Amazon Linux 2022 release candidate 0 (2022.0.20220728.1) uses OpenSSL 3.0 by default

rabbitmq / erlang-rpm

Latest Erlang/OTP releases packaged as a zero dependency RPM, just enough for running RabbitMQ

https://rabbitmq.com/install-rpm.html

Other

545 stars 117 forks source link

Amazon Linux 2022 release candidate 0 (2022.0.20220728.1) uses OpenSSL 3.0 by default #105

Closed Darth-Bobo closed 1 year ago

Darth-Bobo commented 2 years ago

Amazon have changed the base OpenSSL package to v3 and now erlang will not install because of a dependency problem:

e.g.:

nothing provides libcrypto.so.1.1()(64bit) needed by erlang-25.0.3-1.el8.x86_64
nothing provides libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) needed by erlang-25.0.3-1.el8.x86_64
nothing provides libcrypto.so.1.1(OPENSSL_1_1_1)(64bit) needed by erlang-25.0.3-1.el8.x86_64

In theory this could be resolved by downgrading OpenSSL, but that feels like the wrong way to go.

michaelklishin commented 2 years ago

Erlang 25 may or may not be ready for OpenSSL 3.0, which is very new. Using OpenSSL 1.1 is perfectly fine, the vast majority of software in the world uses 1.1.x.

I don't think we have the capacity on this team to work on Amazon Linux-specific issues and OpenSSL 3.0 at least until RabbitMQ 3.11 ships this fall.

This is open source software, so you are welcome to dive in and report how compatible Erlang's TLS implementation is with 3.0, and add a build artifact for AL 2022. The images used to produce the RPMs are available as part of this repository.

lukebakken commented 2 years ago

A quick search in the Erlang/OTP repository returns this discussion:

https://github.com/erlang/otp/issues/4577#issuecomment-945396214

You will have to compile Erlang 25 from source to use OpenSSL 3.0.

Downgrading to OpenSSL 1.1 is perfectly acceptable as well.

michaelklishin commented 2 years ago

Assuming that Erlang 25's OpenSSL 3.0 support is robust, we can produce a new package type, al2022 or something, that would build the package on AL 2022. That should be enough. It feels weird to special case a single vendor-specific distribution but given the scale and reach of AWS, we may not have a lot of options.

Darth-Bobo commented 2 years ago

I found that I could install openssl1.1 from the Fedora dev repo (https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os) and that has allowed erlang and rabbit to install so I now have a test node up and running.

Meanwhile I've also raised this with the AL 2022 development project since the previews all included OpenSSL 1.1

erlmachinedev commented 1 year ago

I faced the same issue when tried Amazon Linux 2022 and the solution is to get el9 instead of el8.

After that I successfully installed the latest Erlang and RabbitMQ on a top of OpenSLL 3.0

michaelklishin commented 1 year ago

I will make sure the README does mention this difference.

Now that Erlang 25.1 has made OpenSSL 3 support "officially production ready" we may consider to move to use OpenSSL 3 in CentOS Stream 9 builds.

michaelklishin commented 1 year ago

This is no longer relevant as of Erlang/OTP 25.3 and #119.