FWIW: nodejs error when it fails to load openssl errors is also a bit
confusing and needs OPENSSL_MODULES export:
https://lists.openembedded.org/g/openembedded-devel/message/96799

On Thu, Sep 15, 2022 at 1:26 PM Mikko Rapeli <mikko.rap...@linaro.org>
wrote:

> Hi,
>
> On Thu, 15 Sept 2022 at 14:18, Ross Burton <ross.bur...@arm.com> wrote:
> >
> > On 14 Sep 2022, at 09:09, Mikko Rapeli via lists.openembedded.org
> <mikko.rapeli=linaro....@lists.openembedded.org> wrote:
> > > Found the root cause. As suggested on #pyco too maybe native openssl
> > > was missing legacy support.
> > > It wasn't but loading the on purpose hidden openssl legacy.so was
> > > failing. It is located in
> > > recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found
> > > via OPENSSL_MODULES
> > > variable which wasn't set for python3-native users. These custom
> > > variables are set in the native openssl
> > > wrapper script and this also fixes the not found openssl.cnf. Now I
> > > could send a patch which sets
> > > the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3
> > > users via python3native.bbclass:
> >
> > I’m glad this was root-caused before it was merged, because yes, this is
> the ‘correct’ (best known) fix right now:
> >
> > ~/Yocto/meta-arm % git grep "export OPENSSL_MODULES"
> > meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb:export
> OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> > meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:export
> OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> > meta-arm/recipes-security/optee/optee.inc:export
> OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> >
> > A better solution is needed for sure.  At least when the certificates
> can’t be found you get somewhat understandable errors, the python3-crypto
> error is opaque at best.
> >
> > OpenSSL supporting runtime-relocation with a single variable would be
> nice, but iirc from glancing at the source code previously not a trivial
> change.  That said it does cause sufficient pain that maybe we just have to
> carry the patch.
> >
> > Alternatively, we extend the magic relocation to native recipes.  Even
> less trivial…
>
> I'm working on the relocation patches but they are quite ugly, as are
> the various code paths inside openssl
> which handle these env variables and which fall back to compile time
> defaults.
>
> Though I suspect that openssl developers may not want to see the patches
> resolving "OpenSSL_version" symbol
> at runtime for finding the config file paths... But it's still better
> than exporting these environment variables everywhere
> to get relocation working.
>
> Cheers,
>
> -Mikko
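A preflight check for the failure discussed in this thread, as an added example that is not part of the original messages or of OpenEmbedded: it classifies why a native tool would fail to find `legacy.so` through `OPENSSL_MODULES`. The function name, the status words and the `usr/lib` libdir are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify why a native tool cannot find OpenSSL's legacy.so.
# Usage: check_ossl_modules <recipe-sysroot-native>
# Prints one word and returns non-zero unless the result is "ok":
#   unset        OPENSSL_MODULES is not in the exported environment
#   missing-dir  it names a directory that does not exist
#   mismatch     it points outside <sysroot>/usr/lib/ossl-modules
#   no-legacy    the directory exists but contains no legacy.so
check_ossl_modules() {
    sysroot=$1
    # Assumption: libdir is usr/lib, as in the path quoted in the thread.
    expected="$sysroot/usr/lib/ossl-modules"
    # Read the value a child process would see, so a shell variable that was
    # set but never exported is reported as unset.
    value=$(sh -c 'printf %s "${OPENSSL_MODULES:-}"')
    if [ -z "$value" ]; then echo unset; return 1; fi
    if [ ! -d "$value" ]; then echo missing-dir; return 1; fi
    # Compare physical paths so symlinked build directories still match.
    actual=$(CDPATH= cd -- "$value" && pwd -P)
    want=$(CDPATH= cd -- "$expected" 2>/dev/null && pwd -P) || want=
    if [ "$actual" != "$want" ]; then echo mismatch; return 1; fi
    if [ ! -f "$value/legacy.so" ]; then echo no-legacy; return 1; fi
    echo ok
}
```

Run it from the task that invokes python3-native or nodejs-native, passing that recipe's native sysroot, before the step that needs the legacy provider.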