[Solved] Openssl error on a self compiled build

I have a build compiled by myself.
What I see are these openssl errors.

root@QNAP:~# openssl engine -t -c
FATAL: Startup failure (dev note: apps_startup()) for openssl
302D258A7F000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(libengines.so): Error loading shared library libengines.so: No such file or directory
302D258A7F000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
302D258A7F000000:error:0700006E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:321:module=engines, path=engines
302D258A7F000000:error:07000071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:266:module=engines

I have these installed

root@QNAP:~# opkg list-installed | grep openssl
libopenssl-conf - 3.0.13-r1
libopenssl-legacy - 3.0.13-r1
libopenssl3 - 3.0.13-r1
libustream-openssl20201210 - 2024.04.19~524a76e5-r1
luci-ssl-openssl - 24.153.25439~2e265f7
openssl-util - 3.0.13-r1
wpad-openssl - 2024.03.09~695277a5-r1

Can anyone help with this error?

Maybe you also have an old OpenSSL on your build system?
Check with: apt list openssl

apt list openssl
openssl/debian-rolling,now 3.2.1-3 amd64 [installed,automatic]

openssl version                        
OpenSSL 3.2.2-dev  (Library: OpenSSL 3.2.2-dev )

Could this be the reason?
I compile on the same system for other routers too and I don't see those openssl errors on them.

No, I do not think so; both are 3.X.X.X, so I would assume that that is compatible.

I thought I had finally set up my config, but now this error confused me because it seems that encryption somehow still works. I have curl that uses https and I don't see any other broken things. I don't have mbedtls nor wolfssl on my system. On the same build system I compile for other routers (R7800 being one of them) using openssl on all of them and it works.
Any suggestions how to test if openssl actually works?

Get some info:

openssl engine -t -c -vv
openssl engine -pre DUMP_INFO devcrypto

assuming devcrypto is the engine in play


I've just flashed a new build that has devcrypto enabled again.
I get this on it.

root@OpenWrt:~# openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
root@OpenWrt:~# openssl engine -t -c -vv
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings
(devcrypto) /dev/crypto engine
     [ available ]
     USE_SOFTDRIVERS: specifies whether to use software (not accelerated) drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use if acceleration can't be determined) [default=2]
     CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]
     DIGESTS: either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]
     DUMP_INFO: dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'
root@OpenWrt:~# openssl engine -pre DUMP_INFO devcrypto
(devcrypto) /dev/crypto engine
Information about ciphers supported by the /dev/crypto engine:
Cipher DES-CBC, NID=31, /dev/crypto info: id=1, CIOCGSESSION (session open call) failed
Cipher DES-EDE3-CBC, NID=44, /dev/crypto info: id=2, CIOCGSESSION (session open call) failed
Cipher BF-CBC, NID=91, /dev/crypto info: id=3, CIOCGSESSION (session open call) failed
Cipher CAST5-CBC, NID=108, /dev/crypto info: id=4, CIOCGSESSION (session open call) failed
Cipher AES-128-CBC, NID=419, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher AES-192-CBC, NID=423, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher AES-256-CBC, NID=427, /dev/crypto info: id=11, driver=cbc(aes-generic) (software)
Cipher RC4, NID=5, /dev/crypto info: id=12, CIOCGSESSION (session open call) failed
Cipher AES-128-CTR, NID=904, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-192-CTR, NID=905, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-256-CTR, NID=906, /dev/crypto info: id=21, driver=ctr(aes-generic) (software)
Cipher AES-128-ECB, NID=418, /dev/crypto info: id=23, driver=ecb(aes-generic) (software)
Cipher AES-192-ECB, NID=422, /dev/crypto info: id=23, driver=ecb(aes-generic) (software)
Cipher AES-256-ECB, NID=426, /dev/crypto info: id=23, driver=ecb(aes-generic) (software)

Information about digests supported by the /dev/crypto engine:
Digest MD5, NID=4, /dev/crypto info: id=13, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA1, NID=64, /dev/crypto info: id=14, driver=sha1-generic (software), CIOCCPHASH capable
Digest RIPEMD160, NID=117, /dev/crypto info: id=102, driver=unknown. CIOCGSESSION (session open) failed
Digest SHA224, NID=675, /dev/crypto info: id=103, driver=sha224-generic (software), CIOCCPHASH capable
Digest SHA256, NID=672, /dev/crypto info: id=104, driver=sha256-generic (software), CIOCCPHASH capable
Digest SHA384, NID=673, /dev/crypto info: id=105, driver=sha384-arm64 (software), CIOCCPHASH capable
Digest SHA512, NID=674, /dev/crypto info: id=106, driver=sha512-arm64 (software), CIOCCPHASH capable

[Success]: DUMP_INFO

On a build with devcrypto disabled I get this

root@OpenWrt:~# openssl engine -t -c -vv
FATAL: Startup failure (dev note: apps_startup()) for openssl
309D9E8B7F000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(libengines.so): Error loading shared library libengines.so: No such file or directory
309D9E8B7F000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
309D9E8B7F000000:error:0700006E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:321:module=engines, path=engines
309D9E8B7F000000:error:07000071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:266:module=engines

You need 1+ provider, devcrypto, AFALG, GOST... You can build > 1 and configure at runtime.


I have to choose one here, right?


I cannot get it: how did it work without any of those enabled?
I followed other's recommendations on the IPQ807x thread to disable engine support because the crypto core hardware acceleration is broken.
Most guys there have it disabled and don't see that startup failure.

Don't know the history, there are a number of changes across versions, and if you are carrying forward a config there are changes that may also impact.


Solution found on the NSS dedicated thread thanks to @qosmio.
The reason was in the openssl config indeed.

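The error trace earlier in the thread ends in `module=engines` from the configuration file routines, meaning the config file requests an `engines` module that the build cannot provide. The script below is an added example (not from the thread or from OpenWrt) that lists the modules a config file's init section requests and flags `engines`; the sample config and its section names are constructed, and `.include` directives are not followed.

```shell
#!/bin/sh
# Added example, not from the thread: list the modules an OpenSSL config file
# asks for at startup. Limitation: .include and $variables are not followed.

# Print the keys of the section that the top-level "openssl_conf" key points to.
conf_modules() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next
        }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == "" && k == "openssl_conf") init = v
            keys[sec] = keys[sec] k "\n"
        }
        END { if (init != "") printf "%s", keys[init] }
    ' "$1"
}

# Succeeds when the init section references the "engines" module.
references_engines() {
    conf_modules "$1" | grep -qx 'engines'
}

# Constructed sample config (hypothetical section names).
sample_conf() {
    cat <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
engines = engines_sect

[provider_sect]
default = default_sect

[engines_sect]
devcrypto = devcrypto_sect
EOF
}

# Usage: sh check_conf.sh <path to openssl.cnf>
if [ -n "${1:-}" ] && references_engines "$1"; then
    echo "$1 loads the 'engines' module; requires OpenSSL built with engine support"
fi
```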
