Openssl upgrade & md4 hashing

At MIT we recently upgraded our base image from a debian-buster image to a debian-bookworm image. This uncovered an incompatibility between the newer version of openssl and one of the hash digests that edx-platform is using, specifically this function.

Our older TLS library was the following:

ii  openssl                            1.1.1d-0+deb10u7             amd64        Secure Sockets Layer toolkit - cryptographic utility

And our upgraded version is:

ii  openssl                            3.0.11-1~deb12u2                        amd64        Secure Sockets Layer toolkit - cryptographic utility

Our research brought us to this github issue which we confirmed to match what we are seeing.

Basically, openssl + hashlib are saying that md4 is supported and available but if you actually try to invoke openssl md4 you’ll get an error saying it is not available. This can be resolved by updating the openssl configuration to include ‘legacy’ digest functions but in lieu of making a config change to an underlying library we would propose updating the hash function to something a bit newer and more widely supported. We intend to open a PR in the coming days that implements this change.

Just wanted to share in case anyone else encounters a similar issue! Thanks!

-Mike Davidson
MIT Open Learning Engineering

Here’s the link to edx-platform PR: fix: replaced md4 with blake2b by Anas12091101 · Pull Request #34442 · openedx/edx-platform · GitHub