Amazon Linux 2022 release candidate 0 (2022.0.20220728.1) uses OpenSSL 3.0 by default

Question

Amazon Linux 2022 release candidate 0 (2022.0.20220728.1) uses OpenSSL 3.0 by default

Darth-Bobo opened this issue 2 years ago · 7 comments

Darth-Bobo commented 2 years ago

Amazon have changed the base OpenSSL package to v3 and now erlang will not install because of a dependency problem:

e.g.:

nothing provides libcrypto.so.1.1()(64bit) needed by erlang-25.0.3-1.el8.x86_64
nothing provides libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) needed by erlang-25.0.3-1.el8.x86_64
nothing provides libcrypto.so.1.1(OPENSSL_1_1_1)(64bit) needed by erlang-25.0.3-1.el8.x86_64

In theory this could be resolved by downgrading OpenSSL, but that feels like the wrong way to go.

Answer 1 · 2022-08-10T10:13:59.000Z

Erlang 25 may or may not be ready for OpenSSL 3.0, which is very new. Using OpenSSL 1.1 is perfectly fine, the vast majority of software in the world uses 1.1.x.

I don't think we have the capacity on this team to work on Amazon Linux-specific issues and OpenSSL 3.0 at least until RabbitMQ 3.11 ships this fall.

This is open source software, so you are welcome to dive in and report how compatible Erlang's TLS implementation is with 3.0, and add a build artifact for AL 2022. The images used to produce the RPMs are available as part of this repository.

Answer 2 · 2022-08-10T12:48:15.000Z

A quick search in the Erlang/OTP repository returns this discussion:

erlang/otp#4577 (comment)

You will have to compile Erlang 25 from source to use OpenSSL 3.0.

Downgrading to OpenSSL 1.1 is perfectly acceptable as well.

Answer 3 · 2022-08-10T14:00:32.000Z

Assuming that Erlang 25's OpenSSL 3.0 support is robust, we can produce a new package type, al2022 or something, that would build the package on AL 2022. That should be enough. It feels weird to special case a single vendor-specific distribution but given the scale and reach of AWS, we may not have a lot of options.

Answer 4 · 2022-08-10T14:11:08.000Z

I found that I could install openssl1.1 from the Fedora dev repo (https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os) and that has allowed erlang and rabbit to install so I now have a test node up and running.

Meanwhile I've also raised this with the AL 2022 development project since the previews all included OpenSSL 1.1

Answer 5 · 2022-10-10T17:28:06.000Z

I faced the same issue when tried Amazon Linux 2022 and the solution is to get el9 instead of el8.

After that I successfully installed the latest Erlang and RabbitMQ on a top of OpenSLL 3.0

Answer 6 · 2022-10-11T11:59:03.000Z

I will make sure the README does mention this difference.

Now that Erlang 25.1 has made OpenSSL 3 support "officially production ready" we may consider to move to use OpenSSL 3 in CentOS Stream 9 builds.

Answer 7 · 2023-04-09T21:57:14.000Z

This is no longer relevant as of Erlang/OTP 25.3 and #119.