[GemStone-Smalltalk] GBS8.7.1 + VW 9.3.1 + TLS/SSL external library conflicts on linux?
Norm Green
norm.green at gemtalksystems.com
Fri Jun 7 09:09:24 PDT 2024
Hi David,
This sounds like a symbol visibility problem.
GemStone builds OpenSSL from source and ships it in a shared library in
$GEMSTONE/lib, which we load when the libgcirpc is loaded.
In v3.6.x this was still OpenSSL v1.1.x but in v3.7.x it's OpenSSL v3.0.x .
So probably what is happening is:
1) GS OpenSSL lib (v1.1.x) gets loaded at login
2) VW resolves an OpenSSL symbol and expects v3.0.x but gets 1.1.x
loaded in #1.
3) Things go sideways from there.
Glad you found a simple workaround.
Norm Green
On 6/7/2024 8:53 AM, David Shaffer via GemStone-Smalltalk wrote:
> I’m getting a walkback when making TLS/SSL requests in an image that
> also happens to be interacting with GemStone via RPC. I’ve included a
> Smalltalk code fragment that reliably reproduces the problem in the
> latest Ubuntu docker image but I’m guessing that it has nothing to do
> with docker or ubuntu, in particular.
>
> To reproduce the problem, make sure that your ubuntu install includes
> libcrypto.so <http://libcrypto.so> and libssl.so
> <http://libssl.so> and set up VW as instructed in the VW docs:
>
> export VW_LIBCRYPTO=“/path/to/libcrypto.so <http://libcrypto.so>”
> export LD_LIBRARY_PATH=“/path/to”
>
>
> Note that setting LD_LIBRARY_PATH is required so that the version of
> libcrypto that VW loads will correctly load libssl. In my experience
> this problem is not sensitive to these settings so as long as you have
> HTTPS working in your VW image, you can probably still reproduce this
> problem. Run a fresh VW 9.3.1 image and load the following parcels
> (the error does not seem sensitive to which parcels are loaded but for
> reproducibility’s sake best to load them as listed):
>
> GbsRuntime
> TLS-Plugin
> HTTPS
> GemBuilderPatches — attached, includes a fix for missing
> #connectorsList method
> External-Cryptography
>
> Start up a fresh GemStone database (version doesn’t seem to matter,
> I’m using 3.6.5 in production so I mostly tested there). Run the
> following adjusting host names, ports and library names as needed.
>
> |p|
> Transcript
> show: (Crypto.LibCryptoEVPInterface versionString ifNil:
> ['nil']);
> cr;
> show: (Crypto.LibCryptoEVPInterface openSSLDir ifNil:
> ['nil']);
> cr.
> TLSPlugin.TLSLinuxCertificate trustedCACerts:
> '/etc/ssl/certs/ca-certificates.crt’. “Needed for HTTPS to google"
> (GbsConfiguration default)
> alwaysUseGemCursor: false;
> confirm: false;
> generateClassConnectors: false;
> libraryName: './libgcirpc-3.6.5-64.so';
> removeInvalidConnectors: true;
> verbose: false;
> apply.
> p := GbsSessionParameters
> newWithGemStoneName: ‘!@localhost#netldi:40055!gs64stone'
> username: 'SystemUser'
> password: 'swordfish'.
> p gemService: '!@172.17.0.3#netldi:40055!gemnetobject'.
> p login.
> Transcript show: 'https://www.google.com' asURI get
> printString; cr.
> ObjectMemory quit.
>
>
> You should get an error during closing of the HTTPS socket connected
> to google. This problem is not particular to who you are making the
> HTTPS connection to so I just used google for simplicity. In my
> experimentation, making EITHER of the following changes fixes the problem:
>
> 1) copy the statement that causes HTTPS get request so that it occurs
> before the #login. After that, all HTTPS requests will work fine.
>
> 2) Remove the initial two references and message sends to
> Crypto.LibCryptoEVPInterface.
>
>
> This problem does not seem to occur in VW 9.1.1 and Cincom updated VW
> to use openssl3 somewhere between 9.1.1 and 9.3.1 so my /guess/ is
> that there is now an issue in resolution of external function calls to
> the libssl loaded by VW and the one loaded by GBS.
>
> If anyone else is experiencing these problems the workaround is
> simple: make a successful SSL request (to anywhere) before logging
> into a GemStone DB.
>
> Best,
>
> David
>
>
>
>
> _______________________________________________
> GemStone-Smalltalk mailing list
> GemStone-Smalltalk at lists.gemtalksystems.com
> https://lists.gemtalksystems.com/mailman/listinfo/gemstone-smalltalk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.gemtalksystems.com/mailman/archives/gemstone-smalltalk/attachments/20240607/6af02146/attachment.htm>
More information about the GemStone-Smalltalk
mailing list