OpenSSL version 3.0.0-alpha1 published

Richard Levitte levitte at openssl.org
Fri May 1 04:27:32 UTC 2020


On Fri, 01 May 2020 01:22:34 +0200,
Sam Roberts wrote:
> 
> On Fri, Apr 24, 2020 at 9:07 AM Nicola Tuveri <nic.tuv at gmail.com> wrote:
> > At https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers there was already an example of how to do this programmatically, and a link to the manpage for the config file syntax.
> 
> That's not working for me:
> 
> Failed to load Legacy provider: error:25000067:DSO support
> routines::could not load the shared library
> /home/sam/w/core/tls/./node[26693]: ../../src/node_crypto.cc:6804:void
> node::crypto::InitCryptoOnce(): Assertion `"Unreachable code reached"'
> failed.
>  1: 0x557630598d84 node::Abort() [/home/sam/w/core/tls/./node]
> 
> From:
>   /* Load Multiple providers into the default (NULL) library context */
>   auto legacy = OSSL_PROVIDER_load(0, "legacy");
>   if (legacy == nullptr) {
>     unsigned long err = ERR_get_error();
>     fprintf(stderr, "Failed to load Legacy provider: %s\n",
>             ERR_error_string(err, nullptr));
>     UNREACHABLE();
>   }
>   auto deflt = OSSL_PROVIDER_load(0, "default");
>   if (deflt == nullptr) {
>     unsigned long err = ERR_get_error();
>     fprintf(stderr, "Failed to load Default provider: %s\n",
>             ERR_error_string(err, nullptr));
>     OSSL_PROVIDER_unload(legacy);
>     UNREACHABLE();
>   }
> 
> 
> I notice that the legacy.so isn't in the same folder as the other .so
> files, so I tried:
> 
> LD_LIBRARY_PATH=/usr/local/stow/openssl-3.0.0-alpha1/lib:/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules
> 
> But that didn't work.
> 
> It looks like adding this did work:
> 
> OSSL_PROVIDER_set_default_search_path(0,
>        "/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules");
> 
> What are the default values? I built with prefix set to /usr/local,
> but then installed to the DESTDIR directory above; is that what caused
> me trouble?

You can find out the default value with 'openssl info -modulesdir'.
Yes, running from the DESTDIR "installation" gets you into trouble.
DESTDIR is intended to be a staging directory, i.e. a place to put
files that you want to put in an archive or package for more proper
(distributed) installation in the right place.  It can be used for
testing, of course, but you then need to know a little more about what
you're doing.

I suggest having a look at doc/man7/openssl-env.pod, it contains a
complete enough catalogue of diverse environment variables that you
can use to affect OpenSSL's internal behaviour.  OPENSSL_MODULES is of
particular interest in this case.

Suggested command to read a .pod file comfortably:

    perldoc -o man doc/man7/openssl-env.pod

I suspect, btw, that people might wonder why we install provider modules
separately from engines.  The simple reason is that they are very
different beasts, but the major one is that provider modules are
intended to be fairly OpenSSL version agnostic, by design.  Engines
are unfortunately not version agnostic at all, acutely so since
OpenSSL 1.1.0.  So while provider modules do not need to be updated
for every OpenSSL version, engines do.

Cheers,
Richard

> 
> Cheers,
> Sam
> 
> 
> 
> > I just added also a minimal config file example to load both the default and the legacy provider in the default library context.
> >
> >
> > Cheers,
> >
> > Nicola
> >
> > On Fri, 24 Apr 2020 at 17:56, Sam Roberts <vieuxtech at gmail.com> wrote:
> >>
> >> On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell <matt at openssl.org> wrote:
> >> > This one is interesting:
> >> >
> >> > ERR_OSSL_EVP_FETCH_FAILED
> >> >
> >> >
> >> > This means that the algorithm you are trying to use isn't available in
> >> > the loaded providers. Since you should be getting the default provider
> >> > loaded automatically it could be because some legacy algorithms were
> >> > moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> >> > (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> >> > using something from that list then that would explain it.
> >>
> >> Can we add the legacy provider, via configuration, or via code?
> 
-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/