Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

openssl 3.0.0 compatible erlang version #4577

Closed
satya-rajesh opened this issue Mar 4, 2021 · 9 comments
Closed

openssl 3.0.0 compatible erlang version #4577

satya-rajesh opened this issue Mar 4, 2021 · 9 comments
Assignees

Comments

@satya-rajesh
Copy link

While compiling observed that erlang is not compatible with openssl 3.0.0.

Erlang is using deprecated APIs which are not present in openssl 3.0.0 (alpha).

Build status:
Build Failed due to RSA_, HMAC_, ENGINE_* etc deprecated APIs

Please provide erlang release compatible to openssl 3.0.0

@HansN
Copy link
Contributor

HansN commented Mar 4, 2021

Yes, support for OpenSSL 3.0 API is planned, but not before OTP-25.0.

@HansN HansN self-assigned this Mar 4, 2021
@HansN HansN added team:PS Assigned to OTP team PS priority:low stalled waiting for input by the Erlang/OTP team labels Mar 4, 2021
@satya-rajesh
Copy link
Author

satya-rajesh commented May 5, 2021

Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library: '/usr/lib/erlang/lib/crypto-4.8/priv/lib/crypto.so: undefined symbol: FIPS_mode'"

FIPS_mode APIs will be deprecated in openssl 3.0.0 and will no longer be compatible for erlang

@satya-rajesh
Copy link
Author

erlang team,
since openssl beta1 is released, could we have the milestone for the erlang release ?

@ymtszw
Copy link

ymtszw commented Sep 23, 2021

For Homebrew users in mac:

openssl@3 is now installed if you invoke brew install openssl (without explicit version) and is linked to /usr/local/opt/openssl, which is one of the predefined standard locations of openssl.
In that situation, due to the FIPS_mode related error posted above, build of erlang/otp 24.0.6 (presumably other versions too) with crypto/ssl/ssh will fail.

For now we need to use --with-ssl=$(brew --prefix openssl@1.1) option (when using brew with kerl or asdf-erlang)

@Neustradamus
Copy link

To follow this ticket.

@HansN
Copy link
Contributor

HansN commented Oct 18, 2021

The crypto app in OTP can now be compiled, linked and used with the new OpenSSL 3.0 cryptolib.

The fix is merged to maint and master, and will be released in OTP-24.2 currently scheduled for the middle of December.

It has not yet been extensively tested and is not recommended for other usages than experiments and alpha testing. There are no guaranties that it works, not even together with other OTP applications like for example SSL and SSH, although there are no known errors.

Compiling and linking with OpenSSL 3.0 cryptolib in compatibility modes (for example to behave as 1.1.1) are not tested. It is not tested with external providers nor FIPS mode.

Deprecated functions in the OpenSSL 3.0 cryptolib must not be disabled as OTP/crypto still uses some of the deprecated API functions. The gcc flag -Wno-deprecated-declarations is set to prevent deprecation warnings to be printed when compiling.

The plan is now to gradually increase testing and to replace the deprecated APIs.

As usual are comments, error reports and pull requests welcome!

@HansN HansN added in progress priority:medium and removed stalled waiting for input by the Erlang/OTP team priority:low labels Oct 28, 2021
@HansN
Copy link
Contributor

HansN commented Dec 8, 2021

This first support will be released soon in OTP-24.2 and more later in OTP-24.3

@HansN HansN closed this as completed Dec 8, 2021
@thiagomajesk
Copy link

thiagomajesk commented Jun 1, 2022

I found the following cryptic error message using OTP version 24.2 in an Elixir application today:

** (MatchError) no match of right hand side value {:error, "Erlang error: :notsup"}

We solved it by upgrading the OTP version to 24.3.4, which seems to support OpenSSL v3 already.

@martasd
Copy link

martasd commented May 15, 2023

Can we update the installation instructions to remove the the part advising to pin OpenSSL to version 1.1? Erlang 25.2.2 compiles fine for me with OpenSSL 3 now.

# for free to join this conversation on GitHub. Already have an account? # to comment
Projects
None yet
Development

No branches or pull requests

6 participants