Runtime: Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name
Hello.
Since a few days I'm getting rather weird situation of internal OpenSSL failures on my machine. In particular, this is the exception that I'm encountering since a few days:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name
at Interop.SslInitializer..cctor()
--- End of inner exception stack trace ---
at Interop.SslInitializer.Initialize()
at Interop.Ssl..cctor()
--- End of inner exception stack trace ---
at Interop.Ssl.SslV2_3Method()
at Interop.Ssl.SslMethods..cctor()
--- End of inner exception stack trace ---
at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
--- End of inner exception stack trace ---
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at ArchiSteamFarm.WebBrowser.InternalRequest(Uri requestUri, HttpMethod httpMethod, IReadOnlyCollection`1 data, String referer, HttpCompletionOption httpCompletionOption, Byte maxRedirections)
I've tried to solve this issue through various ways. Using CLR_OPENSSL_VERSION_OVERRIDE=1.1 I'm getting a different one:
Cannot get required symbol CRYPTO_add_lock from libssl
Aborted
Using DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 fixed the problem I was having. CURL and OpenSSL work fine on my machine, I can make all usual https requests and my .NET Core app also has no issues doing them with curl handler.
I've managed to reproduce this on two different machines, both running Debian 10 (testing) x64, second machine being clean VM install. I suspect that this problem might be caused by some Debian libraries update, in particular libssl1.1 package (even though I see no reason why it'd break 1.0.2 usage, but it's the only library that dotnet depends on that got updated recently). For reference:
+++-=================-============-============-===============================================
ii libssl1.0.2:amd64 1.0.2o-1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.1-2 amd64 Secure Sockets Layer toolkit - shared libraries
I realize that Debian 10 is not supported as of yet, but this looks like some general libssl compatibility issue that you might be interested in looking into. You should have no problem trying to reproduce this issue on clean Debian Testing install, but if you'd need any further help from me, please let me know.
For completion, this was reproduced on two different SDK versions, latest stable and latest master:
.NET Core SDK (reflecting any global.json):
Version: 2.1.403
Commit: 04e15494b6
Runtime Environment:
OS Name: debian
OS Version:
OS Platform: Linux
RID: debian-x64
Base Path: /usr/share/dotnet/sdk/2.1.403/
Host (useful for support):
Version: 2.1.5
Commit: 290303f510
.NET Core SDKs installed:
2.1.403 [/usr/share/dotnet/sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
.NET Core SDK (reflecting any global.json):
Version: 3.0.100-alpha1-009708
Commit: ce09d64d8a
Runtime Environment:
OS Name: debian
OS Version:
OS Platform: Linux
RID: debian-x64
Base Path: /opt/dotnet-test/sdk/3.0.100-alpha1-009708/
Host (useful for support):
Version: 3.0.0-preview1-27029-03
Commit: 631e219c26
.NET Core SDKs installed:
3.0.100-alpha1-009708 [/opt/dotnet-test/sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.0.0-preview1-27029-03 [/opt/dotnet-test/shared/Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
Thank you for looking into my issue.
JustArchi
All 20 comments
@bartonjs is it a known problem?
karelz
on 1 Nov 2018
CLR_OPENSSL_VERSION_OVERRIDE=1.1 tricks the loader into loading libssl.so.1.1, which .NET Core 2.1 is not capable of working with.
The error is coming out of OpenSSL's initialization. Have you made any changes to /etc/ssl/openssl.cnf ?
bartonjs
on 1 Nov 2018
@bartonjs thank you for reply. Yes, I know that .NET Core isn't capable of using libssl.so.1.1 yet, I just mentioned it as a possibility.
I didn't do any changes to openssl.cnf, this is stock Debian install. Included full file for reference:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# System default
openssl_conf = default_conf
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
dotnet/corefx#1.organizationName = Second Organization Name (eg, company)
dotnet/corefx#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Thanks!
JustArchi
on 1 Nov 2018
I've done a diff of openssl.cnf between stable (stretch, 1.1.0f-3+deb9u2) and testing (buster, 1.1.1-2), here are the results:
5a6,9
> # Note that you can include other files from the main configuration
> # file using the .include directive.
> #.include filename
>
14a19,21
> # System default
> openssl_conf = default_conf
>
346a354,364
> ess_cert_id_alg = sha1 # algorithm to compute certificate
> # identifier (optional, default: sha1)
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=2
Could it be related to MinProtocol = TLSv1.2? Perhaps Debian decided to no longer supply (build openssl with) SSLv3 and .NET Core can't find appropriate SSLv2_v3 symbol? Just my blind uneducated guess, trying to help.
JustArchi
on 1 Nov 2018
Looks like the ssl_conf directive, actually.
If you comment out the line
ssl_conf = ssl_sect
Then .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.
(Using that openssl.cnf file on Ubuntu 16.04 produces
$ openssl s_client -connect www.microsoft.com:443
Error configuring OpenSSL
139661852980888:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
139661852980888:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
139661852980888:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
139661852980888:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf
, commenting out ssl_conf makes it succeed)
I'm not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.
bartonjs
on 1 Nov 2018
I can confirm that commenting out ssl_conf fixed the issue for me. Thank you so much @bartonjs for help, I really appreciate it.
I'll keep the issue open in case you'd want to add some fix in the .NET Core regarding this. If by any chance you're not interested in doing any of that, please feel free to close the issue at anytime.
Once again thank you! 鉂わ笍
JustArchi
on 1 Nov 2018
I can confirm that this workaround has also solved the issue for me, but would definitely rather see proper library support rather than this workaround. Please see the issue I referenced above to see an example of the impact of this issue.
cwebster2
on 6 Nov 2018
I had problems connecting to a mssql instance in docker, however this solved that issue.
netbrain
on 20 Nov 2018
Support for OpenSSL 1.1 was/is-being backported to the 2.1 series with https://github.com/dotnet/corefx/pull/34443; so once a build with that change is available a different workaround would be to set the 1.1 opt-in environment variable.
bartonjs
on 25 Feb 2019
@bartonjs What is the state of 2.2 series? Is my understanding correct that we can use stock openssl.cnf file with ssl_conf = ssl_sect included as long as CLR_OPENSSL_VERSION_OVERRIDE=1.1 environment variable is specified (which won't be needed in 3.0, as 3.0+ will prefer 1.1 by default)?
Thank you in advance for answering.
JustArchi
on 25 Feb 2019
@JustArchi 2.2 should automatically get the change from 2.1, if I understand the branch flows correctly. So it, too, should be able to use OpenSSL 1.1.x starting in the next update.
bartonjs
on 25 Feb 2019
So what's the proper fix here? Does a released version of 2.1 or 2.2 have this fix?
Daniel15
on 8 Jul 2019
CLR_OPENSSL_VERSION_OVERRIDE=1.1 is the most appropriate workaround for net core 2.2.
JustArchi
on 8 Jul 2019
CLR_OPENSSL_VERSION_OVERRIDE=1.1 on 2.2.4+ (or 2.1.10+)
bartonjs
on 8 Jul 2019
@bartonjs @JustArchi where to I put CLR_OPENSSL_VERSION_OVERRIDE=1.1 in order to get it to work?
pockets3407
on 2 Aug 2019
@pockets3407 See the wiki entry for my program, as it applies to the whole OS - https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Compatibility#debian-buster-upgrade
JustArchi
on 2 Aug 2019
@pockets3407 It's an environment variable. For bash you can set it for your command shell
$ export CLR_OPENSSL_VERSION_OVERRIDE=1.1
$ dotnet run
Or you can apply it to one process invocation:
$ CLR_OPENSSL_VERSION_OVERRIDE=1.1 dotnet run
Or you can set it (and export it) via ~/.bashrc, ~/.bash_profile, /etc/profile, et cetera.
bartonjs
on 2 Aug 2019
@bartonjs I entered that in and it said "Cannot get required symbol CRYPTO_add_lock from libsll." Any way to fix this. I am trying to run a program through my raspberry pi 3b+
pockets3407
on 2 Aug 2019
@bartonjs I entered that in and it said "Cannot get required symbol CRYPTO_add_lock from libsll." Any way to fix this. I am trying to run a program through my raspberry pi 3b+
Same here. I'm trying to run the azure pipeline agent in a debian10 container. I installed dotnet runtime 3.0-preview9 hoping this would be be resolved, but I hit the same issue :
root@4a8f001fae84:/azp# apt list --installed | grep ssl
libssl1.1/stable,now 1.1.1c-1 amd64 [installed]
openssl/stable,now 1.1.1c-1 amd64 [installed,automatic]
root@4a8f001fae84:/azp# ./start.sh
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...
>> Connect:
No usable version of the libssl was found
./config.sh: line 86: 66 Aborted ./bin/Agent.Listener configure "$@"
root@4a8f001fae84:/azp# export CLR_OPENSSL_VERSION_OVERRIDE=1.1
root@4a8f001fae84:/azp# ./start.sh
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...
>> Connect:
Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86: 134 Aborted ./bin/Agent.Listener configure "$@"
# commenting out the ssl_conf = ssl_sect
root@4a8f001fae84:/azp# sed -i -e's/ssl_conf = ssl_sect/# ssl_conf = ssl_sect/' /etc/ssl/openssl.cnf
root@4a8f001fae84:/azp# grep 'ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
# ssl_conf = ssl_sect
root@4a8f001fae84:/azp# ./start.sh
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...
>> Connect:
Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86: 208 Aborted ./bin/Agent.Listener configure "$@"
serbrech
on 6 Sep 2019
Looks like the
ssl_confdirective, actually.If you comment out the line
ssl_conf = ssl_sectThen .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.
(Using that openssl.cnf file on Ubuntu 16.04 produces
$ openssl s_client -connect www.microsoft.com:443 Error configuring OpenSSL 139661852980888:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory 139661852980888:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233: 139661852980888:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf 139661852980888:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf, commenting out ssl_conf makes it succeed)
I'm not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.
This was exactly the solution for my case! Thanks
agbarbosa
on 18 Aug 2020
Related issues
jchannon
路
3Comments
aggieben
路
3Comments
Timovzl
路
3Comments
jzabroski
路
3Comments
jkotas
路
3Comments
Most helpful comment
Looks like the
ssl_confdirective, actually.If you comment out the line
Then .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.
(Using that openssl.cnf file on Ubuntu 16.04 produces
, commenting out ssl_conf makes it succeed)
I'm not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.