runtime: Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name

Hello.

Since a few days I’m getting rather weird situation of internal OpenSSL failures on my machine. In particular, this is the exception that I’m encountering since a few days:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. 
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. 
---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception. 
---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception. 
---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception. 
---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name
   at Interop.SslInitializer..cctor()
   --- End of inner exception stack trace ---
   at Interop.SslInitializer.Initialize()
   at Interop.Ssl..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ssl.SslV2_3Method()
   at Interop.Ssl.SslMethods..cctor()
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at ArchiSteamFarm.WebBrowser.InternalRequest(Uri requestUri, HttpMethod httpMethod, IReadOnlyCollection`1 data, String referer, HttpCompletionOption httpCompletionOption, Byte maxRedirections)

I’ve tried to solve this issue through various ways. Using CLR_OPENSSL_VERSION_OVERRIDE=1.1 I’m getting a different one:

Cannot get required symbol CRYPTO_add_lock from libssl
Aborted

Using DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 fixed the problem I was having. CURL and OpenSSL work fine on my machine, I can make all usual https requests and my .NET Core app also has no issues doing them with curl handler.

I’ve managed to reproduce this on two different machines, both running Debian 10 (testing) x64, second machine being clean VM install. I suspect that this problem might be caused by some Debian libraries update, in particular libssl1.1 package (even though I see no reason why it’d break 1.0.2 usage, but it’s the only library that dotnet depends on that got updated recently). For reference:

+++-=================-============-============-===============================================
ii  libssl1.0.2:amd64 1.0.2o-1     amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64   1.1.1-2      amd64        Secure Sockets Layer toolkit - shared libraries

I realize that Debian 10 is not supported as of yet, but this looks like some general libssl compatibility issue that you might be interested in looking into. You should have no problem trying to reproduce this issue on clean Debian Testing install, but if you’d need any further help from me, please let me know.

For completion, this was reproduced on two different SDK versions, latest stable and latest master:

.NET Core SDK (reflecting any global.json):
 Version:   2.1.403
 Commit:    04e15494b6

Runtime Environment:
 OS Name:     debian
 OS Version:
 OS Platform: Linux
 RID:         debian-x64
 Base Path:   /usr/share/dotnet/sdk/2.1.403/

Host (useful for support):
  Version: 2.1.5
  Commit:  290303f510

.NET Core SDKs installed:
  2.1.403 [/usr/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET Core SDK (reflecting any global.json):
 Version:   3.0.100-alpha1-009708
 Commit:    ce09d64d8a

Runtime Environment:
 OS Name:     debian
 OS Version:
 OS Platform: Linux
 RID:         debian-x64
 Base Path:   /opt/dotnet-test/sdk/3.0.100-alpha1-009708/

Host (useful for support):
  Version: 3.0.0-preview1-27029-03
  Commit:  631e219c26

.NET Core SDKs installed:
  3.0.100-alpha1-009708 [/opt/dotnet-test/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.0.0-preview1-27029-03 [/opt/dotnet-test/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

Thank you for looking into my issue.

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 20 (13 by maintainers)

Most upvoted comments

Looks like the ssl_conf directive, actually.

If you comment out the line

ssl_conf = ssl_sect

Then .NET (and OpenSSL 1.0) will start working again, but the security choices that Debian made will then be ignored.

(Using that openssl.cnf file on Ubuntu 16.04 produces

$ openssl s_client -connect www.microsoft.com:443
Error configuring OpenSSL
139661852980888:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
139661852980888:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
139661852980888:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
139661852980888:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf

, commenting out ssl_conf makes it succeed)

I’m not sure what a good change on our side would be for 2.1 without just backporting the OpenSSL 1.1 support.

+16
bartonjs on Nov 1, 2018

@bartonjs I entered that in and it said “Cannot get required symbol CRYPTO_add_lock from libsll.” Any way to fix this. I am trying to run a program through my raspberry pi 3b+

Same here. I’m trying to run the azure pipeline agent in a debian10 container. I installed dotnet runtime 3.0-preview9 hoping this would be be resolved, but I hit the same issue :

root@4a8f001fae84:/azp# apt list --installed | grep ssl
libssl1.1/stable,now 1.1.1c-1 amd64 [installed]
openssl/stable,now 1.1.1c-1 amd64 [installed,automatic]

root@4a8f001fae84:/azp# ./start.sh
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

No usable version of the libssl was found
./config.sh: line 86:    66 Aborted                 ./bin/Agent.Listener configure "$@"
root@4a8f001fae84:/azp# export CLR_OPENSSL_VERSION_OVERRIDE=1.1
root@4a8f001fae84:/azp# ./start.sh 
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86:   134 Aborted                 ./bin/Agent.Listener configure "$@"

# commenting out the ssl_conf = ssl_sect
root@4a8f001fae84:/azp# sed -i -e's/ssl_conf = ssl_sect/# ssl_conf = ssl_sect/' /etc/ssl/openssl.cnf
root@4a8f001fae84:/azp# grep 'ssl_conf = ssl_sect' /etc/ssl/openssl.cnf 
# ssl_conf = ssl_sect
root@4a8f001fae84:/azp# ./start.sh 
1. Determining matching Azure Pipelines agent...
2. Downloading and installing Azure Pipelines agent...
3. Configuring Azure Pipelines agent...

>> Connect:

Cannot get required symbol CRYPTO_add_lock from libssl
./config.sh: line 86:   208 Aborted                 ./bin/Agent.Listener configure "$@"
+3
serbrech on Sep 6, 2019

@JustArchi 2.2 should automatically get the change from 2.1, if I understand the branch flows correctly. So it, too, should be able to use OpenSSL 1.1.x starting in the next update.

+2
bartonjs on Feb 25, 2019

@bartonjs I entered that in and it said “Cannot get required symbol CRYPTO_add_lock from libsll.” Any way to fix this. I am trying to run a program through my raspberry pi 3b+

+1
pockets3407 on Aug 2, 2019

CLR_OPENSSL_VERSION_OVERRIDE=1.1 is the most appropriate workaround for net core 2.2.

+1
JustArchi on Jul 8, 2019
Read more comments on GitHub
← runtime: Internal CLR errors.
runtime: Introduce static methods to allocate and throw key exception types. →