aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0
3.03k stars 567 forks

Error: ERR_OSSL_EVP_UNSUPPORTED when sending a message to SQS in Node.js 18 Lambda with custom OpenSSL layer #6268

Open SantosC95 opened 1 month ago

SantosC95 commented 1 month ago

Describe the bug

Summary

I am encountering an ERR_OSSL_EVP_UNSUPPORTED error when sending a message to SQS in a Node.js 18 Lambda function. Despite the error, the message is still successfully pushed into the queue. The Lambda function is running in a FIPS-compliant GovCloud environment and has a custom OpenSSL layer (3.0.8).

Error Details

error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at createHash (node:crypto:133:10)
    at Hash.reset (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/hash-node/dist-cjs/index.js:23:39)
    at new Hash (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/hash-node/dist-cjs/index.js:12:14)
    at /var/runtime/node_modules/@aws-sdk/middleware-sdk-sqs/dist-cjs/send-message.js:9:18
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26)
    at async InitQueue.sendMessage (/var/task/lib/services/commons/qrveyQueue.js:72:25)
    at async InitQueue.sendMessage (/var/task/lib/services/Init/initQueue.js:27:16)
    at async Init.runSynchronousInitJob (/var/task/lib/services/Init/index.js:708:9) {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

We believe the line of code where the error occurs is here.

Environment Details

SDK version number

@aws-sdk/middleware-sdk

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node.js 18.x

Reproduction Steps

  1. Create a Lambda function using Node.js 18.x runtime.
  2. Configure the Lambda function to run in a FIPS-compliant GovCloud environment.
  3. Attach a custom OpenSSL layer (version 3.0.8) to the Lambda function.
  4. Attempt to send a message to an SQS queue.

Expected Behavior

No error should be thrown when sending a message to SQS.

Possible Solution

No response

Additional Information/Context

Please let me know if any additional information is needed.

aBurmeseDev commented 1 month ago

Hi @SantosC95 - thanks for reaching out and apology for the wait.

Can you please provide a minimal reproducible code without any sensitive information? I couldn't find any similar reports to this and wasn't able to reproduce it on my end. Any additional details that you can provide would be helpful for us.

Here are issues I think are related:

SantosC95 commented 1 month ago

Hi @aBurmeseDev

Sorry for the late response,

Here you have a code snippet we already shared with the AWS tech support team:

const { SQSClient, SendMessageCommand } = require('@aws-sdk/client-sqs');

const sqsClient = new SQSClient({ region: 'us-east-1' });

exports.handler = async (event) => {
    const params = {
        QueueUrl: '<<A-valid-SQS-url>>',
        MessageBody: JSON.stringify({
            message: 'Hello from Lambda!',
        }),
    };
    try {
        const data = await sqsClient.send(new SendMessageCommand(params));
        console.log('Message sent successfully:', data.MessageId);
        return {
            statusCode: 200,
            body: JSON.stringify({ messageId: data.MessageId }),
        };
    } catch (error) {
        console.error('Error sending message:', error);
        return {
            statusCode: 500,
            body: JSON.stringify({ error }),
        };
    }
};

Environment variables:

OPENSSL_CONF=/opt/ssl/openssl_fips.cnf
OPENSSL_MODULES=/opt/openssl/lib64/ossl-modules
LD_LIBRARY_PATH=/opt/openssl/lib64:$LD_LIBRARY_PATH

Please, use the attached .zip as a lambda layer. qrvey_fips_layer.zip

Thanks for your help.

Sepehr-Qrvey commented 1 month ago

Hi @aBurmeseDev,

We found the issue was due to the md5 checksum that the SQS SDK uses, since md5 is not a FIPS-supported algorithm.

Related issues:

  - Aws::SQS::Client in GovCloud fails for use of MD5 -> disabled for fips #74
  - MD5 checksum crash in AWS SQS receive messages #4717

Seems like an md5: false option was added to the v3 SQS SDK in April, but we feel that the checksum should support - or even use by default - a non-md5 algorithm as well, since this option only disables the checksum altogether.

In addition, for readers in the near future, the md5: false option is not available yet in the GovCloud Lambda environment because the default version of the SDK that is present in the node.js 18.x GovCloud Lambda runtime is older than April. You will need to include a newer version of the SDK in a layer to be able to use this option.

aBurmeseDev commented 3 weeks ago

@Sepehr-Qrvey - thanks for sharing!

Seems like an md5: false option was added to the v3 SQS SDK in April, but we feel that the checksum should support - or even use by default - a non-md5 algorithm as well, since this option only disables the checksum altogether.

This is correct, and it is documented in our UPGRADING.md.

To skip computation of MD5 checksums of message bodies, set md5=false on the configuration object. Otherwise, by default the SDK will calculate the checksum for sending messages, as well as validating the checksum for retrieved messages.


// Example: skip md5 checksum in SQS.
import { SQS } from "@aws-sdk/client-sqs";

new SQS({
  md5: false, // Note: only available in v3.547.0 and higher.
});