Signal if there is an OpenSSL major version mismatch #99951
Comments
|
This could be done manually using the following code snippet. import ssl
assert ssl.OPENSSL_VERSION_INFO[:2] == ssl._OPENSSL_API_VERSION[:2], "OpenSSL major version mismatch!"Because I agree this could be useful to have this check globally when users are importing the |
Openssl already builds with symbol versioning to enable this. libssl3 should have symbols named I would argue this is a bug in Node.js, the openssl |
|
Node.js has always included a statically linked OpenSSL with re-exported symbols which are made available to its binary addons - this is part of its API. There are other ways to build it, but since the official binary packages (those by Nodesource) are built this way, mostly everyone else follows suit - to avoid shipping a version that won't be binary compatibly with the existing packages. On all systems that I checked, not only Node.js, but also the default, system-provided |
It's present in all systems that I checked, and having some value in the generated ld version script is not optional (it's hardcoded into I checked Debian, Ubuntu, Arch Linux, Alpine, and Fedora.
The way this works is that when libssl3 has versioned symbols, then:
So, if CPython is linked with a libssl that does versions, then there's simply nothing to check, cpython's If Node.js does versions in its internal ssl, then Node.js extensions linked to that should always be correct, regardless of whether CPython crashes. |
Off-topic rant: Node.js should not have done this, it causes huge dist 8000 ributor problems and also means that Node.js itself cannot upgrade OpenSSL except when the Node.js ABI itself changes. But they don't care about the former and the latter is considered an acceptable limitation. The people that pay are the ones building system Node.js that cannot conform to platform policy -- and also the people trying to embed Node.js in other software that already uses OpenSSL, or vice versa. Which is exactly what's happening here. What Node.js could have and should have done is wrapped the OpenSSL API in a node-specific API and re-exported that, so that node extensions don't link to openssl at all, they just link to node, and the actual version of openssl which node uses becomes an internal implementation detail that does not matter and can be freely swapped out by anyone that wants to. For example you could just build both python and node against the same libssl. Whatever, it is what it is and python as well as every other program out there just has to live with it if they want to interface with node. :( |
|
@eli-schwartz I will reproduce the crash and I will give you more details, my setup is The crash occurs in OpenSSL 1.1 code called by The Node.js decision is indeed somewhat controversial, but I have always liked it, because, as a binary addon author, it allows me to easily ship an addon that includes for example |
|
@eli-schwartz well, the answer is it does not work. My crash is The first point is that his can never actually work - there is no dynamic linker mechanism which allows you to load multiple versions of the same shared library. The versioning mechanism of The real question however is why the silent error - since in this particular case I did spend some time researching how versioned symbol resolving works - and the documentation is very scarce - so my only reference is this ancient document from Ulrich Drepper (the author of I have also found various Bottom line is, if your Python is compiled vs OpenSSL 3.0.0 - which is the case in most very recent Linux distributions and the macOS homebrew - than using embedded Python in an application compiled vs OpenSSL 1.x will lead to various random crashes. |
Feature or enhancement
Implement some kind of obvious warning or even fatal error when the runtime OpenSSL major version does not match the one Python was compiled against.
Pitch
This is especially valid when using the embedded interpreter. I am developing a Node.js/Python compatiblity layer (https://github.com/mmomtchev/pymport) and Node.js exports the OpenSSL symbols it was built with. Python on Ubuntu 22.04 was compiled with libssl3 and it can't be used in any software compiled with libssl1. There is no magic solution to this problem, but printing a warning or even quitting with a fatal error would avoid wasting many hours debugging very hard to find crashes.
As we are currently right in the middle of the painful switch from OpenSSL 1 to OpenSSL 3, I am sure many will be thankful for this feature.
Previous discussion
This is a two-liner
Linked PRs
The text was updated successfully, but these errors were encountered: