Problem with Openssl #831

Closed
maury77 opened this issue Sep 6, 2020 · 34 comments
Labels
investigate Needs more investigation to see if possible

Comments

@maury77

maury77 commented Sep 6, 2020

What to investigate
Traceback (most recent call last):
File “/mnt/dietpi_userdata/homeassistant/deps/lib/python3.8/site-packages/pyatv/support/init.py”, line 29, in error_handler
return await func(*args, **kwargs)
File “/mnt/dietpi_userdata/homeassistant/deps/lib/python3.8/site-packages/pyatv/mrp/auth.py”, line 32, in start_pairing
self.srp.initialize()
File “/mnt/dietpi_userdata/homeassistant/deps/lib/python3.8/site-packages/pyatv/mrp/srp.py”, line 98, in initialize
self._signing_key = Ed25519PrivateKey.from_private_bytes(os.urandom(32))
File “/home/homeassistant/.pyenv/versions/3.8.0/lib/python3.8/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py”, line 61, in from_private_bytes
raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

my version of openssl is

/usr/bin# openssl version
OpenSSL 1.1.1d 10 Sep 2019

Expected outcome

@maury77 maury77 added the investigate Needs more investigation to see if possible label Sep 6, 2020
@postlund
Owner

postlund commented Sep 7, 2020

I believe the OpenSSL version is good enough but it wasn't compiled with support for ed25519. How to fix that depends on your distribution. I have never done such an upgrade myself, so I can't really help that much. The distribution community is probably your best bet.

@kingtao1024

kingtao1024 commented Sep 21, 2020

I have met the same situation:

Logger: custom_components.apple_tv.config_flow
Source: custom_components/apple_tv/config_flow.py:271
Integration: Apple TV (documentation)
First occurred: 1:08:32 PM (2 occurrences)
Last logged: 1:08:38 PM

Authentication problem
Traceback (most recent call last):
File "/srv/homeassistant/lib/python3.8/site-packages/pyatv/support/init.py", line 29, in error_handler
return await func(*args, **kwargs)
File "/srv/homeassistant/lib/python3.8/site-packages/pyatv/mrp/auth.py", line 32, in start_pairing
self.srp.initialize()
File "/srv/homeassistant/lib/python3.8/site-packages/pyatv/mrp/srp.py", line 98, in initialize
self._signing_key = Ed25519PrivateKey.from_private_bytes(os.urandom(32))
File "/srv/homeassistant/lib/python3.8/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 61, in from_private_bytes
raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/home/homeassistant/.homeassistant/custom_components/apple_tv/config_flow.py", line 271, in async_begin_pairing
await self.pairing.begin()
File "/srv/homeassistant/lib/python3.8/site-packages/pyatv/support/init.py", line 37, in error_handler
raise fallback(str(ex)) from ex
pyatv.exceptions.PairingError: ed25519 is not supported by this version of OpenSSL.

I upgraded my OpenSSL to OpenSSL 1.1.1g 21 Apr 2020, but it doesn't work.

@kingtao1024

kingtao1024 commented Sep 21, 2020

@postlund How do I solve this problem? Can you help me? Please give me some advice! Thank you very much!

@postlund
Owner

@kingtao1024 Your version of OpenSSL is probably new enough but it wasn't compiled with support for ed25519. I have never had to compile OpenSSL to fix this myself. But perhaps if you pass --enable-ed25519? It will probably say something about ED25519 when you configure OpenSSL, if it succeeded or not.

@kingtao1024

I am not sure how to use --enable-ed25519.
I installed ed25519: pip install ed25519
It succeeded, but the problem still exists.

@kingtao1024

[Screenshot 2020-09-21 160403]
[Screenshot 2020-09-21 160438]

@postlund
Owner

The problem isn't the python library, it's the version of OpenSSL shipped with your distribution (or however you run Home Assistant). cryptography, the library I use for crypto just wraps and calls functions in OpenSSL directly for performance reasons (instead of implementing it in python, which is really slow). So you need to re-compile or get a version of OpenSSL that supports ed25519 as MRP requires it. I will have to refer you to the community of your distribution for that, I'm not of much help in the matter I'm afraid.

@kingtao1024

OK, which version of OpenSSL do you recommend? I will try again.

@postlund
Owner

You should probably take the latest stable one. That's what I would have chosen.

@kingtao1024

kingtao1024 commented Sep 21, 2020

I have tried 1.1.1d and 1.1.1g, and Google can't help me either.
I can't do anything about it; I can only give up on it.
Thank you anyway.

@postlund
Owner

I recommend that you run via docker, that version works.

@maury77
Author

maury77 commented Sep 21, 2020

I need to use a normal distribution and not Docker on a Raspberry.

I have tried to upgrade:

  • Operating system -> Buster
  • OpenSSL version -> 1.1.1d
  • Python version -> 3.8.5

any other idea?

@postlund
Owner

Can you paste the output you get when configuring OpenSSL?

@maury77
Author

maury77 commented Sep 21, 2020

What configuration do you need? I have updated the version by updating the operating system, but if necessary I can try to compile it.

I tried to generate a certificate with this encryption:

openssl genpkey -algorithm ed25519 -outform PEM -out test25519.pem
ls -al
total 32
drwxr-xr-x 2 root root 4096 Sep 21 22:23 .
drwxr-xr-x 7 root root 4096 Sep 3 19:07 ..
-rw-r--r-- 1 root root 57 Dec 31 2018 openhab2.list
-rw------- 1 root root 265 Sep 21 22:22 privkey.pem
-rw-r--r-- 1 root root 59 Sep 3 18:57 raspi.list
-rw-r--r-- 1 root root 53 Dec 31 2018 raspotify.list
-rw------- 1 root root 119 Sep 21 22:23 test25519.pem
-rw-r--r-- 1 root root 54 Sep 21 10:49 testing.list

It doesn't seem like one that doesn't support this

@postlund
Owner

The version provided by the OS doesn't seem to support ED25519, so I guess you need to roll your own. I'm not sure which build system they use, but I think it's autoconf. So what's interesting is what ./configure produces, as that will tell you if ED25519 is compiled or not (and why it isn't, in case it's not).

@maury77
Author

maury77 commented Sep 21, 2020

this is a script for the install

#!/bin/bash -eu
# Build OpenSSL from the upstream source tarball and install it.
# Note: the tarball is downloaded without checking its signature or hash,
# and "make install" defaults to /usr/local, so the result sits next to
# (and may or may not be picked up instead of) the distro's libssl.

OPENSSL_VER=1.1.1g

mkdir openssl
cd openssl
wget https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz
tar xf openssl-${OPENSSL_VER}.tar.gz
cd openssl-${OPENSSL_VER}
./config zlib shared no-ssl3   # shared libs, zlib compression, SSLv3 disabled
make -j4
sudo make install              # installs under /usr/local by default

try ?

@postlund
Owner

Sure, might work. But look at the output from ./config ... and make sure that it doesn't say that ED25519 is excluded.

@maury77
Author

maury77 commented Sep 22, 2020

./config zlib shared no-ssl3
Operating system: armv7l-whatever-linux2
Configuring OpenSSL version 1.1.1g (0x1010107fL) for linux-armv4
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

Command line (with current working directory = .):

/usr/bin/perl ./Configure linux-armv4 zlib shared no-ssl3

Perl information:

/usr/bin/perl
5.28.1 for arm-linux-gnueabihf-thread-multi-64int

Enabled features:

afalgeng
aria
asm
async
autoalginit
autoerrinit
autoload-config
bf
blake2
buildtest-c\+\+
camellia
capieng
cast
chacha
cmac
cms
comp
ct
deprecated
des
dgram
dh
dsa
dso
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
engine
err
filenames
gost
hw(-.+)?
idea
makedepend
md4
mdc2
multiblock
nextprotoneg
pinshared
ocb
ocsp
pic
poly1305
posix-io
psk
rc2
rc4
rdrand
rfc3779
rmd160
scrypt
seed
shared
siphash
sm2
sm3
sm4
sock
srp
srtp
sse2
ssl
static-engine
stdio
tests
threads
tls
ts
ui-console
whirlpool
zlib
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method

Disabled features:

asan                    [default] OPENSSL_NO_ASAN
crypto-mdebug           [default] OPENSSL_NO_CRYPTO_MDEBUG
crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
devcryptoeng            [default] OPENSSL_NO_DEVCRYPTOENG
ec_nistp_64_gcc_128     [default] OPENSSL_NO_EC_NISTP_64_GCC_128
egd                     [default] OPENSSL_NO_EGD
external-tests          [default] OPENSSL_NO_EXTERNAL_TESTS
fuzz-libfuzzer          [default] OPENSSL_NO_FUZZ_LIBFUZZER
fuzz-afl                [default] OPENSSL_NO_FUZZ_AFL
heartbeats              [default] OPENSSL_NO_HEARTBEATS
md2                     [default] OPENSSL_NO_MD2 (skip crypto/md2)
msan                    [default] OPENSSL_NO_MSAN
rc5                     [default] OPENSSL_NO_RC5 (skip crypto/rc5)
sctp                    [default] OPENSSL_NO_SCTP
ssl-trace               [default] OPENSSL_NO_SSL_TRACE
ubsan                   [default] OPENSSL_NO_UBSAN
unit-test               [default] OPENSSL_NO_UNIT_TEST
weak-ssl-ciphers        [default] OPENSSL_NO_WEAK_SSL_CIPHERS
zlib-dynamic            [default] 
ssl3                    [option]  OPENSSL_NO_SSL3
ssl3-method             [default] OPENSSL_NO_SSL3_METHOD

Config target attributes:

AR => "ar",
ARFLAGS => "r",
CC => "gcc",
CFLAGS => "-Wall -O3",
CXX => "g++",
CXXFLAGS => "-Wall -O3",
HASHBANGPERL => "/usr/bin/env perl",
RANLIB => "ranlib",
RC => "windres",
aes_asm_src => "aes_cbc.c aes-armv4.S bsaes-armv7.S aesv8-armx.S",
aes_obj => "aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o",
apps_aux_src => "",
apps_init_src => "",
apps_obj => "",
bf_asm_src => "bf_enc.c",
bf_obj => "bf_enc.o",
bn_asm_src => "bn_asm.c armv4-mont.S armv4-gf2m.S",
bn_obj => "bn_asm.o armv4-mont.o armv4-gf2m.o",
bn_ops => "BN_LLONG RC4_CHAR",
build_file => "Makefile",
build_scheme => [ "unified", "unix" ],
cast_asm_src => "c_enc.c",
cast_obj => "c_enc.o",
cflags => "-pthread",
chacha_asm_src => "chacha-armv4.S",
chacha_obj => "chacha-armv4.o",
cmll_asm_src => "camellia.c cmll_misc.c cmll_cbc.c",
cmll_obj => "camellia.o cmll_misc.o cmll_cbc.o",
cppflags => "",
cpuid_asm_src => "armcap.c armv4cpuid.S",
cpuid_obj => "armcap.o armv4cpuid.o",
cxxflags => "-std=c++11 -pthread",
defines => [ "ZLIB" ],
des_asm_src => "des_enc.c fcrypt_b.c",
des_obj => "des_enc.o fcrypt_b.o",
disable => [  ],
dso_extension => ".so",
dso_scheme => "dlfcn",
ec_asm_src => "ecp_nistz256.c ecp_nistz256-armv4.S",
ec_obj => "ecp_nistz256.o ecp_nistz256-armv4.o",
enable => [ "afalgeng" ],
ex_libs => "-lz -ldl -pthread",
exe_extension => "",
includes => [  ],
keccak1600_asm_src => "keccak1600-armv4.S",
keccak1600_obj => "keccak1600-armv4.o",
lflags => "",
lib_cflags => "",
lib_cppflags => "-DOPENSSL_USE_NODELETE",
lib_defines => [  ],
md5_asm_src => "",
md5_obj => "",
modes_asm_src => "ghash-armv4.S ghashv8-armx.S",
modes_obj => "ghash-armv4.o ghashv8-armx.o",
module_cflags => "-fPIC",
module_cxxflags => "",
module_ldflags => "-Wl,-znodelete -shared -Wl,-Bsymbolic",
padlock_asm_src => "",
padlock_obj => "",
perlasm_scheme => "linux32",
poly1305_asm_src => "poly1305-armv4.S",
poly1305_obj => "poly1305-armv4.o",
rc4_asm_src => "rc4_enc.c rc4_skey.c",
rc4_obj => "rc4_enc.o rc4_skey.o",
rc5_asm_src => "rc5_enc.c",
rc5_obj => "rc5_enc.o",
rmd160_asm_src => "",
rmd160_obj => "",
sha1_asm_src => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S",
sha1_obj => "sha1-armv4-large.o sha256-armv4.o sha512-armv4.o",
shared_cflag => "-fPIC",
shared_defflag => "-Wl,--version-script=",
shared_defines => [  ],
shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
shared_extension_simple => ".so",
shared_ldflag => "-Wl,-znodelete -shared -Wl,-Bsymbolic",
shared_rcflag => "",
shared_sonameflag => "-Wl,-soname=",
shared_target => "linux-shared",
thread_defines => [  ],
thread_scheme => "pthreads",
unistd => "<unistd.h>",
uplink_aux_src => "",
uplink_obj => "",
wp_asm_src => "wp_block.c",
wp_obj => "wp_block.o",

Recorded environment:

AR = 
ARFLAGS = 
AS = 
ASFLAGS = 
BUILDFILE = 
CC = 
CFLAGS = 
CPP = 
CPPDEFINES = 
CPPFLAGS = 
CPPINCLUDES = 
CROSS_COMPILE = 
CXX = 
CXXFLAGS = 
HASHBANGPERL = 
LD = 
LDFLAGS = 
LDLIBS = 
MT = 
MTFLAGS = 
OPENSSL_LOCAL_CONFIG_DIR = 
PERL = 
RANLIB = 
RC = 
RCFLAGS = 
RM = 
WINDRES = 
__CNF_CFLAGS =  -march=armv7-a
__CNF_CPPDEFINES = 
__CNF_CPPFLAGS = 
__CNF_CPPINCLUDES = 
__CNF_CXXFLAGS =  -march=armv7-a
__CNF_LDFLAGS = 
__CNF_LDLIBS = 

Makevars:

AR              = ar
ARFLAGS         = r
CC              = gcc
CFLAGS          = -Wall -O3
CPPDEFINES      = 
CPPFLAGS        = 
CPPINCLUDES     = 
CXX             = g++
CXXFLAGS        = -Wall -O3
HASHBANGPERL    = /usr/bin/env perl
LDFLAGS         = 
LDLIBS          = 
PERL            = /usr/bin/perl
RANLIB          = ranlib
RC              = windres
RCFLAGS         = 

NOTE: These variables only represent the configuration view. The build file
template may have processed these variables further, please have a look at the
build file for more exact data:
Makefile

build file:

Makefile

build file templates:

Configurations/common0.tmpl
Configurations/unix-Makefile.tmpl
Configurations/common.tmpl

@kingtao1024

I install homeassistant by HASSOS, and ATV integration going to work in Hassio.

@maury77
Author

maury77 commented Sep 22, 2020

I install homeassistant by HASSOS, and ATV integration going to work in Hassio.

I would like to use my current installation. Any other idea?

@maury77 maury77 closed this as completed Sep 22, 2020
@maury77 maury77 reopened this Sep 22, 2020
@maury77
Author

maury77 commented Sep 22, 2020

Sorry, I closed it by mistake.

@postlund
Owner

I tried to find any descriptions regarding what needs to be done to "enable" it in OpenSSL, but couldn't find anything useful. I guess you can try to build your own and see what happens. I have never worked with OpenSSL so I'm kinda out of ideas. Maybe you can write a support issue if you can't get it to work when compiling yourself?

@MichaIng

MichaIng commented Sep 22, 2020

Please see the OP post, which shows that this OpenSSL does support Ed25519 very well: #831 (comment)
No error message during execution, and the file size is exactly what it should be. I did it myself and got a working Ed25519 key:

root@micha:/tmp# openssl genpkey -algorithm ed25519 -outform PEM -out test25519.pem
root@micha:/tmp# l
-rw------- 1 root root  119 Sep 22 22:33 test25519.pem
root@micha:/tmp# cat test25519.pem
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIBeDq82u5p0gqTV6SaY42v4HZlF7PatwJpBGIEZqVAuS
-----END PRIVATE KEY-----

Otherwise you'd get an error:

2020-09-22 22:44:00 root@micha:/tmp# openssl genpkey -algorithm unsupported -outform PEM -out test25519.pem
Algorithm unsupported not found

So I am pretty sure it has nothing to do with the OS-level OpenSSL but with the Python environment, probably the cryptography module.

@postlund
Owner

Ok, that wasn't very obvious to me. My best guess is that multiple installations of OpenSSL exist, one of them supports ED25519 but the wrong one is loaded with the python interpreter? Or at least cryptography finds the wrong one, but that should be because of the same reason.

@MichaIng

MichaIng commented Sep 22, 2020

It is the default Debian Buster openssl package btw: https://packages.debian.org/buster/openssl

My best guess is multiple installations of OpenSSL exists

Not sure how Python or cryptography access those exactly, I guess not the executable directly but via libssl? https://packages.debian.org/buster/libssl1.1

@maury77
Could you check the following:

which -a openssl
dpkg -l | grep ssl # This will show more than we want but assures we wont miss a package ;)

While investigating the issue over in our repo, I found e.g.:

.pyenv/versions/3.8.0/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/

I'm not sure if this means that cryptography has the backends (openssl) builtin somehow or those are only the wrapper/handler scripts?

I then identified the exact function which is responsible for the "not supported" error message and it basically checks the OpenSSL version only against 1.1.1b: MichaIng/DietPi#3764 (comment)
I then tried to call this function manually and added logging and it always returned "false" meaning the OpenSSL version is not lower than 1.1.1b and it would hence not cause that error.
But since I am no expert in Python I am not sure if I missed something. Would be great if someone had an Apple TV to try replication. Since it's a pyenv environment it "should" be completely portable (between Linux distros) and behave exactly the same.


@maury77
Another try: does updating cryptography to the latest version perhaps solve the issue?

systemctl stop home-assistant
sudo -u homeassistant bash
. /home/homeassistant/pyenv-activate.sh
pip3 install -U cryptography
exit
systemctl start home-assistant

I'm just trying this myself to see if HA even starts then or attempts to satisfy its hardcoded dependency automatically 😉.
EDIT: Works fine. A big warning that is named "ERROR" about the changing pip dependency resolution from October on, but the upgrade works fine and HA starts up fine. At least worth giving it a shot.
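
The two explanations above (postlund's point that cryptography calls into OpenSSL rather than implementing Ed25519 in Python, and MichaIng's finding that the "not supported" error is gated on the OpenSSL version cryptography sees, not the one `openssl version` prints) suggest a concrete check before rebuilding anything. The script below is an added example for this thread, not code from pyatv, cryptography or Home Assistant. It assumes the 1.1.1b threshold reported in the thread, uses the same `Ed25519PrivateKey.from_private_bytes(os.urandom(32))` call that fails in the traceback as the real probe, and reads `/proc/self/maps` (Linux only) to show which libssl/libcrypto files are actually mapped into the interpreter, so a wheel-bundled OpenSSL can be told apart from the distro's `libssl1.1`.

```python
"""Diagnose which OpenSSL the Python stack actually uses and whether it is new
enough for Ed25519.

Added example for this thread; not code from pyatv, cryptography or Home
Assistant. The 1.1.1b threshold is the one reported in the thread for
cryptography's Ed25519 gate (an assumption here), and the /proc/self/maps
scan is Linux-only.
"""
import os
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Assumed threshold (from the thread): cryptography enables Ed25519 only for
# OpenSSL >= 1.1.1b. Versions are encoded as (major, minor, fix, patch_letter)
# with 'a' = 1, so 1.1.1b is (1, 1, 1, 2) and 3.0.2 (no letter) is (3, 0, 2, 0).
MIN_ED25519_VERSION: Tuple[int, int, int, int] = (1, 1, 1, 2)

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'OpenSSL 1.1.1d  10 Sep 2019' style banners.

    Returns None for LibreSSL/BoringSSL banners or anything unparseable;
    callers treat that as 'unknown, assume unsupported'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def ed25519_supported_by(version_text: str) -> bool:
    """Apply the assumed '>= 1.1.1b' gate to a version banner."""
    version = parse_openssl_version(version_text)
    return version is not None and version >= MIN_ED25519_VERSION


def loaded_crypto_libraries() -> List[str]:
    """Linux only: distinct libssl/libcrypto objects mapped into this process.

    Call it after importing cryptography. Two different paths here (say one
    under /usr/lib and one inside site-packages/cryptography) means the
    interpreter's ssl module and cryptography are not using the same OpenSSL
    build, which is exactly the 'openssl works but Python says unsupported'
    situation. Returns an empty list where /proc is unavailable.
    """
    paths = set()
    try:
        with open("/proc/self/maps") as maps:
            for line in maps:
                fields = line.split()
                if len(fields) >= 6 and ("libcrypto" in fields[5] or "libssl" in fields[5]):
                    paths.add(fields[5])
    except OSError:
        pass
    return sorted(paths)


def report() -> Dict[str, object]:
    """Compare the OpenSSL seen by the stdlib ssl module with the one cryptography uses.

    The probe is the same call pyatv's srp.py makes, so it reproduces the exact
    failure from the traceback instead of guessing from version numbers.
    """
    out: Dict[str, object] = {
        "stdlib_ssl": ssl.OPENSSL_VERSION,
        "stdlib_ssl_ed25519_by_version": ed25519_supported_by(ssl.OPENSSL_VERSION),
        "cryptography": None,          # version banner of cryptography's backend
        "cryptography_ed25519": None,  # result of the real Ed25519 probe
    }
    try:
        from cryptography.exceptions import UnsupportedAlgorithm
        from cryptography.hazmat.backends.openssl import backend
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    except ImportError:
        return out  # cryptography is not installed in this interpreter
    out["cryptography"] = backend.openssl_version_text()
    try:
        Ed25519PrivateKey.from_private_bytes(os.urandom(32))
        out["cryptography_ed25519"] = True
    except UnsupportedAlgorithm:
        out["cryptography_ed25519"] = False
    out["loaded_libraries"] = loaded_crypto_libraries()
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it with the Home Assistant user's interpreter (the venv or pyenv the traceback paths point at, not `/usr/bin/python3`) and compare `cryptography` and `loaded_libraries` with what `openssl version` and `which -a openssl` print on the host. If `stdlib_ssl` reports 1.1.1d while `cryptography` reports something older, or the mapped paths include a copy under `site-packages`, the fix is on the Python side (upgrade or reinstall `cryptography`), not a rebuilt OpenSSL.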

@maury77
Author

maury77 commented Sep 23, 2020

GREAT!!! The problem was solved.

@maury77 maury77 closed this as completed Sep 23, 2020
@MichaIng

MichaIng commented Sep 23, 2020

That is great, and I am a bit puzzled why not more users ran into this, since the cryptography version is hardcoded in HA.

I'll open a PR to raise the version, at least a quick walk through the web UI doesn't show any issues.

@MichaIng

PR opened to request the update: home-assistant/core#40479

@kingtao1024

great!

@nick2525

My HA also says "ed25519 is not supported by this version of OpenSSL".

@nick2525

Doesn't work on OpenSSL 1.1.1f, cryptography-3.3.1, Python 3.9.

@nick2525

Also, a manual install didn't work for me: openssl/openssl#11227

@nick2525

Removing the Python cache ./.cache/pip/wheels/ and reinstalling cryptography fixes it.

@fuzunspm

I have the same issue; clearing the cache and reinstalling won't help. I'm getting the "ed25519 is not supported by this version of OpenSSL" error message in the pairing process.

6 participants