easybuilders / easybuild-easyblocks

Collection of easyblocks that implement support for building and installing software with EasyBuild.
https://easybuild.io
GNU General Public License v2.0

OpenSSL version check fails on Debian-based distros for OpenSSL 3 #3337

Closed bedroge closed 5 months ago

bedroge commented 5 months ago

Even though my host system had OpenSSL 3 installed, EB was still trying to build it from source instead of wrapping the system libraries. It turns out that it does find the two required libraries, but it fails to determine the version of one of them:

== 2024-05-23 12:51:35,977 openssl_wrapper.py:97 DEBUG Requiring minimum OpenSSL version: 3.0.0
== 2024-05-23 12:51:35,986 openssl_wrapper.py:137 INFO Matrix of version library names: [['libssl.so.3', 'libcrypto.so.3']]
== 2024-05-23 12:51:35,987 openssl_wrapper.py:145 INFO Target OpenSSL libraries: ['libssl.so.3', 'libcrypto.so.3']
== 2024-05-23 12:51:36,004 systemtools.py:1123 INFO Found absolute path to libssl.so.3: /usr/lib/riscv64-linux-gnu/libssl.so.3
== 2024-05-23 12:51:36,017 openssl_wrapper.py:195 DEBUG Could not detect the full version of system OpenSSL library: /usr/lib/riscv64-linux-gnu/libssl.so.3
== 2024-05-23 12:51:36,018 openssl_wrapper.py:203 DEBUG System OpenSSL library '/usr/lib/riscv64-linux-gnu/libssl.so.3' with version 0 is older than requested version 3.0.0
== 2024-05-23 12:51:36,033 systemtools.py:1123 INFO Found absolute path to libcrypto.so.3: /usr/lib/riscv64-linux-gnu/libcrypto.so.3
== 2024-05-23 12:51:36,113 openssl_wrapper.py:199 DEBUG System OpenSSL library '/usr/lib/riscv64-linux-gnu/libcrypto.so.3' with version 3.0.7 fulfills requested version 3.0.0
== 2024-05-23 12:51:36,114 openssl_wrapper.py:222 INFO OpenSSL library not found in host system, falling back to OpenSSL in EasyBuild

The filenames don't provide the version here (libssl-dev is installed), so EB will try to find the version by reading the file itself and looking for some string (https://github.com/easybuilders/easybuild-easyblocks/blob/develop/easybuild/easyblocks/o/openssl_wrapper.py#L104). This works for libcrypto.so.3, but apparently it doesn't for libssl.so.3 anymore in OpenSSL 3:

root@533ab7ae6861:/# grep PRETTY_NAME /etc/os-release 
PRETTY_NAME="Ubuntu 24.04 LTS"
root@533ab7ae6861:/# strings /usr/lib/x86_64-linux-gnu/libcrypto.so.3 | grep "OpenSSL 3"
OpenSSL 3.0.13 30 Jan 2024
root@533ab7ae6861:/# strings /usr/lib/x86_64-linux-gnu/libssl.so.3 | grep "OpenSSL 3"
root@533ab7ae6861:/# 

bedroge commented 5 months ago

It does have the following:

$ strings libssl.so.3 | grep "OPENSSL_3"
OPENSSL_3.0.0
OPENSSL_3.0.3

But this doesn't fully match the installed version (which is 3.0.2).

boegel commented 5 months ago

@lexming or @SebastianAchilles, can you take a look at this?

SebastianAchilles commented 5 months ago

Would a solution be to modify the Regex? E.g.

-        openssl_version_regex = re.compile(r'OpenSSL\s+([0-9]+\.[0-9]+(\.[0-9]+[a-z]?)*)', re.M)
+        openssl_version_regex = re.compile(r'(?i)OpenSSL[\s_]+([0-9]+\.[0-9]+(\.[0-9]+[a-z]?)*)', re.M)
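
Review bot: On the + line, `(?i)` combined with `[\s_]+` makes the pattern match symbol-version tags such as OPENSSL_3.0.0, which the earlier comment shows do not correspond to the installed release, so the first hit can under-report the library version. Consider keeping the original release-string pattern as the primary match and using the underscore form only as a fallback whose result is treated as a lower bound, not something to compare for equality with the header version. The inline `(?i)` next to an explicit `re.M` argument is also inconsistent; passing `re.I | re.M` would keep all flags in one place.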

SebastianAchilles commented 5 months ago

Yes, the Regex works, but then I get on Ubuntu 23.10:

System OpenSSL header version '3.0.10' doesn not match library version '3.0.0'

And on Ubuntu 24.04:

System OpenSSL header version '3.0.13' doesn not match library version '3.0.0'

So, we also would have to modify this check in https://github.com/easybuilders/easybuild-easyblocks/blob/develop/easybuild/easyblocks/o/openssl_wrapper.py#L262:

if header_version == self.system_ssl['version']:

Would it make sense to only compare the major version?

SebastianAchilles commented 5 months ago

I made a proposal to improve the OpenSSL version check for OpenSSL 3 in https://github.com/easybuilders/easybuild-easyblocks/pull/3340

lexming commented 5 months ago

Those on Debian-based systems with OpenSSL 3, can you check the following?

  1. in opensslv.h: what is the value of OPENSSL_VERSION_TEXT, OPENSSL_VERSION_STR and OPENSSL_FULL_VERSION_STR, do they match?
  2. in libssl.so.3: what is the output of strings libssl.so.3 | grep -i "OPENSSL"?

lexming commented 5 months ago

Instead of checking that the major version of the headers is >= 3, we should compare it with the minimum required version of OpenSSL set in the easyconfig. Then we don't need specific code per OpenSSL version while allowing mismatched version between library and header files.
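
An added example (not code from the easyblock or from any participant in this thread) that reproduces the behaviour discussed above: the two regexes quoted in the thread are run over constructed string samples, and the header and library versions are each compared against the minimum required version instead of against each other. The sample strings, their ordering and the function names are assumptions made for illustration.

```python
import re

# The two patterns quoted in the thread: the original and the proposed relaxed one.
ORIGINAL_RE = re.compile(r'OpenSSL\s+([0-9]+\.[0-9]+(\.[0-9]+[a-z]?)*)', re.M)
PROPOSED_RE = re.compile(r'(?i)OpenSSL[\s_]+([0-9]+\.[0-9]+(\.[0-9]+[a-z]?)*)', re.M)

# Constructed stand-ins for the printable strings of each library (not real file dumps).
LIBCRYPTO_STRINGS = "OPENSSL_3.0.0\nOPENSSL_3.0.3\nOpenSSL 3.0.13 30 Jan 2024\n"
LIBSSL_STRINGS = "OPENSSL_3.0.0\nOPENSSL_3.0.3\nSSL_CTX_new\n"


def detect_version(text, regex):
    """Return the first version string the regex finds, or None."""
    match = regex.search(text)
    return match.group(1) if match else None


def version_key(version):
    """Map '3.0.13' or '1.1.1k' to a comparable key such as ((3, 0, 13), '')."""
    match = re.fullmatch(r'([0-9]+(?:\.[0-9]+)*)([a-z]?)', version)
    if match is None:
        raise ValueError("unparseable OpenSSL version: %r" % version)
    numbers = tuple(int(part) for part in match.group(1).split('.'))
    numbers += (0,) * (3 - len(numbers))  # pad '3.0' to (3, 0, 0)
    return numbers, match.group(2)


def meets_minimum(version, minimum):
    """True when a version was detected and is at least the required minimum."""
    return version is not None and version_key(version) >= version_key(minimum)


def header_and_library_ok(header_version, library_version, minimum):
    """Hypothetical check: both sides must reach the minimum, they need not be equal."""
    return meets_minimum(header_version, minimum) and meets_minimum(library_version, minimum)


if __name__ == "__main__":
    for name, text in (("libssl", LIBSSL_STRINGS), ("libcrypto", LIBCRYPTO_STRINGS)):
        print(name, detect_version(text, ORIGINAL_RE), detect_version(text, PROPOSED_RE))
    # Header 3.0.13 vs. library tag 3.0.0: unequal, but both satisfy a 3.0.0 minimum.
    print(header_and_library_ok("3.0.13", "3.0.0", "3.0.0"))
```

With the constructed ordering above, the relaxed pattern reports 3.0.0 for both samples because the symbol-version tag comes first, which is why an equality check against the header version fails while a minimum-version check passes.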