error:25066067:DSO support routines:dlfcn_load:could not load the shared library

[laneme]

Version

16.15.0

Platform

Linux usernam 5.15.0-30-generic #31-Ubuntu SMP Thu May 5 10:00:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Very unfornutalely i cannot find a way to reproduce this accross platforms but its worth noting that this problem isnt specific to version 16.15.0. It happens on 16.10.0 and 18.* too

The following code is what triggers the error

var crypto = require('crypto')
var sign = crypto.createSign('RSA-SHA256')
sign.update(some_buffer)
sign.sign(some_private_key)

How often does it reproduce? Is there a required condition?

It DOES throw on the machine with OpenSSL 3.0.2, it does NOT throw on the OpenSSL 1.1.1f machine.

What is the expected behavior?

Expecting a signed buffer returned from crypto.sign funciton.

What do you see instead?

node:internal/crypto/sig:131
  const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
                            ^

Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
    at Sign.sign (node:internal/crypto/sig:131:29)
    at Object.<anonymous> (/mytestfile.js:4:8)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
    at node:internal/main/run_main_module:17:47 {
  opensslErrorStack: [
    'error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib',
    'error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error',
    'error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header',
    'error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long',
    'error:0E076071:configuration file routines:module_run:unknown module name',
    'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
    'error:25070067:DSO support routines:DSO_load:could not load the shared library'
  ],
  library: 'DSO support routines',
  function: 'dlfcn_load',
  reason: 'could not load the shared library',
  code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}

Additional information

No response

[nemesisridiculii]

I'm getting the same error while using the Google Cloud Storage client library. When it goes to sign data to request an access token, it throws that error. I can also reproduce using the steps @laneme listed above.

As a workaround, I ran export OPENSSL_CONF=/dev/null before starting node. This prevents the issue and the code begins to work, however this also bypasses the config for openssl.

I first ran into this issue after upgrading to Ubuntu 22.04 which has the same uname -a as @laneme originally reported as their platform. This also has OpenSSL 3.0.2.

[bnoordhuis]

There's almost certainly something in your openssl configs that instruct it to load a third-party library ("engine" in openssl nomenclature) that's missing or, more likely, incompatible with openssl 3.

[nemesisridiculii]

Because this seems like a configuration issue with Ubuntu, I posted this same question on askubuntu.com here: https://askubuntu.com/questions/1409458/openssl-config-cuases-error-in-node-js-crypto-how-should-the-config-be-updated

[k0d3d]

Hi Guys,
I found a workaround while facing this issue using firebase-admin.
Hence, we suggest you to comment out the lines providers = provider_sectin the file/etc/ssl/openssl.cnf` and restart application once.

I took it off https://help.zoho.com/portal/en/community/topic/cant-install-zoho-workdrive-app-in-ubuntu-22-04

[bjconlan]

Yeah I found this to also work nicely with fedora 36 (given all providers in the provider_sect are commented out anyways). I think this is probably the most secure option (well at least over overriding the OPENSSL_CONF)

[sergiycheck]

I encountered the same error with Ubuntu 22.04 LTS jammy when trying to encrypt with RSA256 algorithm with jsonwebtoken library and jwt.sign() method.
Commenting the line mentioned above in the openssl.cnf file fixed this error.

[nemesisridiculii]

Thanks @k0d3d. That's an interesting fix. If I'm understanding the config file correctly (which seems unlikely as I'm not an openssl guru) commenting out that line should mean that openssl loads the default provider and no others. (see man 7 OSSL_PROVIDER-default). This makes sense, however looking through the config, I don't see where any other providers are loaded anyway. I tried un-commenting the line activate = 1 in [default_sect] which didn't work. I also tried commenting out the line default = default_sect in [provider_sect] again with no luck.

Somehow it seems like if the config file defines any provider section (even if it does not define any providers) then it does not load the default provider, even if explicitly told to do so. Perhaps the default provider is complied in statically and cannot be loaded dynamically? Perhaps a bug in the openssl config routines?

Looks like providers are a new concept in openssl 3.0, so hopefully Ubuntu will provide an appropriate config soon. openssl/openssl#16249. In the meantime, I guess we now have two viable workarounds.

[bnoordhuis]

As this isn't a bug in node I'll go ahead and convert the issue to a discussion.

[nyetwurk]

Others are seeing this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011051

[edmorley]

Launchpad issue for porting the fix to Ubuntu 22.04's openssl:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1979639

[citkane]

I am experiencing the same issue when tying to use crypto.createPrivateKey, and found this discussion.

My setup:

• Ubuntu 22.04
• Node v16.15.1

The behavior is weird - I will illustrate below with the test code below:

const crypto = require('crypto');
const privateKeyPEM = '...'

console.log('------------------------------------------------------TRY 01')
try {
	console.log(crypto.createPrivateKey(privateKeyPEM))
} catch (err) {
	console.log(err)
}
console.log('------------------------------------------------------TRY 02')
try {
	console.log(crypto.createPrivateKey(privateKeyPEM))
} catch (err) {
	console.log(err)
}
console.log('------------------------------------------------------END')

This is launched with: node ./index.js, and yeilds:

------------------------------------------------------TRY 01
Error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
    at Object.createPrivateKey (node:internal/crypto/keys:618:12)
    at Object.<anonymous> (/home/michaeladmin/Code/mioScaffold/build/mioScaffold.js:97:24)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
    at node:internal/main/run_main_module:17:47 {
  opensslErrorStack: [
    'error:0E076071:configuration file routines:module_run:unknown module name',
    'error:0E07506E:configuration file routines:module_load_dso:error loading dso',
    'error:25070067:DSO support routines:DSO_load:could not load the shared library'
  ],
  library: 'DSO support routines',
  function: 'dlfcn_load',
  reason: 'could not load the shared library',
  code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
------------------------------------------------------TRY 02
PrivateKeyObject { [Symbol(kKeyType)]: 'private' }
------------------------------------------------------END

which shows that the issue only occurs on the first run, and subsequent calls succeed.

Launching the same file with: OPENSSL_CONF=/dev/null node ./index.js yields:

------------------------------------------------------TRY 01
PrivateKeyObject { [Symbol(kKeyType)]: 'private' }
------------------------------------------------------TRY 02
PrivateKeyObject { [Symbol(kKeyType)]: 'private' }
------------------------------------------------------END

I am just recording my observations - hopefully they are helpful to somebody with hands in code somewhere!

[bchew]

We've encountered this issue previously with version 16.15.0 on Ubuntu 22.04 and based on our testing so far, it has been resolved in 16.16.0. Looking at the release notes, it looks to me this was resolved in https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223 | #43124

Thought to just mention in this thread if it resolves it for your use-case as well.

[citkane]

I can confirm that upgrading to NODE 16.16.0 resolves the issue for my use case above.

[kevgilmore]

I'm on v18.6.0 and I still get the error using npm package google-spreadsheet

[nayruthCalla]

Hello everyone, I also come to confirm that changing node version to 16.16.0 worked for me. thank you very much

[octaviotastico]

I confirm it worked on v16.16.0, I was using v16.15.1 and I was having this error

[aamaruf]

sudo nano /etc/ssl/openssl.cnf
commented out providers = provider_sect from [provider_sect] section

this solved my issue

[njraladdin]

this solved it for me on ubuntu 22!

[seco35]

Upgrading to 16.16.0 did not solve it and commenting this in the config file worked. However the
"providers = provider_sect" was in [openssl_init] section in my case.

[huuthang201]

thanks

[rlscode]

In my case i use Phantom for generate highcharts graph with Ubuntu 22.04.2 LTS and OpenSSL 3.0.2

[openssl_init]
# providers = provider_sect
# ssl_conf = ssl_sect

[provider_sect]
default = default_sect

# This one 👇
[default_sect]
activate = 1

[AlexandroDRK]

This work for me in Kubuntu 22.10 and OpenSSL 3.0.5, tanks!!!

[Dhruvn-patel]

how can i solve same problem in windows
Node.js: v16.15.1
"openssl": "^2.0.0",

[laneme]

For users who dont have any specific version requirements for either ubuntu or openssl, it seem to have solved for any of the 2023's versions of ubuntu desktop v22 for me.