Posted to common-issues@hadoop.apache.org by "Rakesh Radhakrishnan (Jira)" <ji...@apache.org> on 2020/03/23 12:38:00 UTC

[jira] [Comment Edited] (HADOOP-16647) Support OpenSSL 1.1.1 LTS

    [ https://issues.apache.org/jira/browse/HADOOP-16647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17064762#comment-17064762 ] 

Rakesh Radhakrishnan edited comment on HADOOP-16647 at 3/23/20, 12:37 PM:
--------------------------------------------------------------------------

*Reason for the failure:*
After checking the sources of OpenSSL, I could see it's due to a change in the OpenSSL implementation in their latest version. It seems that OpenSSL breaks its API with version 1.1.0+: {{CRYPTO_num_locks}} were in OpenSSL 1.0.2, but in 1.1.0+ they are macros, so they no longer exist in the library.

[Openssl issue reference|https://github.com/openssl/openssl/issues/8726]

The CRYPTO_num_locks function is available in the older 1.0+ version ([reference here|https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/cryptlib.c#L236]), but doesn't exist in the 1.1.0+ version ([reference here|https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/cryptlib.c]).

The following three symbols no longer exist in 1.1.+ and need to be taken care of in Hadoop {{OpensslSecureRandom.c}}:
{code:java}
      undefined reference to `CRYPTO_num_locks'
      undefined reference to `CRYPTO_set_id_callback'
      undefined reference to `CRYPTO_set_locking_callback'
{code}
{code:java}
  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_num_locks, env, openssl, "CRYPTO_num_locks");
  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_set_locking_callback,  \
                      env, openssl, "CRYPTO_set_locking_callback");
  LOAD_DYNAMIC_SYMBOL(dlsym_CRYPTO_set_id_callback, env,  \
                      openssl, "CRYPTO_set_id_callback");
{code}
 



> Support OpenSSL 1.1.1 LTS
> -------------------------
>
>                 Key: HADOOP-16647
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16647
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: security
>            Reporter: Wei-Chiu Chuang
>            Priority: Critical
>
> See Hadoop user mailing list http://mail-archives.apache.org/mod_mbox/hadoop-user/201910.mbox/%3CCADiq6%3DweDFxHTL_7eGwDNnxVCza39y2QYQTSggfLn7mXhMLOdg%40mail.gmail.com%3E
> Hadoop 2 supports OpenSSL 1.0.2.
> Hadoop 3 supports OpenSSL 1.1.0 (HADOOP-14597) and I believe 1.0.2 too.
> Per OpenSSL blog https://www.openssl.org/policies/releasestrat.html
> * 1.1.0 is EOL 2019/09/11
> * 1.0.2 EOL 2019/12/31
> * 1.1.1 is EOL 2023/09/11 (LTS)
> Many Hadoop installations rely on the OpenSSL package provided by Linux distros, but it's not clear to me if Linux distros are going to support 1.1.0/1.0.2 beyond this date.
> We should make sure Hadoop works with OpenSSL 1.1.1, as well as document the openssl version supported. File this jira to test/document/fix bugs.
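
Added example, not part of the original Jira comment and not Hadoop's own code: one way a native loader can treat the three pre-1.1.0 threading symbols as optional, so the same binary installs locking callbacks on OpenSSL 1.0.2 and relies on the library's built-in locking on 1.1.0+. The names {{probe_locking}}, {{fake_dlsym}} and the {{LIB_*}} export tables are hypothetical and constructed for illustration; a real loader would pass {{dlsym}} and a {{dlopen}} handle.

```c
#include <stddef.h>
#include <string.h>

/* Same signature as dlsym(3): real code passes dlsym and a dlopen() handle. */
typedef void *(*resolver_fn)(void *handle, const char *name);

enum lock_mode {
    LOCKS_APP_CALLBACKS, /* 1.0.2-style: all three symbols exported */
    LOCKS_BUILTIN,       /* 1.1.0+: none exported, library locks internally */
    LOCKS_INCONSISTENT   /* only some found: refuse to use the library */
};

struct legacy_locking { void *num_locks, *set_locking_cb, *set_id_cb; };

/* Resolve the three pre-1.1.0 threading symbols as optional, not mandatory. */
enum lock_mode probe_locking(resolver_fn resolve, void *lib,
                             struct legacy_locking *out)
{
    static const char *const names[3] = {
        "CRYPTO_num_locks", "CRYPTO_set_locking_callback",
        "CRYPTO_set_id_callback" };
    void *sym[3];
    int found = 0;
    for (int i = 0; i < 3; i++) {
        sym[i] = resolve(lib, names[i]);
        found += (sym[i] != NULL);
    }
    out->num_locks = out->set_locking_cb = out->set_id_cb = NULL;
    if (found == 0) return LOCKS_BUILTIN;
    if (found != 3) return LOCKS_INCONSISTENT;
    out->num_locks = sym[0];
    out->set_locking_cb = sym[1];
    out->set_id_cb = sym[2];
    return LOCKS_APP_CALLBACKS;
}

/* Constructed export tables standing in for real libcrypto builds. */
const char *LIB_102[] = { "RAND_bytes", "CRYPTO_num_locks",
    "CRYPTO_set_locking_callback", "CRYPTO_set_id_callback", NULL };
const char *LIB_111[] = { "RAND_bytes", NULL };
const char *LIB_PARTIAL[] = { "RAND_bytes", "CRYPTO_num_locks", NULL };

/* Hypothetical dlsym stand-in: the "handle" is one of the tables above. */
void *fake_dlsym(void *handle, const char *name)
{
    static int present; /* any non-NULL address marks "symbol found" */
    for (const char *const *p = handle; *p != NULL; p++)
        if (strcmp(*p, name) == 0) return &present;
    return NULL;
}
```

The partial case is rejected rather than guessed at, since installing only some of the callbacks would leave a 1.0.2-style library without complete thread safety.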


