(PE-36344) Disable curl's ntlm if OpenSSL excludes it

[justinstoller]

OpenSSL 3.0 by default disables some legacy algorithms that are required for ntlm. We previously kept them enabled for Bolt's WinRM transport but in b85bf0f made the inclusion of these legacy algorithms optional so that the agent and company no longer have to include insecure crypto on account of Bolt.

However, removing the NTLM algorithms from OpenSSL caused downstream failures in the compilation of curl, which this patch addresses by disabling curl's support for NTLM.

[justinstoller]

Locally:

puppet-runtime on  disable-ntlm-in-curl [?] Ruby v2.7.6 
➜  bundle exec vanagon build agent-runtime-main el-8-x86_64 localhost:55000

....snip....

mkdir output
mkdir agent-runtime-main-archive
gunzip -c agent-runtime-main-202307120.5.gd31b127.tar.gz | 'tar' -C agent-runtime-main-archive -xf -
rm agent-runtime-main-202307120.5.gd31b127.tar.gz
cd agent-runtime-main-archive/agent-runtime-main-202307120.5.gd31b127; rm -f bill-of-materials; tar cf ../../agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar *
gzip -9c agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar > agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar.gz
cp build_metadata.agent-runtime-main.el-8-x86_64.json output/agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.json
cp bill-of-materials output/agent-runtime-main-202307120.5.gd31b127.el-8-x86_64-bill-of-materials ||:
cp agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar.gz output
sha1sum output/agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar.gz > output/agent-runtime-main-202307120.5.gd31b127.el-8-x86_64.tar.gz.sha1
Warning: Permanently added '[localhost]:55000' (ED25519) to the list of known hosts.

puppet-runtime on  disable-ntlm-in-curl [!?] Ruby v2.7.6 after 10m33s 

[joshcooper]

Here is what your code changes would affect:

Project pe-installer-runtime-main

Nothing is affected 😊

Project pe-bolt-server-runtime-main

Nothing is affected 😊

Project agent-runtime-7.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]

Project pe-bolt-server-runtime-2021.7.x

Nothing is affected 😊

Project pe-bolt-server-runtime-2019.8.x

Nothing is affected 😊

Project pe-installer-runtime-2019.8.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/installer/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/installer/lib'      ./configure --prefix=/opt/puppetlabs/installer         --with-ssl=/opt/puppetlabs/installer         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/installer/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/installer/ssl/certs         CFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/installer/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/installer/lib'      ./configure --prefix=/opt/puppetlabs/installer         --with-ssl=/opt/puppetlabs/installer --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/installer/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/installer/ssl/certs         CFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include '         "]

Project pe-installer-runtime-2021.7.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/installer/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/installer/lib'      ./configure --prefix=/opt/puppetlabs/installer         --with-ssl=/opt/puppetlabs/installer         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/installer/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/installer/ssl/certs         CFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/installer/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/installer/lib'      ./configure --prefix=/opt/puppetlabs/installer         --with-ssl=/opt/puppetlabs/installer --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/installer/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/installer/ssl/certs         CFLAGS='-I/opt/puppetlabs/installer/include -I/opt/pl-build-tools/include '         "]

Project agent-runtime-6.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]

Project bolt-runtime

Nothing is affected 😊

Project pdk-runtime

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/pdk/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/pdk/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/pdk/lib'      ./configure --prefix=/opt/puppetlabs/pdk         --with-ssl=/opt/puppetlabs/pdk         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/pdk/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/pdk/ssl/certs         CFLAGS='-I/opt/puppetlabs/pdk/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/pdk/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/pdk/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/pdk/lib'      ./configure --prefix=/opt/puppetlabs/pdk         --with-ssl=/opt/puppetlabs/pdk --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/pdk/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/pdk/ssl/certs         CFLAGS='-I/opt/puppetlabs/pdk/include -I/opt/pl-build-tools/include '         "]

Project client-tools-runtime-main

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]

Project client-tools-runtime-2019.8.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]

Project client-tools-runtime-2021.7.x

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/client-tools/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/client-tools/lib'      ./configure --prefix=/opt/puppetlabs/client-tools         --with-ssl=/opt/puppetlabs/client-tools --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/client-tools/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/client-tools/ssl/certs         CFLAGS='-I/opt/puppetlabs/client-tools/include -I/opt/pl-build-tools/include '         "]

Project agent-runtime-main

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]

[justinstoller]

Oooooo, thank you @joshcooper ! I didn't intend to change curl for 7.x runtimes....

[justinstoller]

I will see if I can update this to conditionally disable ntlm if use_legacy_openssl_algos is falsey and the openssl version matches "^3\.".

[justinstoller]

⚠️ DISCLAIMER

This task is still experimental, it can be invoked locally provided that development dependencies are installed (bundle install --with development).

Ensure all your local changes are committed, then run bundle exec rake vanagon:component_diff -- [options].

Run the task with --help to see all available options. If you notice unexpected behavior or want to suggest improvements, ping #prod-puppet-agent on Slack.

Here is what your code changes would affect:

Project pdk-runtime

Platform name: el-7-x86_64

Component 'openssl-3.0'

        Field: configure[0]

- [" ./Configure --prefix=/opt/puppetlabs/pdk --libdir=lib --openssldir=/opt/puppetlabs/pdk/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-legacy no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]
+ [" ./Configure --prefix=/opt/puppetlabs/pdk --libdir=lib --openssldir=/opt/puppetlabs/pdk/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-legacy no-md4 no-des no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]

Project pe-bolt-server-runtime-2019.8.x

Nothing is affected 😊

Project client-tools-runtime-2021.7.x

Nothing is affected 😊

Project pe-bolt-server-runtime-2021.7.x

Nothing is affected 😊

Project pe-installer-runtime-2021.7.x

Nothing is affected 😊

Project agent-runtime-main

Platform name: el-7-x86_64

Component 'curl'

        Field: configure[0]

- ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]
+ ["CPPFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include'       LDFLAGS='-L/opt/puppetlabs/puppet/lib -L/opt/pl-build-tools/lib -Wl,-rpath=/opt/puppetlabs/puppet/lib'      ./configure --prefix=/opt/puppetlabs/puppet         --with-ssl=/opt/puppetlabs/puppet --disable-ntlm         --enable-threaded-resolver         --disable-ldap         --disable-ldaps         --with-ca-bundle=/opt/puppetlabs/puppet/ssl/cert.pem         --with-ca-path=/opt/puppetlabs/puppet/ssl/certs         CFLAGS='-I/opt/puppetlabs/puppet/include -I/opt/pl-build-tools/include '         "]

Component 'openssl-3.0'

        Field: configure[0]

- [" ./Configure --prefix=/opt/puppetlabs/puppet --libdir=lib --openssldir=/opt/puppetlabs/puppet/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-legacy no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]
+ [" ./Configure --prefix=/opt/puppetlabs/puppet --libdir=lib --openssldir=/opt/puppetlabs/puppet/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-legacy no-md4 no-des no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]

Project pe-bolt-server-runtime-main

Nothing is affected 😊

Project agent-runtime-6.x

Nothing is affected 😊

Project client-tools-runtime-main

Nothing is affected 😊

Project client-tools-runtime-2019.8.x

Nothing is affected 😊

Project bolt-runtime

Nothing is affected 😊

Project agent-runtime-7.x

Nothing is affected 😊

Project pe-installer-runtime-2019.8.x

Nothing is affected 😊

Project pe-installer-runtime-main

Platform name: el-7-x86_64

    Component 'rubygem-rubyntlm-fork' was removed, not showing diff for it ❌

Component 'openssl-3.0'

        Field: configure[0]

- [" ./Configure --prefix=/opt/puppetlabs/installer --libdir=lib --openssldir=/opt/puppetlabs/installer/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-legacy no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]
+ [" ./Configure --prefix=/opt/puppetlabs/installer --libdir=lib --openssldir=/opt/puppetlabs/installer/ssl shared no-gost linux-x86_64  no-camellia no-md2 no-ssl3 no-ssl3-method no-dtls1-method no-dtls1_2-method no-aria no-rc5 no-mdc2 no-whirlpool no-dtls no-dtls1 no-idea no-seed no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS"]

        Field: patches[0]

+ {"origin_path"=>"resources/patches/openssl/openssl-3-activate-legacy-algos.patch", "namespace"=>"openssl-3.0", "assembly_path"=>"patches/openssl-3.0/openssl-3-activate-legacy-algos.patch", "strip"=>1, "fuzz"=>0, "after"=>"unpack", "destination"=>nil}

[justinstoller]

Weird, the result I pasted above is from the invocation that Josh gave me in the previous PR so it includes those openssl changes as well. And the pdk-runtime only seems to have those openssl changes... I ran the command again with the correct invocation for just this PR and it only showed changes for agent-runtime-main. BUT, since pdk-runtime changed in the last PR I expected it to change here as well. I'm currently building that locally.

[joshcooper]

There's a bug in the component_diff command when using markdown, as it doesn't put a newline between </detail> and the start of the next project. I updated your comment so it displays the projects correctly.

[justinstoller]

Thank you

[justinstoller]

Okay, well pdk-runtime builds just fine so I guess my concerns were unfounded.

[justinstoller]

Since this was only known to fail in the agent runtime builds, it is the only changed project, and we got an approval from phoenix I'm not going to wait for other reviews to merge.