OpenSSL issue with binary outside container (RedHat/Fedora specific)

[mathieu-aubin]

I use the product of this great project on various systems and since aome of them have no running docker instance, i've got the habbit of copying the binaries from the image to a distribution server which is then used to update other systems where i use ffmpeg and friend.

I recently came upon a ssl error while using ffprobe and found out, after some digging, that RedHat flavored distributions apply a patch to modify openssl config file in order to add special, distro-specific config parameters which in turn is unrecognized from an unpatched openssl instance.

[tls @ 0x7f80c8ec3800] error:030000A9:digital envelope routines::unknown option

I first tried adding -reconnect_on_network_error true to my ffprobe command with some success.
the initial error message still shows but the command is ran without problems afterwards.

After some research.. i found this openssl/openssl#23016

I then found what ultimately works for me which is explained in my comment HERE

file /etc/crypto-policies/back-ends/opensslcnf.config contains the unrecognized config argument (Fedora set to yes and no on RedHat)

[evp_properties] rh-allow-sha1-signatures = yes

I raise this to let you know about my issue and how i 'fixed' it so you can see if it's worth including in the readme file somehow.

[wader]

Thanks for letting me know and research it. Yeap sounds like this should be a new know issue section in the readme, and i guess this also happens with some docker base image in addition to"host" distros?

[mathieu-aubin]

I would think that yes, if you used any RedHat based distro as base container os, the problem would appear also... Best is to change the configuration value from enabled to disabled in /etc/ssl/openssl.cnf -> config_diagnostics = 0

I don't have the language skills to really explain it in a simple manner in the readme file but you are better at that than i am, i am certain. I'm so french... Maybe something akin to..

"An SSL 'unknown option' error is likely to arise on RedHat based distributions when crypto (openssl) is called."

Then somehow explain the simple modification required to ignore the error.. maybe also link to the relevant stuff..

[wader]

👍 ok! i gave it a shot in #467

[mathieu-aubin]

Without modifying ooenssl.cnf, -reconnect_on_network_error true option added to the command line does warn about the unrecognized option while also perfor.ing a round 2 and ultimately performing the requested command...

[wader]

Without modifying ooenssl.cnf, -reconnect_on_network_error true option added to the command line does warn about the unrecognized option while also perfor.ing a round 2 and ultimately performing the requested command...

Aha, added note about it. By "round 2" do you mean it does a new connection that succeeds on error ?

[mathieu-aubin]

Check this out