PhantomJS does not work with the /etc/ssl/openssl.cnf on Debian Buster

[gterziysky]

The problem is described very well here, but pasting its contents just in case:

When I run tests on Debian Buster, I get the following failure:

140302110000960:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
140302110000960:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
140302110000960:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf
140302110000960:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf

From some targeted stracing, I'm seeing that the phantomjs binary is reading /etc/ssl/openssl.cnf. Buster upgrades openssl far enough that the config in /etc/ is too different and won't work. The correct fix is to provide an openssl.cfg with phantomjs that works.

This is blocking a debian upgrade for us, so I'll likely dig in and try to provide a fix.

Unfortunately, PhantomJS development is suspended and it appears that no fix will appear from the library's development team.

A fix has already been suggested here: https://github.com/drwetter/testssl.sh/issues/1117#issuecomment-418507425.

For example, create an "openssl.cnf" file which works with PhantomJS and then set the OPENSSL_CONF environment variable which points to this new file:

export OPENSSL_CONF=".../new_openssl.cnf"

I tested this solution and it worked, however, in order not to affect the config for any other code which may rely on the system openssl.cnf, this environment variable should be set only while running PhantomJS and then unset.

This can be done within phantom_run() by making a call to Sys.setenv() before calling the process and then to Sys.unsetenv() from within on.exit().

A caveat in this solution is that it would require keeping an "openssl.cnf" which PhantomJS can work with within the R package (i.e. in the data/ or inst/ folder).

The output of sessionInfo() is the following:

> sessionInfo()
R version 3.6.2 (2019-12-12)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Debian GNU/Linux 10 (buster)

Matrix products: default
BLAS/LAPACK: /usr/lib/x86_64-linux-gnu/libopenblasp-r0.3.5.so

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=C             
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

loaded via a namespace (and not attached):
[1] compiler_3.6.2

Would it be possible to implement a solution in an upcoming package release?

[wch]

I'd be willing to look at a PR if you want to make one.

In the meantime, have you seen webshot2? https://github.com/rstudio/webshot2

[gterziysky]

Thank you for the quick reply.

I was actually looking for an alternative and will definitely give webshot2 a try.

If it does not work, I'll look into opening a PR with the fix.

[gterziysky]

I forked the repo and implemented the suggested fix here: https://github.com/gterziysky/webshot/commit/369d7eda9144cfd3dec53dce876886bcb88f5df1. I tested it on Debian Buster and on Ubuntu 18.04 LTS and it works. The package also passes devtools::check() (no surprise here).

I also copied the openssl.cnf for OpenSSL 1.1.1 to package inst/ folder.

Before I proceed with a PR though I wanted to verify if this solution is all right with you, @wch , (as it will run PhantomJS with the newly provided config regardless of the OS).