Skip to content

Commit

Permalink
[8.10] [node] Enable openssl legacy provider (#163190) (#165267)
Browse files Browse the repository at this point in the history
# Backport

This will backport the following commits from `main` to `8.10`:
- [[node] Enable openssl legacy provider
(#163190)](#163190)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Jon","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-08-30T18:51:10Z","message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","release_note:skip","auto-backport","ci:build-all-platforms","ci:cloud-deploy","v8.10.0","v7.17.13","v8.11.0"],"number":163190,"url":"https://github.com/elastic/kibana/pull/163190","mergeCommit":{"message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}},"sourceBranch":"main","suggestedTargetBranches":["8.10","7.17"],"targetPullRequestStates":[{"branch":"8.10","label":"v8.10.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"7.17","label":"v7.17.13","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/163190","number":163190,"mergeCommit":{"message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}}]}]
BACKPORT-->

---------

Co-authored-by: Jon <[email protected]>
  • Loading branch information
kibanamachine and jbudz authored Aug 30, 2023
1 parent 00554f6 commit a307a0f
Show file tree
Hide file tree
Showing 10 changed files with 132 additions and 2 deletions.
3 changes: 3 additions & 0 deletions config/node.options
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,6 @@

## restore < Node 16 default DNS lookup behavior
--dns-result-order=ipv4first

## enable OpenSSL 3 legacy provider
--openssl-legacy-provider
9 changes: 9 additions & 0 deletions docs/user/production-considerations/production.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -118,3 +118,12 @@ The option accepts a limit in MB:
--------
--max-old-space-size=2048
--------

[float]
[[openssl-legacy-provider]]
=== OpenSSL Legacy Provider

Starting in 8.10.0, {kib} has upgraded its runtime environment, Node.js, from version 16 to version 18 and with it the underlying version of OpenSSL to version 3.
Algorithms deemed legacy by OpenSSL 3 have been re-enabled to avoid potential breaking changes in a minor version release of {kib}.
If SSL certificates configured for {kib} are not using any of the legacy algorithms mentioned in the https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html[OpenSSL legacy provider documentation],
we recommend disabling this setting by removing `--openssl-legacy-provider` in the `node.options` config file.
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,8 @@ it('builds a generated plugin into a viable archive', async () => {
};

expect(filterLogs(generateProc.all)).toMatchInlineSnapshot(`
" succ 🎉
"Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.10/production.html#openssl-legacy-provider
succ 🎉
Your plugin has been created in plugins/foo_test_plugin
"
Expand All @@ -73,7 +74,8 @@ it('builds a generated plugin into a viable archive', async () => {
);

expect(filterLogs(buildProc.all)).toMatchInlineSnapshot(`
" info deleting the build and target directories
"Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.10/production.html#openssl-legacy-provider
info deleting the build and target directories
info run bazel and build required artifacts for the optimizer
succ bazel run successfully and artifacts were created
info running @kbn/optimizer
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,9 @@ COPY --chown=1000:0 config/serverless.es.yml /usr/share/kibana/config/serverless
COPY --chown=1000:0 config/serverless.oblt.yml /usr/share/kibana/config/serverless.oblt.yml
COPY --chown=1000:0 config/serverless.security.yml /usr/share/kibana/config/serverless.security.yml
{{/serverless}}
{{^opensslLegacyProvider}}
RUN sed 's/\(--openssl-legacy-provider\)/#\1/' -i config/node.options
{{/opensslLegacyProvider}}

# Add the launcher/wrapper script. It knows how to interpret environment
# variables and translate them to Kibana CLI options.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ function generator(options: TemplateContext) {
packageManager: options.baseImage.includes('ubi') ? 'microdnf' : 'apt-get',
ubi: options.baseImage.includes('ubi'),
ubuntu: options.baseImage === 'ubuntu',
opensslLegacyProvider: !(options.cloud || options.serverless),
...options,
});
}
Expand Down
18 changes: 18 additions & 0 deletions src/setup_node_env/openssl_legacy_provider/index.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/
var branch = require('../../../package.json').branch;
var docsBranch = branch.match(/^\d\.\d\d?$/) || 'current';
var openSSLLegacyProviderEnabled = require('./openssl_legacy_provider_enabled')();

if (openSSLLegacyProviderEnabled) {
console.log(
'Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/' +
docsBranch +
'/production.html#openssl-legacy-provider'
);
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

var crypto = require('crypto');

// The blowfish cipher is only available when node is running with the --openssl-legacy-provider flag
module.exports = function () {
return crypto.getCiphers().includes('blowfish');
};
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

var spawnSync = require('child_process').spawnSync;

describe('openSSLLegacyProviderEnabled', function () {
function runLegacyProviderCheck(execOptions, nodeOptions) {
var result = spawnSync(
process.execPath,
(execOptions ? execOptions.split(' ') : []).concat([
'-p',
"require('./openssl_legacy_provider_enabled')()",
]),
{
env: {
NODE_OPTIONS: nodeOptions || '',
},
encoding: 'utf-8',
cwd: __dirname,
}
);
var stdout = result.stdout.trim();
return stdout === 'true';
}

it('should be disabled by default', function () {
expect(runLegacyProviderCheck()).toBe(false);
});

describe('using NODE_OPTIONS', function () {
it('should be enabled when --openssl-legacy-provider is set', function () {
expect(runLegacyProviderCheck(null, '--openssl-legacy-provider')).toBe(true);
});

it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () {
expect(
runLegacyProviderCheck(null, '--no-openssl-legacy-provider --openssl-legacy-provider')
).toBe(true);
});

it('should be disabled when --no-openssl-legacy-provider is set', function () {
expect(runLegacyProviderCheck(null, '--no-openssl-legacy-provider')).toBe(false);
});

it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () {
expect(
runLegacyProviderCheck(null, '--openssl-legacy-provider --no-openssl-legacy-provider')
).toBe(false);
});
});

describe('using exec arguments', function () {
it('should be enabled when --openssl-legacy-provider is set', function () {
expect(runLegacyProviderCheck('--openssl-legacy-provider')).toBe(true);
});

it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () {
expect(runLegacyProviderCheck('--no-openssl-legacy-provider --openssl-legacy-provider')).toBe(
true
);
});

it('should be disabled when --no-openssl-legacy-provider is set', function () {
expect(runLegacyProviderCheck('--no-openssl-legacy-provider')).toBe(false);
});

it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () {
expect(runLegacyProviderCheck('--openssl-legacy-provider --no-openssl-legacy-provider')).toBe(
false
);
});
});
});
1 change: 1 addition & 0 deletions src/setup_node_env/setup_env.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ require('./harden');
require('symbol-observable');
require('source-map-support').install();
require('./node_version_validator');
require('./openssl_legacy_provider');
1 change: 1 addition & 0 deletions src/setup_node_env/tsconfig.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
"include": [
"harden/**/*",
"root/**/*",
"openssl_legacy_provider/**/*",
"*.js",
"*.ts",
],
Expand Down

0 comments on commit a307a0f

Please sign in to comment.