-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
# Backport This will backport the following commits from `main` to `8.10`: - [[node] Enable openssl legacy provider (#163190)](#163190) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jon","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-08-30T18:51:10Z","message":"[node] Enable openssl legacy provider (#163190)\n\nThis is to prevent a breaking change in a minor release of Kibana due to\r\nan underlying upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by removing\r\n`--openssl-legacy-provider` in `config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by: Thomas Watson <[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","release_note:skip","auto-backport","ci:build-all-platforms","ci:cloud-deploy","v8.10.0","v7.17.13","v8.11.0"],"number":163190,"url":"https://github.com/elastic/kibana/pull/163190","mergeCommit":{"message":"[node] Enable openssl legacy provider (#163190)\n\nThis is to prevent a breaking change in a minor release of Kibana due to\r\nan underlying upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by removing\r\n`--openssl-legacy-provider` in `config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by: Thomas Watson <[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}},"sourceBranch":"main","suggestedTargetBranches":["8.10","7.17"],"targetPullRequestStates":[{"branch":"8.10","label":"v8.10.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"7.17","label":"v7.17.13","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/163190","number":163190,"mergeCommit":{"message":"[node] Enable openssl legacy provider (#163190)\n\nThis is to prevent a breaking change in a minor release of Kibana due to\r\nan underlying upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by removing\r\n`--openssl-legacy-provider` in `config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by: Thomas Watson <[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}}]}] BACKPORT--> --------- Co-authored-by: Jon <[email protected]>
- Loading branch information
1 parent
00554f6
commit a307a0f
Showing
10 changed files
with
132 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
var branch = require('../../../package.json').branch; | ||
var docsBranch = branch.match(/^\d\.\d\d?$/) || 'current'; | ||
var openSSLLegacyProviderEnabled = require('./openssl_legacy_provider_enabled')(); | ||
|
||
if (openSSLLegacyProviderEnabled) { | ||
console.log( | ||
'Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/' + | ||
docsBranch + | ||
'/production.html#openssl-legacy-provider' | ||
); | ||
} |
14 changes: 14 additions & 0 deletions
14
src/setup_node_env/openssl_legacy_provider/openssl_legacy_provider_enabled.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
var crypto = require('crypto'); | ||
|
||
// The blowfish cipher is only available when node is running with the --openssl-legacy-provider flag | ||
module.exports = function () { | ||
return crypto.getCiphers().includes('blowfish'); | ||
}; |
78 changes: 78 additions & 0 deletions
78
src/setup_node_env/openssl_legacy_provider/openssl_legacy_provider_enabled.test.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
var spawnSync = require('child_process').spawnSync; | ||
|
||
describe('openSSLLegacyProviderEnabled', function () { | ||
function runLegacyProviderCheck(execOptions, nodeOptions) { | ||
var result = spawnSync( | ||
process.execPath, | ||
(execOptions ? execOptions.split(' ') : []).concat([ | ||
'-p', | ||
"require('./openssl_legacy_provider_enabled')()", | ||
]), | ||
{ | ||
env: { | ||
NODE_OPTIONS: nodeOptions || '', | ||
}, | ||
encoding: 'utf-8', | ||
cwd: __dirname, | ||
} | ||
); | ||
var stdout = result.stdout.trim(); | ||
return stdout === 'true'; | ||
} | ||
|
||
it('should be disabled by default', function () { | ||
expect(runLegacyProviderCheck()).toBe(false); | ||
}); | ||
|
||
describe('using NODE_OPTIONS', function () { | ||
it('should be enabled when --openssl-legacy-provider is set', function () { | ||
expect(runLegacyProviderCheck(null, '--openssl-legacy-provider')).toBe(true); | ||
}); | ||
|
||
it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () { | ||
expect( | ||
runLegacyProviderCheck(null, '--no-openssl-legacy-provider --openssl-legacy-provider') | ||
).toBe(true); | ||
}); | ||
|
||
it('should be disabled when --no-openssl-legacy-provider is set', function () { | ||
expect(runLegacyProviderCheck(null, '--no-openssl-legacy-provider')).toBe(false); | ||
}); | ||
|
||
it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () { | ||
expect( | ||
runLegacyProviderCheck(null, '--openssl-legacy-provider --no-openssl-legacy-provider') | ||
).toBe(false); | ||
}); | ||
}); | ||
|
||
describe('using exec arguments', function () { | ||
it('should be enabled when --openssl-legacy-provider is set', function () { | ||
expect(runLegacyProviderCheck('--openssl-legacy-provider')).toBe(true); | ||
}); | ||
|
||
it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () { | ||
expect(runLegacyProviderCheck('--no-openssl-legacy-provider --openssl-legacy-provider')).toBe( | ||
true | ||
); | ||
}); | ||
|
||
it('should be disabled when --no-openssl-legacy-provider is set', function () { | ||
expect(runLegacyProviderCheck('--no-openssl-legacy-provider')).toBe(false); | ||
}); | ||
|
||
it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () { | ||
expect(runLegacyProviderCheck('--openssl-legacy-provider --no-openssl-legacy-provider')).toBe( | ||
false | ||
); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ | |
"include": [ | ||
"harden/**/*", | ||
"root/**/*", | ||
"openssl_legacy_provider/**/*", | ||
"*.js", | ||
"*.ts", | ||
], | ||
|