~ $ lsb-release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
https://launchpad.net/debian/+source/openssl/3.0.3-7 includes a single change, https://sources.debian.org/src/openssl/3.0.3-8/debian/patches/Remove-the-provider-section.patch/
That patch solves a problem with programs that use OpenSSL v1 (statically or dynamically linked); these still read /etc/ssl/openssl.cnf, but the v3-specific sections in the sid/jammy default config may cause a failure.
One example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051
Another example: a (non-Ubuntu) Node.js v16 (OpenSSL compiled statically) hits an error in its crypto lib:
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
Uncaught:
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
    at Sign.sign (node:internal/crypto/sig:131:29) {
  opensslErrorStack: [
    'error:0E076071:configuration file routines:module_run:unknown module name',
    'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
    'error:25070067:DSO support routines:DSO_load:could not load the shared library'
  ],
  library: 'DSO support routines',
  function: 'dlfcn_load',
  reason: 'could not load the shared library',
  code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
Removing the relevant provider section lines (the Debian patch doesn't apply cleanly, hence the use of sed) fixes it:
~ $ sed -i '/_sect\b/s/^/# /' /etc/ssl/openssl.cnf
~ $ node
Welcome to Node.js v16.15.0.
Type ".help" for more information.
> const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
…
> var sign = crypto.createSign('RSA-SHA256')
…
> sign.update(Buffer.from("hello"))
…
> sign.sign(privateKey.export({type: 'pkcs1', format: 'pem'}))
<Buffer c5 e7 ba 01 5a 33 3f 26 43 bb 4e 47 99 49 e4 c7 60 41 be c6 91 63 c6 5d 0a af 78 5c 15 4a 9f 1a e7 24 99 ce 6a f0 05 b5 48 96 4e 59 b8 d5 69 df 3c bc ... 206 more bytes>
I realize there is no libssl1.1 on jammy, but a statically linked OpenSSL is not uncommon (Node.js being a very prominent example).
Would it be possible to get this Debian sid change ported to jammy?
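Added example, not part of the original report: a read-only audit of which lines the sed address `/_sect\b/` would comment out in an openssl.cnf, separating the provider section from any other section whose name also ends in `_sect`. The function names and the sample config are constructed for illustration and are not taken from the jammy or Debian packages.

```shell
#!/bin/sh
# Added example: dry-run audit for the sed workaround; it never edits the file.

# Active (uncommented) lines the sed address /_sect\b/ would comment out.
sect_lines() {
    grep -nE "^[^#]*_sect([^A-Za-z0-9_]|\$)" "$1"
}

# Section names reachable from "providers = <name>": that section plus the
# per-provider sections it lists.
provider_sections() {
    root=$(sed -n 's/^[[:space:]]*providers[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$root" ] || return 0
    echo "$root"
    awk -v root="$root" '
        /^[ \t]*\[/ { s = $0; sub(/#.*/, "", s); gsub(/[^A-Za-z0-9_]/, "", s)
                      in_root = (s == root); next }
        in_root && /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t#].*$/, "", v); print v }
    ' "$1"
}

# Lines the sed would comment out that do not belong to the provider section.
collateral_lines() {
    names=$(provider_sections "$1" | paste -sd '|' -)
    if [ -z "$names" ]; then sect_lines "$1"; return; fi
    sect_lines "$1" | grep -vE "(^|[^A-Za-z0-9_])(${names})([^A-Za-z0-9_]|\$)"
}

# Constructed sample config; section names are assumptions for illustration.
write_sample() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[provider_sect]
default = default_sect
# legacy = legacy_sect
[default_sect]
activate = 1
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
EOF
}

tmp=$(mktemp); write_sample "$tmp"
echo "provider-related sections:"; provider_sections "$tmp"
echo "other lines the sed would also comment out:"; collateral_lines "$tmp"
rm -f "$tmp"
```

On a real system, call `collateral_lines /etc/ssl/openssl.cnf` before applying the sed; any output is a line outside the provider section that the edit would also disable.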