Closed peektoseen closed 7 months ago
Found a solution. You need to add the certificate to the trusted store:
openssl s_client -connect esia.gosuslugi.ru:443 -showcerts </dev/null | awk '/-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/' > /usr/local/share/ca-certificates/esia-cert.crt
update-ca-certificates
Not sure this is a safe path. It is better to obtain certificates from a trustworthy source. If the domain is compromised, the compromised certificate will end up among the trusted ones.
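Added example illustrating the caveat above (not code from this issue or the docker-gost project): rather than trusting whatever the TLS endpoint serves, compare the SHA-256 fingerprint of the chain's last certificate against a value obtained out of band before copying it into the trust store. Assumes openssl and awk are installed; the function names, the CHAIN_FILE/EXPECTED_FP/DEST_DIR parameters and the destination path are placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread): pin the fetched chain's last
# certificate by SHA-256 fingerprint before it enters the system trust store.
# CHAIN_FILE holds the PEM output that `openssl s_client -showcerts` would
# produce; EXPECTED_FP is the fingerprint published by the CA, obtained
# out of band, not from the same TLS connection.

# Print the last certificate in a PEM chain (the one closest to the root).
last_cert_in_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""}
       {buf=buf $0 "\n"}
       /-----END CERTIFICATE-----/{last=buf}
       END{printf "%s", last}' "$1"
}

# Print the SHA-256 fingerprint of a single PEM certificate (colon-separated).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# install_pinned_cert CHAIN_FILE EXPECTED_FP DEST_DIR
# Writes the certificate to DEST_DIR/esia-cert.crt only if the fingerprint
# matches; returns non-zero (and writes nothing) otherwise.
install_pinned_cert() {
  chain="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp) || return 1
  last_cert_in_chain "$chain" > "$tmp"
  actual=$(cert_fingerprint "$tmp" 2>/dev/null)
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: expected $expected, got ${actual:-<none>}" >&2
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dest" || { rm -f "$tmp"; return 1; }
  cp "$tmp" "$dest/esia-cert.crt"
  rm -f "$tmp"
  echo "pinned certificate installed to $dest/esia-cert.crt"
  # On Debian-based systems, run update-ca-certificates afterwards.
}
```

Typical use is `install_pinned_cert chain.pem "$EXPECTED_FP" /usr/local/share/ca-certificates && update-ca-certificates`, so a mismatch stops before the trust store is touched.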
Hi @peektoseen, thank you for noticing the issue. Unfortunately (and maybe fortunately 😃) I no longer have to work with GOST and openssl.
I think the problem is with the transition to OpenSSL 3.2 since my current setup automatically builds docker images once a new version of OpenSSL or Nginx is available. However, at the time of this writing, the mainline branch of OpenSSL includes GOST engine as a submodule synced to a commit from 5 months ago. Once the submodule gets updated, I expect the openssl build to work.
For now, it is possible to use an older tag with OpenSSL 3.1:
╰─λ docker run -it mbrav/docker-gost:bookworm-3.1.4 openssl version
OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
@peektoseen I have good news: the build is fixed for OpenSSL 3.3.0:
╰─λ docker run -it --rm mbrav/docker-gost:bookworm-3.3.0 sh
# openssl version
OpenSSL 3.3.0 9 Apr 2024 (Library: OpenSSL 3.3.0 9 Apr 2024)
# openssl ciphers | tr ":" "\n" | grep GOST
GOST2012-MAGMA-MAGMAOMAC
GOST2012-KUZNYECHIK-KUZNYECHIKOMAC
LEGACY-GOST2012-GOST8912-GOST8912
IANA-GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89
Hello! The Docker image doesn't work. The example from the documentation (README.md) does not work: