.NET runtime (on Linux) crashes with SIGABRT when using OpenSSL 3 with deprecated APIs disabled

[egraff]

Description

When using an OpenSSL 3 version of libssl compiled with --api=3.0 no-deprecated, the .NET runtime makes the process abort (SIGABRT) with the error Cannot get required symbol d2i_RSAPublicKey from libssl. The d2i_RSAPublicKey function is deprecated in OpenSSL 3, and should not be used.

Reproduction Steps

Run any .NET application on a system where an OpenSSL 3 version of libssl compiled with --api=3.0 no-deprecated is present.

Expected behavior

The .NET runtime already searches for all the ABI versions of libssl until it finds one that works. Either, the runtime should handle the missing symbol error, and continue the search for another version of libssl (e.g. libssl.so.1.1), or it should be changed not to depend on the deprecated symbol at all. The process should not crash.

Actual behavior

The process crashes:

# gdb --args /usr/share/dotnet/dotnet exec /usr/share/dotnet/sdk/6.0.403/dotnet.dll internal
GNU gdb (Pexos 10.1-1.7pexip4) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/share/dotnet/dotnet...
(No debugging symbols found in /usr/share/dotnet/dotnet)
(gdb) r
Starting program: /usr/share/dotnet/dotnet exec /usr/share/dotnet/sdk/6.0.403/dotnet.dll internal
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6802b1b700 (LWP 11631)]
[New Thread 0x7f680231a700 (LWP 11632)]
[New Thread 0x7f6801af5700 (LWP 11633)]
[New Thread 0x7f68012f0700 (LWP 11634)]
[New Thread 0x7f6800503700 (LWP 11635)]
[New Thread 0x7f67ff993700 (LWP 11636)]
[New Thread 0x7f67fd142700 (LWP 11637)]
[New Thread 0x7f67fc941700 (LWP 11638)]
[New Thread 0x7f67fc900700 (LWP 11639)]
[New Thread 0x7f67fc0fb700 (LWP 11640)]
[New Thread 0x7f67fb8f6700 (LWP 11641)]
[New Thread 0x7f6788f35700 (LWP 11642)]
Cannot get required symbol d2i_RSAPublicKey from libssl
[New Thread 0x7f6753ffd700 (LWP 11643)]

Thread 1 "dotnet" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f680334c537 in __GI_abort () at abort.c:79
#2  0x00007f67fb0ddded in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#3  0x00007f67fb0d2f7e in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#4  0x00007f680384034f in __pthread_once_slow (once_control=0x7f67fb0ed094, init_routine=0x7f67fb0d2f70) at pthread_once.c:116
#5  0x00007f67fb0d2f64 in CryptoNative_EnsureOpenSslInitialized () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#6  0x00007f678a956069 in ?? ()
#7  0x00000000a41cb3bd in ?? ()
#8  0x00007f68031f48f0 in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libcoreclr.so
#9  0x00007ffe7c1d2008 in ?? ()
#10 0x0000000000000000 in ?? ()

Regression?

Probably not a regression (not sure).

Known Workarounds

Only known workaround is to either remove OpenSSL 3, so the ABI search continues and falls back to libssl.so.1.1, or use a version of OpenSSL 3 that includes deprecated APIs. None of those solutions are really acceptable workarounds.

Configuration

Reproduced with:

• .NET SDK 6.0.403 (runtime 6.0.11)
• OS: Linux / Debian
• Architecture: x64

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

When using an OpenSSL 3 version of libssl compiled with --api=3.0 no-deprecated, the .NET runtime makes the process abort (SIGABRT) with the error Cannot get required symbol d2i_RSAPublicKey from libssl. The d2i_RSAPublicKey function is deprecated in OpenSSL 3, and should not be used.

Reproduction Steps

Run any .NET application on a system where an OpenSSL 3 version of libssl compiled with --api=3.0 no-deprecated is present.

Expected behavior

The .NET runtime already searches for all the ABI versions of libssl until it finds one that works. Either, the runtime should handle the missing symbol error, and continue the search for another version of libssl (e.g. libssl.so.1.1), or it should be changed not to depend on the deprecated symbol at all. The process should not crash.

Actual behavior

The process crashes:

# gdb --args /usr/share/dotnet/dotnet exec /usr/share/dotnet/sdk/6.0.403/dotnet.dll internal
GNU gdb (Pexos 10.1-1.7pexip4) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/share/dotnet/dotnet...
(No debugging symbols found in /usr/share/dotnet/dotnet)
(gdb) r
Starting program: /usr/share/dotnet/dotnet exec /usr/share/dotnet/sdk/6.0.403/dotnet.dll internal
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f6802b1b700 (LWP 11631)]
[New Thread 0x7f680231a700 (LWP 11632)]
[New Thread 0x7f6801af5700 (LWP 11633)]
[New Thread 0x7f68012f0700 (LWP 11634)]
[New Thread 0x7f6800503700 (LWP 11635)]
[New Thread 0x7f67ff993700 (LWP 11636)]
[New Thread 0x7f67fd142700 (LWP 11637)]
[New Thread 0x7f67fc941700 (LWP 11638)]
[New Thread 0x7f67fc900700 (LWP 11639)]
[New Thread 0x7f67fc0fb700 (LWP 11640)]
[New Thread 0x7f67fb8f6700 (LWP 11641)]
[New Thread 0x7f6788f35700 (LWP 11642)]
Cannot get required symbol d2i_RSAPublicKey from libssl
[New Thread 0x7f6753ffd700 (LWP 11643)]

Thread 1 "dotnet" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f680334c537 in __GI_abort () at abort.c:79
#2  0x00007f67fb0ddded in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#3  0x00007f67fb0d2f7e in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#4  0x00007f680384034f in __pthread_once_slow (once_control=0x7f67fb0ed094, init_routine=0x7f67fb0d2f70) at pthread_once.c:116
#5  0x00007f67fb0d2f64 in CryptoNative_EnsureOpenSslInitialized () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libSystem.Security.Cryptography.Native.OpenSsl.so
#6  0x00007f678a956069 in ?? ()
#7  0x00000000a41cb3bd in ?? ()
#8  0x00007f68031f48f0 in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.11/libcoreclr.so
#9  0x00007ffe7c1d2008 in ?? ()
#10 0x0000000000000000 in ?? ()

Regression?

Probably not a regression (not sure).

Known Workarounds

Only known workaround is to either remove OpenSSL 3, so the ABI search continues and falls back to libssl.so.1.1, or use a version of OpenSSL 3 that includes deprecated APIs. None of those solutions are really acceptable workarounds.

Configuration

Reproduced with:

• .NET SDK 6.0.403 (runtime 6.0.11)
• OS: Linux / Debian
• Architecture: x64

Other information

No response

Author:	egraff
Assignees:	-
Labels:	area-System.Security
Milestone:	-

[vcsjones]

The work to move to OpenSSL 3.0 APIs is being tracked in #46526.

no-deprecated

All distributions that I am aware of compile with deprecated APIs. Is there a distro that is shipping with no-deprecated?

[egraff]

@vcsjones we compile OpenSSL ourselves as part of our own Debian-based distro with high security requirements.

[bartonjs]

Your only two options right now are:

• Use a build of OpenSSL 3 that doesn't remove deprecated functions
• Use the CLR_OPENSSL_VERSION_OVERRIDE environment variable to prioritize binding to an older SONAME. (CLR_OPENSSL_VERSION_OVERRIDE=1.1 to look for libssl.so.1.1 first)

Finishing off the move to avoid now-deprecated API is almost certainly not going to be simple enough to patch on existing releases, so the earliest that this would be remedied for you is .NET 8.

[egraff]

@bartonjs thank you for the swift answer! 🙂 I did not know about the CLR_OPENSSL_VERSION_OVERRIDE environment variable, so that is valuable info

[jeffhandley]

With the guidance provided above, I'm closing this as a duplicate of #46526, which isn't going to get closed out during .NET 8.