.1 init calls to make it easy for others to find and update just in case OpenSSL 1.1 initialization API isn't as stable as we think today, and also to help identify the legacy OpenSSL init in case the old OpenSSL gets deprecated for security reasons. Otherwise I love this.
Seems this didn't make it into 2016.11.0. RC2 was working fine, though.
Correction: Just got openssl-1.1 at the same time. RC2 is affected, too.
Can we get this added to 2016.11.x? @rallytime
In fact, it already is. It just hasn't been released, yet.
While here, fix OpenSSL 1.1 compatibility

PR: 214786
PR: 214998
PR: 215051
Submitted by: Christer Edwards <christer.edwards@gmail.com> (maintainer)
Reported by: Melvyn Sopacua <m.r.sopacua@gmail.com> (214998)
Obtained from: saltstack/salt#37772 (215051)

git-svn-id: svn+ssh://svn.freebsd.org/ports/head@427901 35697150-7ecd-e111-bb59-0022644237b5
Yeah, this has already been merged-forward to 2016.11. It will be available in the 2016.11.1 release.