NTLM fails on Ubuntu 22.04 with OpenSSL 3.0

[wfurt]

It seems like OpenSSL 3.0 (at least on Ubuntu) retired md4.

# openssl md4
Error setting digest
4037123E367F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD4 : 88), Properties ()
4037123E367F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:237:

authentication fails with unknown GSS error: dotnet/runtime#67353
Perhaps gss-ntlm should have fall-back implementation instead of depending on OpenSSL.

[wfurt]

dup of #71.

[simo5]

Ah yeah, in openssl 3.0 the legacy provider is not enabled by default, thus MD4 may not work.
I have a way to re-enable MD4 only for specific operations, but that will also eventually fail once some distrinution decides to completeluy get rid of legacy algorithms, but will carry us there until then.
@wfurt Is this urgent for you to resolve ?

[simo5]

Note that in the short term a workaround is to change the openssl 3.0 configuration (system-wide) to enable the "legacy" provider.

[wfurt]

it seems like we are minutes apart with @filipnavara - closing and opening at the same tome from different continents :)

[wfurt]

I will check if installing legacy openssl and forcing to use it would fix the problem @simo5. if that works I think that can be workaround for some time for anybody who urgently needs to jump on new OS version.

[simo5]

Working on this here: #72
Is there a way to run check on 22.04 on github? my actions conf has ubuntu:latest but all i get is 20.04

[omajid]

Perhaps it's because 22.04 hasn't technically been released yet? https://hub.docker.com/_/ubuntu says 22.04, jammy or devel should get you a 22.04 container.

Edit: this assumes you are using a container via jobs.<id>.container: https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container. If you are using a VM using runs-on: ubuntu-latest, then it's not supported, just like altnernative OS's like Fedora are not supported :(

[simo5]

@omajid annoying, but I guess will test the 3.0 code once github updates the images.
MEanwhile I tested locally on rawhide and #72 seem to work w/o issues

@wfurt can you test if PR #72 solves the problem for you w/o configureing openssl for legacy provider?

[omajid]

@simo5 I can't get Fedora containers to work, but you can see Ubuntu tests failing using this action: https://github.com/omajid/gss-ntlmssp/blob/ci-actions-containers/.github/workflows/ccpp.yml. Result: https://github.com/omajid/gss-ntlmssp/actions/runs/2073611521

[omajid]

If you can help me work around configure: error: GSSAPI library does not support gss_import_cred on Fedora, I can clean it up and do a PR.

[simo5]

What version of Fedora?
As long as you have krb5-devel installed all should work fine

[omajid]

Fedora 35. See the configure section at https://github.com/omajid/gss-ntlmssp/runs/5778418850?check_suite_focus=true:

checking for krb5-config... /usr/bin/krb5-config
checking for gss_import_cred in -lgssapi_krb5... no
configure: error: GSSAPI library does not support gss_import_cred

krb5-devel is installed earlier:

 krb5-devel                             x86_64  1.19.2-2.fc35              fedora   140 k

[simo5]

you need these packages installed to build:
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: m4
BuildRequires: libxslt
BuildRequires: libxml2
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: krb5-devel >= 1.11.2
BuildRequires: libunistring-devel
BuildRequires: openssl-devel
BuildRequires: pkgconfig(wbclient)
BuildRequires: zlib-devel
BuildRequires: make

wbclient is actually optional, but it is easy to install via libwbclient-devel

[omajid]

Yup, I grabbed all the dependencies from the Fedora 35 spec file too. Still doesn't seem to work.

dnf install -y autoconf automake docbook-style-xsl doxygen gettext-devel krb5-devel libtool libunistring-devel libxml2 libxslt m4 make openssl-devel pkgconfig 'pkgconfig(wbclient)' zlib-devel

[simo5]

Something fishy here gss_import_cred is supported since ages

[simo5]

I tested this morning on rawhide (F37) installed from scratch (container image) and worked just fine.
It should work just fin in f35 too though

[omajid]

Rawhide works using the same dnf command, but not Fedora 35 😕

[simo5]

try to avoid the autoreconf
I just tried that and my configure exploded elsewhere on rawhide
There may be some issue with newer autoconf perhaps

[simo5]

Uhm I had missed installing libtool, all seem to be working fine now even after autoreconf

[simo5]

This should be fixed in main now, please reopen or a file a new one in case of more issues