FWIW: nodejs error when it fails to load openssl errors is also a bit confusing and needs OPENSSL_MODULES export: https://lists.openembedded.org/g/openembedded-devel/message/96799
On Thu, Sep 15, 2022 at 1:26 PM Mikko Rapeli <mikko.rap...@linaro.org> wrote: > Hi, > > On Thu, 15 Sept 2022 at 14:18, Ross Burton <ross.bur...@arm.com> wrote: > > > > On 14 Sep 2022, at 09:09, Mikko Rapeli via lists.openembedded.org > <mikko.rapeli=linaro....@lists.openembedded.org> wrote: > > > Found the root cause. As suggested on #pyco too maybe native openssl > > > was mising legacy support. > > > It wasn't but loading the on purpose hidden openssl legacy.so was > > > failing. It is located in > > > recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found > > > via OPENSSL_MODULES > > > variable which wasn't set for python3-native users. These custom > > > variables are set in the native openssl > > > wrapper script and this also fixes the not found openssl.cnf. Now I > > > could send a patch which sets > > > the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3 > > > users via python3native.bbclass: > > > > I’m glad this was root-caused before it was merged, because yes, this is > the ‘correct’ (best known) fix right now: > > > > ~/Yocto/meta-arm % git grep "export OPENSSL_MODULES" > > meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.6.0.bb:export > OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" > > meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:export > OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" > > meta-arm/recipes-security/optee/optee.inc:export > OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules” > > > > A better solution is needed for sure. At least when the certificates > can’t be found you get somewhat understandable errors, the python3-crypto > error is opaque at best. > > > > OpenSSL supporting runtime-relocation with a single variable would be > nice, but iirc from glancing at the source code previously not a trivial > change. That said it does cause sufficient pain that maybe we just have to > carry the patch. > > > > Alternatively, we extend the magic relocation to native recipes. Even > less trivial… > > I'm working on the relocation patches but they are quite ugly, as are > the various code paths inside openssl > which handle these env variables and which fall back to compile time > defaults. > > Though I suspect that openssl developers may not want see the patches > resolving "OpenSSL_version" symbol > at runtime for finding the config file paths... But it's still better > than exporting these environment variables everywhere > to get relocation working. > > Cheers, > > -Mikko > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170692): https://lists.openembedded.org/g/openembedded-core/message/170692 Mute This Topic: https://lists.openembedded.org/mt/93651845/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-