Re: Question about OpenSSL 3.0 and static linking

2022-02-21 Thread pauli
There is a define to allow this, STATIC_LEGACY, but I don't remember how
to specify it on the configuration command line.

We should probably turn this on in a no-shared build.


Pauli

On 22/2/22 5:37 pm, Shunichi Shinohara wrote:

Hi List,

I have a question about OpenSSL 3.0 and static linking.

Short version: Is it possible to include the legacy provider in libcrypt.a?

Somewhat long version below.
As background for the question: I'm using OpenSSL with Erlang/OTP [1] on Linux
and want to statically link the OpenSSL library.  With OpenSSL 1.1.1 it works
nicely, but I couldn't make it work well with OpenSSL 3.0.1.

Build steps:

  curl -LO https://www.openssl.org/source/openssl-3.0.1.tar.gz
  tar xvfz openssl-3.0.1.tar.gz
  cd openssl-3.0.1
  ./config --prefix=$HOME/local/openssl-3.0.1 no-shared
  make -j && make install_sw

After building Erlang/OTP with it and moving $HOME/local/openssl-3.0.1/lib64 to
$HOME/tmp, my (Erlang) code fails at OSSL_PROVIDER_load(NULL, "legacy"):
https://github.com/erlang/otp/blob/OTP-25.0-rc1/lib/crypto/c_src/crypto.c#L224

What I found is:
- there are two library files under $HOME/local/openssl-3.0.1/lib64, libcrypt.a
   and ossl-modules/legacy.so, and
- if I pass the environment variable OPENSSL_MODULES=$HOME/tmp when launching
   Erlang, all works well.

https://github.com/openssl/openssl/blob/b19fcc66d382357617744690dc3363947de2cb6f/doc/man3/OSSL_PROVIDER.pod

So, copying legacy.so and adding an environment variable can be an option.
Before going with that option, I want to confirm whether including legacy in
libcrypt.a is possible or not.

[1] https://www.erlang.org/

Thanks in advance!
Shino





Question about OpenSSL 3.0 and static linking

2022-02-21 Thread Shunichi Shinohara
Hi List,

I have a question about OpenSSL 3.0 and static linking.

Short version: Is it possible to include the legacy provider in libcrypt.a?

Somewhat long version below.
As background for the question: I'm using OpenSSL with Erlang/OTP [1] on Linux
and want to statically link the OpenSSL library.  With OpenSSL 1.1.1 it works
nicely, but I couldn't make it work well with OpenSSL 3.0.1.

Build steps:

 curl -LO https://www.openssl.org/source/openssl-3.0.1.tar.gz
 tar xvfz openssl-3.0.1.tar.gz
 cd openssl-3.0.1
 ./config --prefix=$HOME/local/openssl-3.0.1 no-shared
 make -j && make install_sw

After building Erlang/OTP with it and moving $HOME/local/openssl-3.0.1/lib64 to
$HOME/tmp, my (Erlang) code fails at OSSL_PROVIDER_load(NULL, "legacy"):
https://github.com/erlang/otp/blob/OTP-25.0-rc1/lib/crypto/c_src/crypto.c#L224

What I found is:
- there are two library files under $HOME/local/openssl-3.0.1/lib64, libcrypt.a
  and ossl-modules/legacy.so, and
- if I pass the environment variable OPENSSL_MODULES=$HOME/tmp when launching
  Erlang, all works well.

https://github.com/openssl/openssl/blob/b19fcc66d382357617744690dc3363947de2cb6f/doc/man3/OSSL_PROVIDER.pod

So, copying legacy.so and adding an environment variable can be an option.
Before going with that option, I want to confirm whether including legacy in
libcrypt.a is possible or not.

[1] https://www.erlang.org/

Thanks in advance!
Shino


Re: Error: write EPROTO 0006601201000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:880

2022-02-21 Thread Matt Caswell




On 18/02/2022 19:53, Brian Pilati wrote:

I am receiving this error

Error: write EPROTO 000660120100:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:880


after upgrading to macOS Monterey v12.2.1

I am running Nodejs v16.13.2

Can someone please give me detailed instructions on how to allow unsafe 
legacy renegotiation?



This error means that you are running as a client attempting to connect 
to a server that has not been patched against CVE-2009-3555. Connection 
attempts to servers that do not support secure renegotiation (the 
mitigation against that CVE) are now aborted by default in OpenSSL 3.0.


If the server has not been patched against a CVE issued 13 years ago 
then it is unlikely to be patched against many other CVEs and you should 
strongly question whether you really want to connect to such a server.


You can read more about this in the "SECURE RENEGOTIATION" section of 
this page:


https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html

If you *really* want to still connect to the server then you can do this 
by setting the SSL_OP_LEGACY_SERVER_CONNECT option. I am not a Nodejs 
person, so I don't know how/if this option is exposed in Nodejs.


Matt




I have attempted "process.env.NODE_OPTIONS = '--tls-min-v1.0';" in my
node script.


Thanks,
Brian


--Brian Pilati
http://www.linkedin.com/in/brianpilati 


