undefined symbol: SSL_get_peer_certificate

[rashkov]

System information

v16.19.0
8.19.2
linux
6.1.8-arch1-1
x64

nodegit 0.27.0

I'm getting the following at runtime when trying to clone an https repository:

/usr/bin/node: symbol lookup error: ./node_modules/nodegit/build/Release/nodegit.node: undefined symbol: SSL_get_peer_certificate

Any tips?

Thanks for the awesome work on this repo.

[rashkov]

I've built the project from master, and running tests reproduces the error:

 Cherrypick
    ✓ can cherrypick a commit onto the index
    ✓ can cherrypick a commit onto another specified commit
    ✓ can cherrypick a stash to apply it

  Clone
    - can clone with http
/usr/bin/node: symbol lookup error: /home/mike/tmp/nodegit/build/Release/nodegit.node: undefined symbol: SSL_get_peer_certificate
error Command failed with exit code 127.

[weedz]

Don't know why it fails, but have you tried the latest alpha release (nodegit@next, 0.28.0-alpha.20)?

I'm on arch, with OpenSSL 3.0, using the latest alpha release and have always been able to clone with "https://".

I don't know if it matters but which SSL/TLS library are you using? OpenSSL, GnuTLS or something else. I think nodegit is statically linked against OpenSSL so probably shouldn't matter (?).

Might not be helpful, but output from ldd shows:

$ ldd build/Release/nodegit.node
	linux-vdso.so.1 (0x00007fff3657e000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f5ab21ac000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f5ab20d4000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f5ab20a6000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f5ab2760000)
	libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f5ab1e00000)
	libm.so.6 => /usr/lib/libm.so.6 (0x00007f5ab1d18000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f5ab273e000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f5ab1b31000)
	/usr/lib64/ld-linux-x86-64.so.2 (0x00007f5ab2795000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f5ab2098000)
	libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f5ab2091000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f5ab207f000)

(no "libssl")
And when built for electron@22:

$ ldd node_modules/nodegit/build/Release/nodegit.node
	linux-vdso.so.1 (0x00007ffeeb5d4000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f8ffe7f7000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f8ffe128000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f8ffe7c9000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f8ffe7c3000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f8ffdc00000)
	libssl.so.3 => /usr/lib/libssl.so.3 (0x00007f8ffe088000)
	libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f8ffd800000)
	libm.so.6 => /usr/lib/libm.so.6 (0x00007f8ffdb18000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f8ffe7a1000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f8ffd619000)
	/usr/lib64/ld-linux-x86-64.so.2 (0x00007f8ffe87a000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f8ffe793000)
	libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f8ffe78c000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f8ffe778000)

("libssl.so.3")

[axkibe]

I have a dejavu, i had this error once, but can't remember the workaround.

I think it had something to do with not installed openssl dev package (for which the error message is certainly not pushing in the right direction), but can't be sure anymore.

Maybe nodejs/node-gyp#2576 helps?

[rashkov]

I successfully built and tested the latest alpha release. Will be investigating more next week. Appreciate the advice. Will update

[rashkov]

It seems like this might be relevant, assuming that nodegit is pulling in openssl greater than version 3:
/usr/include/openssl/ssl.h:

/* Deprecated in 3.0.0 */
#  ifndef OPENSSL_NO_DEPRECATED_3_0
#   define SSL_get_peer_certificate SSL_get1_peer_certificate
#  endif
# endif

-> % pacman -Qi openssl
Name            : openssl
Version         : 3.0.7-4
Architecture    : x86_64
Provides        : libcrypto.so=3-64  libssl.so=3-64

Solution might be to compile with macro OPENSSL_NO_DEPRECATED_3_0 set to true

Alternatively, I suppose this will not be a problem once the alpha branch is released

[rashkov]

Okay so this command works: LD_PRELOAD=/usr/lib/libssl.so.1.1 yarn test
While a simple yarn test does not

I think this function / symbol gets dynamically loaded at runtime. My /usr/lib has both libssl 3 and libssl 1.1.

My best guess is that on this system, libssl 3 has priority so it's getting loaded first on this system, but forcing libssl 1.1 via LD_PRELOAD fixes it