OpenSSL library API incompatability errors using --openssl-legacy-provider flag.

[whitingjr]

Version

v18.1.0

Platform

Linux xxxxxxxxx 5.18.9-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jul 2 15:56:43 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

crypto digital envelope routines

What steps will reproduce the bug?

Using a VM that is running Fedora36. Then building a Java project called Horreum. Sorry this a lazy answer for the time being. I will endeavour to create a simple reproducer.
$ sudo dnf install -y yarnpkg.noarch
$ sudo dnf update -y maven.noarch node npm openssl
$ git clone https://github.com/phillip-kruger/members
$ cd members; mvn package -DskipTests

How often does it reproduce? Is there a required condition?

Every time.

What is the expected behavior?

Whereas on Fedora35 the build process of the Horreum project completes. Fedora35 uses these versions of node, npm and openssl. This combination works as expected......

$ node --version
v16.14.0
$ npm --version
8.3.1
$ openssl version
OpenSSL 1.1.1o  FIPS 3 May 2022
$

What do you see instead?

On Fedora36 I see this error during the build

[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] > node@0.1.0 build
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] > react-scripts build --output-hashing=all --prod --aot --configuration=production --openssl-legacy-provider
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] Creating an optimized production build...
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] Error: error:0308010C:digital envelope routines::unsupported
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at new Hash (node:internal/crypto/hash:67:19)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at Object.createHash (node:crypto:130:10)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at module.exports (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/util/createHash.js:135:53)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at NormalModule._initBuildHash (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:417:16)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at handleParseError (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:471:10)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:503:5
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:358:12
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:373:3
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at iterateNormalLoaders (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at iterateNormalLoaders (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:236:3
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at runSyncOrAsync (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at iterateNormalLoaders (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at Array.<anonymous> (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at Storage.finished (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/react-scripts/scripts/build.js:19
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   throw err;
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   ^
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] Error: error:0308010C:digital envelope routines::unsupported
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at new Hash (node:internal/crypto/hash:67:19)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at Object.createHash (node:crypto:130:10)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at module.exports (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/util/createHash.js:135:53)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at NormalModule._initBuildHash (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:417:16)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:452:10
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/webpack/lib/NormalModule.js:323:13
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:367:11
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:233:18
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at context.callback (/home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]     at /home/whitingjr/thebounty/work/redhat/java/Horreum/worktree/add-servlet-spec-tests-issue-#182/webapp/node_modules/babel-loader/lib/index.js:59:103 {
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   library: 'digital envelope routines',
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   reason: 'unsupported',
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager]   code: 'ERR_OSSL_EVP_UNSUPPORTED'
[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] }

Additional information

$ ./webapp/node/node --version
v18.1.0
$ ./webapp/node/npm --version
8.8.0
$ openssl version
OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)
$ java -version
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment 18.9 (build 11.0.15+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10, mixed mode, sharing)
$

[mscdex]

--openssl-legacy-provider is currently only available on node v18.x. There is a PR to backport it to v16.x.

[whitingjr]

@mscdex this issue is raised with 18.1.0 being the problem.

[mscdex]

Did you check /etc/ssl/openssl.cnf to see if the legacy provider is listed and enabled properly there?

[richardlau]

[INFO] [io.quarkiverse.quinoa.deployment.PackageManager] > react-scripts build --output-hashing=all --prod --aot --configuration=production --openssl-legacy-provider

Have you tried with --openssl-legacy-provider before the build argument?
i.e.

react-scripts --openssl-legacy-provider build --output-hashing=all --prod --aot --configuration=production

?

[whitingjr]

Did you check /etc/ssl/openssl.cnf to see if the legacy provider is listed and enabled properly there?

I hadn't done that even though it was suggested here.
I tried adding after your suggestion. It didn't make any difference.

[whitingjr]

Have you tried with --openssl-legacy-provider before the build argument?

Tried that but an error was reported.

/usr/bin/node: bad option: --openssl-legacy-provider

then I tried

react-scripts build --output-hashing=all --prod --aot --configuration=production --openssl-legacy-provider

but that also threw the error for ERR_OSSL_EVP_UNSUPPORTED

[richardlau]

Have you tried with --openssl-legacy-provider before the build argument?

Tried that but an error was reported.

/usr/bin/node: bad option: --openssl-legacy-provider

That suggests either that it's not running Node.js 18 (which should support that option) or Fedora's Node.js 18 builds differ from the ones provided from http://nodejs.org.

[mscdex]

Your build script(s) are probably using the wrong node binary. It appears your /usr/bin/node is the v16.x binary, but your v18.x binary seems to be at "./webapp/node/node".

[whitingjr]

@richardlau your comment prompted me to check for sources of different versions.
@mscdex Yes I found there is another installed version of node supplied from the platform.

$ node --version
v16.14.0

Sorry for this wild goose chase.

[whitingjr]

waiting for #42972 to arrive.

[mysticaltech]

Hey folks, just FYI. @mscdex put me on the right track, thank you! I just had to uncomment a few lines in /etc/ssl/openssl.cnf on my Linux Fedora 36 box, for the --openssl-legacy-provider is not allowed in NODE_OPTIONS to go away! Finally.

The section in question in the openssl.conf after un-commenting should be like this:

[whitingjr]

@mysticaltech yes can confirm this works for me too (after a platform reboot).