-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NodeJS should not use openssl library default configuration (openssl_conf) or not read openssl.cnf at all #40366
Comments
@danbev what is your take on this? |
@mhdawson This is how it currently how it works using the environment variable $ cat out/Release/obj.target/deps/openssl/openssl2.cnf
[default
$ ./node --openssl-config=out/Release/obj.target/deps/openssl/openssl2.cnf -p 'crypto.createHash("md4")'
OPENSSL_CONF:
openssl-config: out/Release/obj.target/deps/openssl/openssl2.cnf
OpenSSL configuration error:
808725745B7F0000:error:07000064:configuration file routines:def_load_bio:missing close square bracket:../deps/openssl/openssl/crypto/conf/conf_def.c:366:line 1 But if this is causing issues, which it obviously is and I'm sorry about that, I think we should look closer at how this is done and how it can be improved. I like the idea of using a specific section name for Node.js which I was not aware it was possible. |
|
found this when I was searching for a fix to my npm issue. currently don't know enough about the OpenSSL config set up and how it relates to node or npm. Think you may be correct in your assertion that it should use it own native command since in my comp it seems to be looking for files in postgres, which I do not have installed currently. Could it have been me updating to the newest node? sry if this is off topic. |
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. Refs: nodejs#40366
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. Refs: nodejs#40366
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. Refs: nodejs#40366
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. Refs: nodejs#40366
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: #43124 Refs: #40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: #43124 Refs: #40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
Closing this as I believe #43124 has dealt with this issue. |
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: #43124 Refs: #40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: #43124 Refs: #40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR-URL: nodejs#43124
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR-URL: nodejs#43782
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR-URL: nodejs#43782
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR-URL: nodejs#43782
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs#43124 Refs: nodejs#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR: nodejs#43892
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: #43124 Backport-PR-URL: #43892 Refs: #40366 Refs: nodejs/nodejs.org#4713 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: #43124 Refs: #40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Backport-PR-URL: #43782 Refs: nodejs/nodejs.org#4713 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Richard Lau <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: #43124 Backport-PR-URL: #43892 Refs: #40366 Refs: nodejs/nodejs.org#4713 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds the setting of an appname (configuration section name), 'nodejs_conf', to be used when reading OpenSSL configuration files. The motivation for this is that currently the default OpenSSL configuration, 'openssl_conf', element will be used which may be undesirable as it might configure OpenSSL in unwanted ways. With this commit it is still possible to use a default openssl.cnf file but the only section that Node.js will read from is a section named 'nodejs_conf'. PR-URL: nodejs/node#43124 Backport-PR-URL: nodejs/node#43545 Refs: nodejs/node#40366 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
This commit adds a new command line option named '--openssl-shared-config' intended to allow reverting to the old OpenSSL configuration behavior where Node.js would use the configuration section name (called appname in OpenSSL) 'openssl_conf' which could potentially be used my other applications.. PR-URL: nodejs/node#43124 Backport-PR-URL: nodejs/node#43892 Refs: nodejs/node#40366 Refs: nodejs/nodejs.org#4713 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
Version
16.10.0, 14.18.0, 12.22.6 (and older)
Platform
Microsoft Windows NT 10.0.19043.0 x64
Subsystem
crypto
What steps will reproduce the bug?
have an environment variable pointing to a file openssl.cnf:
export OPENSSL_CONF=`pwd`/openssl.cnf
put an invalid file there:
How often does it reproduce? Is there a required condition?
always
What is the expected behavior?
Should output "true"
What do you see instead?
"false"
(true only for valid file content
)
Additional information
Well, actually I came here to suggest that NodeJS should use its "own" default section (see openssl_conf in https://www.openssl.org/docs/man1.1.1/man5/config.html). Now I would prefer that NodeJS isn't following env:OPENSSL_CONF and/or reading its target at all.
I had the default openssl.cnf from OpenSSL3 (even if NodeJS does not support it, this problem is completely unrelated).
The file contains these lines (among others):
Now it seems, due to the environment variable (see step to reproduce above), NodeJS (or one of the libraries it uses) is reading openssl.cnf and via openssl_conf/openssl_init it tries to load a library "providers.dll" which fails because it is does not exist. Don't know what happens if it would be found. Maybe at least code in DLL Entrypoint is executed?
Failing to load "providers.dll" crypto.sign (see code snippet) failed.
According to OpenSSL documentation (https://www.openssl.org/docs/man1.1.1/man5/config.html), openssl_conf is used by the openssl utility, while other applications may (should!) use an alternative name.
So I suggest either use an application specific section name (nodejs_conf?) and be tolerant with format errors or disable reading of openssl.cnf at all. For the first, mistakes or unknown entries in openssl.cnf don't break NodeJS while it could be configured if necessary. But - can there be such need anyway?
I think it's a big problem that a rather unrelated file may break NodeJS execution (needless to mention it took me some time to figure this out...)
The text was updated successfully, but these errors were encountered: