Problem with libcrypto on MacOS 11 (Big Sur)

[zaucker]

WARNING: /Users/zaucker/opt/rakudo-2020.10/bin/rakudo is loading libcrypto in an unsafe way See also https://github.com/jnthn/p6-io-socket-async-ssl/issues/60

[tgt]

I don't know much about this sort of thing, but I've had a little look and it seems that the issue is using dlopen to open an unversioned libcrypto under macOS Big Sur's new dynamic linker cache.

Using dlopen("libssl.dylib", RTLD_NOW | RTLD_GLOBAL) results in <program> is loading libcrypto in an unsafe way, whilst using dlopen("libssl.46.dylib", RTLD_NOW | RTLD_GLOBAL) works as expected. Big Sur no longer includes dylibs in /usr/lib/ so I used otool -L /usr/bin/openssl to see which version to load. I used Hopper to check for the error string in libssl.46.dylib and libssl.42.dylib (the latest version on macOS Catalina) and it only appears in the former.

Hardcoding a version into OpenSSL/NativeLib.pm6 would “solve” this in an extremely fragile way, but Apple doesn't support using the libraries provided with the system and hasn't since 2011.

Symlinking versions of libssl and libcrypto installed using Homebrew into /usr/local/lib fixes the issue, but I don't know what problems that could cause and it creates additional friction for users.

ln -s /usr/local/opt/openssl/lib/libssl.1.1.dylib /usr/local/lib/libssl.dylib
ln -s /usr/local/opt/openssl/lib/libcrypto.1.1.dylib /usr/local/lib/libcrypto.dylib

Is it possible for sergot/OpenSSL to specify a dependency on OpenSSL and then build, install and link with that version somehow?

Is there anything else I should try?

(I found this issue via https://github.com/rakudo/rakudo/issues/4112 and https://github.com/jnthn/p6-io-socket-async-ssl/issues/60)

[zaucker]

Symlinking versions of libssl and libcrypto installed using Homebrew into /usr/local/lib fixes the issue, but I don't know what problems that could cause and creates additional friction for users.

ln -s /usr/local/opt/openssl/lib/libssl.1.1.dylib /usr/local/lib/libssl.dylib
ln -s /usr/local/opt/openssl/lib/libcrypto.1.1.dylib /usr/local/lib/libcrypto.dylib

Thanks, just tried this successfully.

[skaji]

I think this issue has been resolved.

[lizmat]

@skaji https://github.com/lizmat/App-IRC-Log/runs/3894190703?check_suite_focus=true tells me otherwise :-(

[skaji]

brew's openssl is now an alias of openssl@3, while the macos environment of github action has [email protected] only.

So you need to

• install openssl@3 (i.e., brew install openssl), or
• execute zef with OPENSSL_PREFIX=$(brew --prefix --installed [email protected])

[lizmat]

@skaji so how would that translate to .github/workflows/test.yml ? As I don't see a way to do something MacOS specific there, and brew only exists on MacOS (presumably). Case in question: https://github.com/lizmat/App-IRC-Log/blob/main/.github/workflows/test.yml

[skaji]

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8e5a019..2927799 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,8 @@ jobs:
       - uses: Raku/setup-raku@v1
         with:
           raku-version: ${{ matrix.raku-version }}
+      - if: matrix.os == 'macOS-latest'
+        run: brew install openssl
       - name: Install Dependencies
         run: zef -v install --/test --test-depends --deps-only .
       - name: Run Tests

[lizmat]

@skaji Thank you very much, that did the trick! :-)

[sullerandras]

I ran into this issue on Macos 12 (Monterey). There was no /usr/local/lib folder on my computer, and i use asdf to install ruby, so i believe these are the commands that i executed to make it work:

sudo mkdir /usr/local/lib
sudo ln -s /Users/andras/.asdf/installs/ruby/2.7.5/openssl/lib/libssl.1.1.dylib /usr/local/lib/libssl.1.1.dylib
sudo ln -s /Users/andras/.asdf/installs/ruby/2.7.5/openssl/lib/libssl.1.1.dylib /usr/local/lib/libssl.dylib

Not sure what will happen if i need to install other ruby versions, but so far it works fine.

[jubilatious1]

#102