wader / static-ffmpeg

Multi-arch docker image with ffmpeg/ffprobe binaries built as hardened static PIE binaries with no external dependencies
https://hub.docker.com/r/mwader/static-ffmpeg/
MIT License

OpenSSL issue with binary outside container (RedHat/Fedora specific) #462

Closed mathieu-aubin closed 4 weeks ago

mathieu-aubin commented 1 month ago

I use the product of this great project on various systems and since some of them have no running docker instance, I've got the habit of copying the binaries from the image to a distribution server which is then used to update other systems where I use ffmpeg and friends.

I recently came upon an SSL error while using ffprobe and found out, after some digging, that RedHat flavored distributions apply a patch to modify the openssl config file in order to add special, distro-specific config parameters which in turn are unrecognized by an unpatched openssl instance.

[tls @ 0x7f80c8ec3800] error:030000A9:digital envelope routines::unknown option

I first tried adding -reconnect_on_network_error true to my ffprobe command with some success. The initial error message still shows, but the command runs without problems afterwards.

After some research, I found this https://github.com/openssl/openssl/discussions/23016

I then found what ultimately works for me, which is explained in my comment HERE

The file /etc/crypto-policies/back-ends/opensslcnf.config contains the unrecognized config argument (set to yes on Fedora and no on RedHat):

[evp_properties]
rh-allow-sha1-signatures = yes

I raise this to let you know about my issue and how I 'fixed' it so you can see if it's worth including in the readme file somehow.

wader commented 1 month ago

Thanks for letting me know and researching it. Yeap, sounds like this should be a new known-issue section in the readme, and I guess this also happens with some docker base images in addition to "host" distros?

mathieu-aubin commented 1 month ago

I would think that yes, if you used any RedHat based distro as the base container OS, the problem would appear also... Best is to change the configuration value from enabled to disabled in /etc/ssl/openssl.cnf -> config_diagnostics = 0

I don't have the language skills to really explain it in a simple manner in the readme file, but you are better at that than I am, I am certain. I'm so french... Maybe something akin to...

"An SSL 'unknown option' error is likely to arise on RedHat based distributions when crypto (openssl) is called."

Then somehow explain the simple modification required to ignore the error... maybe also link to the relevant stuff...
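To turn the description above into a check a system owner can run before copying the static binaries around, here is an added example (not code from the static-ffmpeg project or its author). It looks for the rh-allow-sha1-signatures key in an OpenSSL config and the files it pulls in, and for an enabled config_diagnostics setting; the config files it writes are constructed samples, and following ".include" lines is assumed from OpenSSL's standard config syntax.

```shell
#!/bin/sh
# Added example, not part of static-ffmpeg: report whether an OpenSSL config
# chain carries the RedHat-only key described in this issue while
# config_diagnostics is enabled, the combination that makes an unpatched
# static OpenSSL fail with "unknown option". Sample files are constructed.

# has_rh_key CONFIG: succeeds if CONFIG or any file it ".include"s sets the key
has_rh_key() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*rh-allow-sha1-signatures[[:space:]]*=' "$1" && return 0
    # follow ".include path" and ".include = path" lines (POSIX sed, BRE)
    for inc in $(sed -n 's/^[[:space:]]*\.include[[:space:]]*=\{0,1\}[[:space:]]*//p' "$1"); do
        has_rh_key "$inc" && return 0
    done
    return 1
}

# diagnostics_on CONFIG: succeeds if config_diagnostics is set to a non-zero
# value (OpenSSL 3 only treats config errors as fatal in that case)
diagnostics_on() {
    grep -Eq '^[[:space:]]*config_diagnostics[[:space:]]*=[[:space:]]*[1-9]' "$1"
}

# will_fail CONFIG: the static ffmpeg/ffprobe binary hits the error when both hold
will_fail() {
    has_rh_key "$1" && diagnostics_on "$1"
}

# Constructed sample configs mirroring the thread: a RedHat-style config
# before and after the config_diagnostics = 0 change.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/opensslcnf.config" <<'EOF'
[evp_properties]
rh-allow-sha1-signatures = yes
EOF
cat > "$DEMO/rhel.cnf" <<EOF
config_diagnostics = 1
.include $DEMO/opensslcnf.config
EOF
cat > "$DEMO/fixed.cnf" <<EOF
config_diagnostics = 0
.include $DEMO/opensslcnf.config
EOF

for f in rhel.cnf fixed.cnf; do
    if will_fail "$DEMO/$f"; then echo "$f: would fail"; else echo "$f: ok"; fi
done
```

On a real host, point the functions at /etc/ssl/openssl.cnf (or /etc/pki/tls/openssl.cnf on RedHat-style systems); giving the static binary its own file via the standard OPENSSL_CONF environment variable avoids editing the system-wide config at all.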

wader commented 4 weeks ago

👍 OK! I gave it a shot in #467

mathieu-aubin commented 4 weeks ago

Without modifying openssl.cnf, the -reconnect_on_network_error true option added to the command line does warn about the unrecognized option while also performing a round 2 and ultimately performing the requested command...

wader commented 4 weeks ago

> Without modifying openssl.cnf, the -reconnect_on_network_error true option added to the command line does warn about the unrecognized option while also performing a round 2 and ultimately performing the requested command...

Aha, added a note about it. By "round 2" do you mean it does a new connection that succeeds on error?

mathieu-aubin commented 4 weeks ago

Check this out

asciicast