Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#6158 closed defect (fixed)

TLS error while generating certificate: could not load the shared library

Reported by: librefreiheit
Owned by:
Priority: Medium
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.3.15-alpha
Severity:
Keywords: SSL DSO tor-client
Cc: librefreiheit@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Running tor 0.2.15-alpha with openssl 1.0.1, a warning is displayed:

{{{
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)
}}}

This warning seems related to the lack of AES NI engine in 1.0.1.

/usr/lib64/engines/libaesni.so is not built in 1.0.1

{{{
openssl speed -engine aesni
invalid engine "aesni"
}}}

Change History (14)

comment:1 Changed 8 years ago by librefreiheit

Cc: librefreiheit@… added

comment:2 Changed 8 years ago by arma

There is no Tor 0.2.15-alpha.

Can you reproduce with either 0.2.2.37, or 0.2.3.16-alpha?

What operating system / distro / etc are you on?

comment:3 Changed 8 years ago by arma

Type: enhancement → defect

comment:4 Changed 8 years ago by librefreiheit

:) This 2.3.15-alpha

{{{
git clone git://git.torproject.org/tor.git
cd tor
git checkout tor-0.2.3.15-alpha
}}}

GNU/Debian Squeeze

comment:5 Changed 8 years ago by arma

Milestone: Tor: 0.2.3.x-final
Priority: minor → normal

Can you provide details on how you put 1.0.1 on your squeeze?

For example, did you compile Tor yourself?

Are you sure you didn't give Tor a different set of openssl headers than libs?

comment:6 Changed 8 years ago by librefreiheit

Upgraded to 2.3.16-alpha, same error.

Tor is compiled from GIT
Openssl is compiled from sources. openssl-1.0.1

{{{
Jun 14 07:35:09.000 [notice] Tor 0.2.3.15-alpha (git-2513a3e959b61612) opening log file.
Jun 14 07:35:09.000 [notice] Parsing GEOIP file /etc/tor/geoip.
Jun 14 07:35:09.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Jun 14 07:35:09.000 [warn] Unable to load dynamic OpenSSL engine "aesni".
Jun 14 07:35:09.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Jun 14 07:35:09.000 [notice] This version of OpenSSL has a known-good EVP counter-mode implementation. Using it.
Jun 14 07:35:09.000 [notice] OpenSSL OpenSSL 1.0.1 14 Mar 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
Jun 14 07:35:09.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)
}}}

comment:7 Changed 8 years ago by librefreiheit

Oops, this is the 2.3.*16*-alpha notice

{{{
Jun 14 11:29:24.000 [notice] Tor 0.2.3.16-alpha (git-e94606a76b98752d) opening log file.
Jun 14 11:29:24.000 [notice] Parsing GEOIP file /etc/tor/geoip.
Jun 14 11:29:24.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Jun 14 11:29:24.000 [warn] Unable to load dynamic OpenSSL engine "aesni".
Jun 14 11:29:24.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Jun 14 11:29:24.000 [notice] This version of OpenSSL has a known-good EVP counter-mode implementation. Using it.
Jun 14 11:29:24.000 [notice] OpenSSL OpenSSL 1.0.1 14 Mar 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)
}}}
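
An added triage example for the logs in comments 6 and 7 (not part of the ticket and not Tor's own code): it parses the `(in library:function:state)` suffix of each warning and shows that all four "TLS error" lines name OpenSSL's DSO and engine routines and share a timestamp with the failed "aesni" engine load. The function name `triage` and the report fields are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log posted in comment 7.
SAMPLE_LOG = """\
Jun 14 11:29:24.000 [warn] Unable to load dynamic OpenSSL engine "aesni".
Jun 14 11:29:24.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
Jun 14 11:29:24.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)
"""

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:.]+) \[(?P<sev>\w+)\] (?P<msg>.*)$')
# "TLS error while <doing>: <reason> (in <library>:<function>:<state>)"
TLS_ERR = re.compile(r'^TLS error while (?P<doing>.+?): (?P<reason>.+) '
                     r'\(in (?P<lib>[^:]+):(?P<func>[^:]+):(?P<state>[^)]*)\)$')
ENGINE_FAIL = re.compile(r'^Unable to load dynamic OpenSSL engine "(?P<name>[^"]+)"')
LOADER_LIBS = ("DSO support routines", "engine routines")

def triage(log_text):
    """Group [warn] lines per timestamp; report which OpenSSL libraries the
    'TLS error' lines name and which engine failed to load at that time."""
    groups = defaultdict(lambda: {"engines": [], "errors": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["sev"] != "warn":
            continue
        eng = ENGINE_FAIL.match(m["msg"])
        err = TLS_ERR.match(m["msg"])
        if eng:
            groups[m["ts"]]["engines"].append(eng["name"])
        elif err:
            groups[m["ts"]]["errors"].append((err["lib"], err["func"]))
    report = []
    for ts, g in groups.items():
        libs = sorted({lib for lib, _ in g["errors"]})
        # True only when every error names the DSO/engine loader, i.e. none
        # of them names a TLS or certificate library despite the label.
        loader_only = bool(libs) and all(lib in LOADER_LIBS for lib in libs)
        report.append({"ts": ts, "failed_engines": g["engines"], "libs": libs,
                       "funcs": [func for _, func in g["errors"]],
                       "engine_load_failure": loader_only})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```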

comment:8 Changed 8 years ago by rransom

Try recompiling Tor (from a clean build tree) with CFLAGS, LDFLAGS, and LD_LIBRARY_PATH set so that the compiler, linker, and loader can find the OpenSSL libraries you want to use, and run Tor with LD_LIBRARY_PATH set correctly.

Also, you should not be using the ‘rsax’ engine unless it really exists and works on your computer.

Also, these OpenSSL errors are not a Tor bug. The fact that users don't know how to compile a Tor binary that uses libraries other than the ones provided by the system might be a missing feature, but not a high-priority one.

comment:9 Changed 8 years ago by librefreiheit

AFAIK, in OpenSSL 1.0.1 there is no AES-NI and that functionality is available via EVP. The warnings that I see might be triggered when tor tries to call the AES-NI.

In a system with OpenSSL 0.9.8x, this functionality is available in the library /usr/lib64/engines/libaesni.so that is no longer present in OpenSSL 1.0.1

The RSAX engine is a software implementation for 64-bit platforms that improves performance. I believe it is built with the new OpenSSL.

I think they are [warn] and not errors :)

comment:10 in reply to:  9 Changed 8 years ago by rransom

Resolution: invalid
Status: new → closed

Replying to librefreiheit:

> AFAIK, in OpenSSL 1.0.1 there is no AES-NI and that functionality is available via EVP. The warnings that I see might be triggered when tor tries to call the AES-NI.
>
> In a system with OpenSSL 0.9.8x, this functionality is available in the library /usr/lib64/engines/libaesni.so that is no longer present in OpenSSL 1.0.1
>
> The RSAX engine is a software implementation for 64-bit platforms that improves performance. I believe it is built with the new OpenSSL.
>
> I think they are [warn] and not errors :)

OK then. Stop telling Tor to try to use the ‘aesni’ engine that doesn't exist.

I see no occurrences of the string “aesni” in tor.git, so this looks like a misconfiguration on your computer. Feel free to reopen this ticket if you have a real reason to believe that this is a Tor bug.

comment:11 Changed 8 years ago by librefreiheit

Resolution: invalid
Status: closed → reopened

The problem has been described in this mail.

https://lists.torproject.org/pipermail/tor-relays/2012-March/001260.html

As AES-NI is no longer present in OpenSSL 1.0.1, what configuration option is required in torrc to make use of EVP acceleration?

comment:12 Changed 8 years ago by librefreiheit

Resolution: fixed
Status: reopened → closed

Checking src/common/aes.c it seems that AES-NI is reached via EVP automatically.

evaluate_evp_for_aes(int force_val)

comment:13 Changed 7 years ago by nickm

Keywords: tor-client added

comment:14 Changed 7 years ago by nickm

Component: Tor Client → Tor