lambci / docker-lambda

Docker images and test runners that replicate the live AWS Lambda environment
MIT License

openssl version doesn't match live aws #189

Closed drzhouq closed 5 years ago

drzhouq commented 5 years ago

The version on AWS Lambda is "OpenSSL 1.0.1k-fips 8 Jan 2015", with the following function:

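import logging
import subprocess
logger = logging.getLogger()
logger.setLevel(logging.DEBUG)  # so the debug line below is emitted
def lambda_handler(event, context=None):
    logger.debug(subprocess.check_output(['openssl', 'version']).decode("utf-8"))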

The version in lambci/lambda:python3.6 is "OpenSSL 1.0.2k-fips 26 Jan 2017" (via command docker run --rm --entrypoint openssl lambci/lambda:python3.6 version)

mhart commented 5 years ago

I get:

OpenSSL 1.0.2k-fips  26 Jan 2017

I think you must still be running on the old system – this would have updated on your code already, but the timeline for the update recently got extended by AWS:

https://aws.amazon.com/blogs/compute/updated-timeframe-for-the-upcoming-aws-lambda-and-aws-lambdaedge-execution-environment-update/

All the images here are running the latest versions.

You can add the layer arn:aws:lambda:::awslayer:AmazonLinux1803 to update to the new version on your Lambdas

drzhouq commented 5 years ago

Thanks @mhart you must have tried the AWS Lambda 3.7. I was reporting lambda 3.6. I tried quite a few regions (us-east-1, us-west-1 and eu-central-1) and all get "OpenSSL 1.0.1k-fips 8 Jan 2015".

mhart commented 5 years ago

Nope, I'm definitely on python3.6

Screen Shot 2019-05-30 at 10 46 04 am

Again, I think you're probably not running your Lambdas with the latest changes.

Please confirm you have the arn:aws:lambda:::awslayer:AmazonLinux1803 layer attached to your live Lambda.

drzhouq commented 5 years ago

You are right. Adding the arn:aws:lambda:::awslayer:AmazonLinux1803 layer fixes this issue. Many thanks for letting me know about the existence of this layer. I would not have been able to find it by myself. I understand this is just a temporary workaround and it uses 1 of the 5 layers quota.

mhart commented 5 years ago

No probs – it was mentioned in the initial upgrade announcement, but you might have missed that:

https://aws.amazon.com/blogs/compute/upcoming-updates-to-the-aws-lambda-execution-environment/

Pechi77 commented 4 years ago

@mhart I added this layer, but my SSL version still shows OpenSSL 1.0.1e-fips 11 Feb 2013 and my script is not working.

And the Lambda Python version is 3.6.

Can you help?

image

mhart commented 4 years ago

@Pechi77 you added which layer?

Pechi77 commented 4 years ago

Hi @mhart, I added arn:aws:lambda:::awslayer:AmazonLinux1803 in my Lambda function's layer section, as you can see in the above image. Am I missing anything?

mhart commented 4 years ago

@Pechi77 Oh, you don't need to do that anymore – all environments got updated by July 29, 2019 as stated in the referenced posts.

How are you determining your SSL version? You should make sure you don't have any other layers that could be adding an older version of SSL (eg, what does the cloudflarescrapingpackages layer have in it?)

Pechi77 commented 4 years ago

Actually, I am using cloudscraper; it works fine locally, but not in Lambda. I see the SSL version in Lambda by doing import ssl; ssl.OPENSSL_VERSION and it prints 1.0.1e-fips 11 Feb 2013

mhart commented 4 years ago

Do you see the same thing if you run the command as shown here?

https://github.com/lambci/docker-lambda/issues/189#issue-449357998

Pechi77 commented 4 years ago

Yes, I get the same output OpenSSL 1.0.2k-fips 26 Jan 2017

mhart commented 4 years ago

Er, that's a different output. That shows that the SSL version installed on Lambda is correct.

I think it's just the Python version that's showing an older version

Pechi77 commented 4 years ago

Any help to make my script work in AWS Lambda?

serivas commented 3 years ago

I have a similar issue. Lambda has an old OpenSSL version installed. Getting this error:

DEPRECATION: The OpenSSL being used by this python install (OpenSSL 1.0.2k-fips 26 Jan 2017) does not meet the minimum supported version (>= OpenSSL 1.1.1) in order to support TLS 1.3 required by Cloudflare, You may encounter an unexpected Captcha or cloudflare 1020 blocks.
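Added example (not part of the thread and not the project's code): the thread shows that `openssl version` and `ssl.OPENSSL_VERSION` can report different builds inside the same Lambda, because the Python interpreter uses the library it was linked against rather than the CLI binary. This handler reports both and checks the linked one against the 1.1.1 minimum quoted in the deprecation message above; the function names and the report layout are assumptions made for illustration.

```python
import re
import shutil
import ssl
import subprocess

# Matches banners such as "OpenSSL 1.0.2k-fips  26 Jan 2017" or "OpenSSL 3.0.2 15 Mar 2022".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) or None if the banner is not an OpenSSL one."""
    m = _BANNER_RE.search(banner or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def cli_openssl_banner():
    """Banner of the openssl binary found on PATH, or None if there is none."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    return subprocess.check_output([exe, "version"]).decode("utf-8").strip()


def compare(cli_banner, linked_banner, minimum=(1, 1, 1)):
    """Compare the CLI build with the build Python's ssl module is linked against."""
    cli = parse_openssl_version(cli_banner)
    linked = parse_openssl_version(linked_banner)
    return {
        "cli": cli_banner,
        "python_linked": linked_banner,
        # True only when both parsed and they differ (the situation in this thread).
        "mismatch": cli is not None and linked is not None and cli != linked,
        # The ssl module's library is what decides which TLS versions Python can speak.
        "linked_meets_minimum": linked is not None and linked[:3] >= minimum,
    }


def lambda_handler(event, context=None):
    report = compare(cli_openssl_banner(), ssl.OPENSSL_VERSION)
    # HAS_TLSv1_3 only exists on Python 3.7+, so default to False on 3.6.
    report["has_tlsv1_3"] = getattr(ssl, "HAS_TLSv1_3", False)
    return report
```

If `mismatch` is true, the runtime or a layer is supplying a different libssl to the interpreter than the one the `openssl` binary reports, so checking only the CLI says nothing about the TLS versions Python code can negotiate.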