[erlang-questions] Erlang Crypto R16+ and Centos 6.4+ incompatibility


John Doe

Dec 16, 2013, 5:39:19 PM
to erlang-q...@erlang.org
At the moment it is impossible to run crypto app from Erlang R16+ on recent Centos versions (6.4 or newer) and likely on newer versions of Fedora and RHEL as well.
openssl 1.0.1 is installed.

Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library: 'crypto.so: undefined symbol: EC_GROUP_new_curve_GF2m'"


Crypto from R15B03 works with no problems

Matt Lewandowsky

Dec 16, 2013, 7:20:48 PM
to John Doe, erlang-q...@erlang.org

The RHEL OpenSSL changes have been a subject of conversation on a variety of lists lately.

http://rhn.redhat.com/errata/RHBA-2013-1751.html is (I believe) the appropriate errata for what you are seeing and Red Hat’s current packages should correct it. If CentOS has the same packages as what is available via RHN, it might be interesting to know what happens if you roll back your OpenSSL package a month or so (to before the FIPS changes). It’s entirely possible that there are still issues which need RH Bugzilla entries.

I haven’t built Erlang on an RHEL 6 clone since the OpenSSL changes have occurred. However, crypto seemed to work fine the last time I did. (I’d say about 6 weeks ago.)

--Matt

--
Matt Lewandowsky
Big Geek
Greenviolet
ma...@greenviolet.net http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)

mayamatakeshi

Dec 16, 2013, 8:31:30 PM
to Matt Lewandowsky, Erlang-Questions Questions
Actually, it seems the problem is with the new openssl package.
Before its release (CentOS 6.5), it was OK to build erlang R16XXX on CentOS 6.4.


_______________________________________________
erlang-questions mailing list
erlang-q...@erlang.org
http://erlang.org/mailman/listinfo/erlang-questions


Evgeny M

Dec 17, 2013, 4:52:40 AM
to erlang-pr...@googlegroups.com, erlang-q...@erlang.org
Yeah, I see.
Seems like the latest openssl does not announce anymore elliptic curves which are not supported. And crypto fails to start even if it does not use these curves.
I'd say this is quite a serious problem, as about half of cheap VPS/dedicated servers run on CentOS - this is the only distro supported by cPanel afaik. As more and more hosting companies start to roll out the latest CentOS, their clients will suddenly not be able to use recent Erlang with crypto anymore.

I think crypto should be patched so that it can be started even if some functionality from openssl is not available.


On Tuesday, December 17, 2013 at 4:20:48 UTC+4, Matt Lewandowsky wrote:

Andreas Schultz

Dec 17, 2013, 9:50:34 AM
to John Doe, erlang-q...@erlang.org
Hi,

----- Original Message -----
> At the moment it is impossible to run crypto app from Erlang R16+ on recent
> Centos versions (6.4 or newer) and likely on newer versions of Fedora and
> RHEL as well.
> openssl 1.0.1 is installed.
>
> Unable to load crypto library. Failed with error:
> "load_failed, Failed to load NIF library: 'crypto.so: undefined symbol:
> EC_GROUP_new_curve_GF2m'"

That is not an Erlang problem itself. The binary Erlang package you installed
was built on a system that had an OpenSSL with EC support enabled, while the
system you are trying to install it on has OpenSSL with EC support disabled.

So basically the Erlang package was built on an incompatible build host.
IMHO, you should report this as a bug to the package builder you got the Erlang
package from.

Regards
Andreas

>
>
> Crypto from R15B03 works with no problems

--
Dipl. Inform.
Andreas Schultz

Andreas Schultz

Dec 17, 2013, 9:52:54 AM
to Evgeny M, erlang-pr...@googlegroups.com, erlang-q...@erlang.org
Hi,

----- Original Message -----
> Yeah, I see
> Seems like the latest openssl does not announce anymore elliptic curves which
> are not supported.

No, that is CentOS/Red Hat stupidity. OpenSSL by default does EC, but Red Hat chose
to disable EC so that the NSA can better spy on you.

Andreas

Evgeny M

Dec 17, 2013, 10:56:59 AM
to erlang-pr...@googlegroups.com, erlang-q...@erlang.org


> That is not an Erlang problem itself. The binary Erlang package you installed
> was built on a system that had an OpenSSL with EC support enabled, while the
> system you are trying to install it on has OpenSSL with EC support disabled.

Nope, I compiled Erlang from sources, and it throws the error in crypto:start(). Seems like ./configure does not detect missing curves.

> No, that is CentOS/Red Hat stupidity. OpenSSL by default does EC, but Red Hat chose
> to disable EC so that the NSA can better spy on you.

Sure, it's not Erlang's fault, but still, do we really want to ditch half of the potential user base? Or suggest everyone install the outdated R15, as it still works?


Andreas Schultz

Dec 17, 2013, 11:15:35 AM
to Evgeny M, erlang-pr...@googlegroups.com, erlang-q...@erlang.org
Hi,

----- Original Message -----
> > That is not an Erlang problem itself. The binary Erlang package you installed
> > was built on a system that had an OpenSSL with EC support enabled, while the
> > system you are trying to install it on has OpenSSL with EC support disabled.
>
> Nope, I compiled Erlang from sources, and it throws the error in
> crypto:start(). Seems like ./configure does not detect missing curves.

configure has nothing to do with it. When openssl is configured and built,
a file named opensslconf.h is generated (on Ubuntu it's installed to
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h).

That file is indirectly included through the other openssl headers and
specifies at compile time what ciphers are supported. That your Erlang
was compiled with EC support when your openssl seems to be missing
support for it means that that config header must be broken.

Would be great to know how that happened.

Andreas

> > No, that is CentOS/Red Hat stupidity. OpenSSL by default does EC, but
> > Red Hat chose to disable EC so that the NSA can better spy on you.
>
> Sure, it's not Erlang's fault, but still, do we really want to ditch half of
> the potential user base? Or suggest everyone install the outdated R15, as it
> still works?

Andreas Schultz

Dec 17, 2013, 11:36:53 AM
to Evgeny M, erlang-pr...@googlegroups.com, erlang-q...@erlang.org
Hi,

Found it, Centos 6.5 disables EC only partly. Most EC functions
are there, only the support for GF2m curves has been disabled
(that means all the sectXXXr1 and r2 curves won't work).

The corresponding OpenSSL define OPENSSL_NO_EC2M is set.

The simplest (untested) workaround would be to put a "-DOPENSSL_NO_EC=1"
into CFLAGS, e.g.:

CFLAGS="-DOPENSSL_NO_EC=1" ./configure

Alternatively, you could edit lib/crypto/c_src/crypto.c and change:

#if OPENSSL_VERSION_NUMBER >= 0x009080ffL \
&& !defined(OPENSSL_NO_EC) \
&& !defined(OPENSSL_NO_ECDH) \
&& !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

to

#if OPENSSL_VERSION_NUMBER >= 0x009080ffL \
&& !defined(OPENSSL_NO_EC) \
&& !defined(OPENSSL_NO_EC2M) \
&& !defined(OPENSSL_NO_ECDH) \
&& !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

Both will disable EC completely.

Andreas
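
Added example (not part of the thread and not OTP source): a guard that tracks GF2m support on its own, so that OPENSSL_NO_EC2M compiles out only the binary-field curves, whereas both workarounds in the message above turn EC off entirely. HAVE_EC2M, curve_usable() and the curve table are hypothetical names, and the two OPENSSL_* defines at the top are constructed stand-ins for the OpenSSL headers so the file builds without OpenSSL installed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for what the OpenSSL headers would supply on a
 * build like the one in the thread: EC present, GF2m curves compiled out. */
#define OPENSSL_VERSION_NUMBER 0x10001000L /* constructed, above the guard's threshold */
#define OPENSSL_NO_EC2M

/* Base guard, as in the crypto.c excerpt quoted in the thread. */
#if OPENSSL_VERSION_NUMBER >= 0x009080ffL \
    && !defined(OPENSSL_NO_EC) \
    && !defined(OPENSSL_NO_ECDH) \
    && !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif
/* Hypothetical second macro: binary-field support is tracked separately. */
#if defined(HAVE_EC) && !defined(OPENSSL_NO_EC2M)
# define HAVE_EC2M
#endif

enum field { FIELD_PRIME, FIELD_BINARY };
struct curve { const char *name; enum field field; };

/* Constructed sample table: two prime-field and two binary-field curves. */
static const struct curve curves[] = {
    { "secp384r1", FIELD_PRIME },  { "secp521r1", FIELD_PRIME },
    { "sect163r1", FIELD_BINARY }, { "sect163r2", FIELD_BINARY },
};
#define N_CURVES (sizeof curves / sizeof curves[0])

/* Returns 1 if this build can use the named curve, 0 if the curve is
 * unknown or its support was compiled out. */
int curve_usable(const char *name)
{
    int ec = 0, ec2m = 0;
#ifdef HAVE_EC
    ec = 1;
#endif
#ifdef HAVE_EC2M
    ec2m = 1; /* only this build variant may reference EC_GROUP_new_curve_GF2m */
#endif
    for (size_t i = 0; i < N_CURVES; i++)
        if (strcmp(curves[i].name, name) == 0)
            return curves[i].field == FIELD_BINARY ? ec2m : ec;
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < N_CURVES; i++)
        printf("%-10s %d\n", curves[i].name, curve_usable(curves[i].name));
    return 0;
}
```

Removing the `#define OPENSSL_NO_EC2M` line models an OpenSSL build with GF2m enabled, in which case all four curves report as usable.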

Matt Lewandowsky

Dec 17, 2013, 11:37:26 AM
to Andreas Schultz, Evgeny M, erlang-pr...@googlegroups.com, erlang-q...@erlang.org
Hi,

It happened because he built with an OpenSSL which doesn’t incorporate Red Hat's errata, most likely. This was an issue with a great many products for all of like a week or two while the broken packages were being delivered. 

It's not Erlang's fault. And Red Hat fixed their packages. The only two likely options are that the distro (or, more likely, system) does not have the current packages; or, there is a new bug which needs to be filed with Red Hat (less likely).

--Matt

--
Matt Lewandowsky
Big Geek
Greenviolet
ma...@greenviolet.net http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)
Sent from my BlackBerry 10 smartphone.
From: Andreas Schultz
Sent: Tuesday, December 17, 2013 08:15
To: Evgeny M
Subject: Re: [erlang-questions] Erlang Crypto R16+ and Centos 6.4+ incompatibility