swift-nio-ssl: swift-nio-ssl not working in a sandboxed app

Hi,

I am using swift-nio and it works perfectly. So far I worked on the command line and everything worked as expected. I then started using the created library from a Mac App with a GUI and as soon as I enable SSL I see the following in the logs:

Auto configuration failed
4318397384:error:02FFF001:system library:func(4095):Operation not permitted:bio/bss_file.c:122:fopen('/usr/local/etc/libressl/openssl.cnf', 'rb')
4318397384:error:20FFF002:BIO routines:CRYPTO_internal:system lib:bio/bss_file.c:127:
4318397384:error:0EFFF002:configuration file routines:CRYPTO_internal:system lib:conf/conf_def.c:200:

I can make it work by removing the sandboxing of the app but that is not really a solution given that sandboxing is the way forward.

Do you have any advice on how to approach this?

Thanks.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 29 (19 by maintainers)

Most upvoted comments

Agreed, I see no reason to close this issue. I will reframe it as “use custom openssl/libressl configuration file location” though, which is the fix we’d need to make to resolve this problem.

For anyone who feels like picking this up, we probably need to make this function public, and extend it to take an optional String that we pass here. We’ll also need to update the logic for this, but that’d probably be doable.

@Lukasa happy to report that Swift 4.2 finally arrived on Arch Linux, resolving all the mysterious issues that came with the custom Swift binary. Not to mention that Vapor also got an update. All my pain relieved 😃

(I’ll also investigate this with the nightlies when I have a few spare moments later today.)

openssl 1.1 is the current supported library although NIO does not compile with it.

What do you mean? It should compile fine. What errors are you encountering?

This idea just came to my mind: what if the project embeds libressl portable, making NIO fully independent of the current SSL implementations at the OS / userland level?

This cannot be done today. The primary reason why is that swift-corelibs-foundation links libcurl to provide an implementation for URLSession, and libcurl links the system OpenSSL. As Linux has a single symbol table, if we separately statically link the same symbols (via libressl portable, or via boringssl statically linked) into our main binary, we will cause a symbol clash and cause horrifying breakages (see #16).

@helje5 Sure does. 👍