[SERVER-65898] csfle library: initialization fails with OpenSSL error on RHEL 7.6, SLES 12
Created: 22/Apr/22  Updated: 29/Oct/23  Resolved: 04/May/22

Status: Closed
Project: Core Server
Component/s: Field Level Encryption
Affects Version/s: 6.0.0-rc1
Fix Version/s: 6.1.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Anna Henningsen
Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-63703 csfle library: remove unnecessary libs Closed
is related to SERVER-65902 csfle library: initialization segfaul... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

https://gist.github.com/addaleax/c3bdcab028a42d1f32455a9436a1c298 (ran this on a suse12-small evg spawn host)

Sprint: Security 2022-05-02, Security 2022-05-16

Description

Initializing the csfle shared library fails on RHEL 7.6, SLES 12, and possibly others.

In a standalone binary that only loads the shared library, dlopen() fails with:

symbol SSL_CTX_get0_certificate, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference

In a Node.js process (where OpenSSL is statically linked in – tested with Node.js 14.19.1/OpenSSL 1.1.1n), lib_create() fails with:

csfle lib_create() failed: Global initialization failed :: caused by :: Can not set supported cipher suites with config string "HIGH:!EXPORT:!aNULL@STRENGTH": error:08064066:object identifier routines:OBJ_create:oid exists [Error 2, code 140]

This has some potential overlap with SERVER-63703 in that removing uses of OpenSSL inside the shared library seems like a good potential fix.
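
The packed code in the lib_create() message above can be unpacked to see which OpenSSL sub-library queued the error. The following is an added example, not part of the ticket or the MongoDB code base; it assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason), and the names `decode_openssl_errors`, `ERR_LIBS` and `TICKET_MESSAGE` are this example's own.

```python
import re
from typing import List, NamedTuple

# Subset of library numbers from OpenSSL's err.h, mapped to the name
# OpenSSL prints in the third field of an error line.
ERR_LIBS = {
    6: "digital envelope routines",
    8: "object identifier routines",
    9: "PEM routines",
    11: "x509 certificate routines",
    13: "asn1 encoding routines",
    20: "SSL routines",
}

# Matches "error:XXXXXXXX:<library>:<function>:<reason>" inside a longer message.
ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:\[\]]*)"
)

class OpenSSLError(NamedTuple):
    lib: int
    func: int
    reason: int
    lib_text: str
    func_text: str
    reason_text: str
    consistent: bool  # packed library number agrees with the printed library name

def decode_openssl_errors(message: str) -> List[OpenSSLError]:
    """Unpack every OpenSSL error entry found in a log message (pre-3.0 layout)."""
    found = []
    for m in ERR_LINE.finditer(message):
        code = int(m["code"], 16)
        lib = (code >> 24) & 0xFF      # ERR_GET_LIB
        func = (code >> 12) & 0xFFF    # ERR_GET_FUNC
        reason = code & 0xFFF          # ERR_GET_REASON
        lib_text = m["lib"].strip()
        found.append(OpenSSLError(lib, func, reason, lib_text, m["func"].strip(),
                                  m["reason"].strip(), ERR_LIBS.get(lib) == lib_text))
    return found

# The lib_create() failure text quoted in this ticket.
TICKET_MESSAGE = (
    'csfle lib_create() failed: Global initialization failed :: caused by :: '
    'Can not set supported cipher suites with config string "HIGH:!EXPORT:!aNULL@STRENGTH": '
    'error:08064066:object identifier routines:OBJ_create:oid exists [Error 2, code 140]'
)
```

For the ticket's message this yields library 8 (object identifier routines), not library 20 (SSL routines), so the entry on the error queue was raised by OBJ_create rather than by the cipher-list call named in the surrounding text.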

