[9.0] [artifacts] Remove default --openssl-legacy-provider (#213123) (#213173)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[artifacts] Remove default --openssl-legacy-provider
(#213123)](https://github.com/elastic/kibana/pull/213123)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT
[{"author":{"name":"Jon","email":"jon@elastic.co"},"sourceCommit":{"committedDate":"2025-03-04T22:51:46Z","message":"[artifacts]
Remove default --openssl-legacy-provider (#213123)\n\n# Release
note\n\nLegacy OpenSSL algorithms have been disabled by default.
Further\ninformation on which algorithms can be found
at\nhttps://docs.openssl.org/3.0/man7/OSSL_PROVIDER-legacy. These can
be\nre-enabled by adding `--openssl-legacy-provider`
to\n`$KBN_PATH_CONF/node.options`","sha":"98a7259ee148c64392c7df5995d18067a464389a","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:breaking","Team:Operations","v9.0.0","ci:all-cypress-suites","ci:cloud-deploy","ci:project-deploy-elasticsearch","backport:version","v9.1.0"],"title":"[artifacts]
Remove default
--openssl-legacy-provider","number":213123,"url":"https://github.com/elastic/kibana/pull/213123","mergeCommit":{"message":"[artifacts]
Remove default --openssl-legacy-provider (#213123)\n\n# Release
note\n\nLegacy OpenSSL algorithms have been disabled by default.
Further\ninformation on which algorithms can be found
at\nhttps://docs.openssl.org/3.0/man7/OSSL_PROVIDER-legacy. These can
be\nre-enabled by adding `--openssl-legacy-provider`
to\n`$KBN_PATH_CONF/node.options`","sha":"98a7259ee148c64392c7df5995d18067a464389a"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213123","number":213123,"mergeCommit":{"message":"[artifacts]
Remove default --openssl-legacy-provider (#213123)\n\n# Release
note\n\nLegacy OpenSSL algorithms have been disabled by default.
Further\ninformation on which algorithms can be found
at\nhttps://docs.openssl.org/3.0/man7/OSSL_PROVIDER-legacy. These can
be\nre-enabled by adding `--openssl-legacy-provider`
to\n`$KBN_PATH_CONF/node.options`","sha":"98a7259ee148c64392c7df5995d18067a464389a"}}]}]
BACKPORT-->

Co-authored-by: Jon <jon@elastic.co>

config/node.options

@@ -10,6 +10,3 @@
 
 ## restore < Node 16 default DNS lookup behavior
 --dns-result-order=ipv4first
-
-## enable OpenSSL 3 legacy provider
---openssl-legacy-provider

src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile

@@ -155,9 +155,6 @@ COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
 {{#serverless}}
 ENV PROFILER_SIGNAL=SIGUSR1
 {{/serverless}}
-{{^opensslLegacyProvider}}
-RUN sed 's/\(--openssl-legacy-provider\)/#\1/' -i config/node.options
-{{/opensslLegacyProvider}}
 
 # Add the launcher/wrapper script. It knows how to interpret environment
 # variables and translate them to Kibana CLI options.

src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts

@@ -19,7 +19,6 @@ function generator(options: TemplateContext) {
   return Mustache.render(template.toString(), {
     wolfi: options.baseImage === 'wolfi',
     ubi: options.baseImage === 'ubi',
-    opensslLegacyProvider: !(options.cloud || options.serverless || options.fips),
     ...options,
   });
 }

src/setup_node_env/openssl_legacy_provider/index.js

@@ -1,20 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-var branch = require('../../../package.json').branch;
-var docsBranch = branch.match(/^\d\.\d\d?$/) || 'current';
-var openSSLLegacyProviderEnabled = require('./openssl_legacy_provider_enabled')();
-
-if (openSSLLegacyProviderEnabled) {
-  console.log(
-    'Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/' +
-      docsBranch +
-      '/production.html#openssl-legacy-provider'
-  );
-}

src/setup_node_env/openssl_legacy_provider/openssl_legacy_provider_enabled.js

@@ -1,15 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-var crypto = require('crypto');
-
-// The blowfish cipher is only available when node is running with the --openssl-legacy-provider flag
-module.exports = function () {
-  return crypto.getCiphers().includes('blowfish');
-};

src/setup_node_env/openssl_legacy_provider/openssl_legacy_provider_enabled.test.js

@@ -1,79 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-var spawnSync = require('child_process').spawnSync;
-
-describe('openSSLLegacyProviderEnabled', function () {
-  function runLegacyProviderCheck(execOptions, nodeOptions) {
-    var result = spawnSync(
-      process.execPath,
-      (execOptions ? execOptions.split(' ') : []).concat([
-        '-p',
-        "require('./openssl_legacy_provider_enabled')()",
-      ]),
-      {
-        env: {
-          NODE_OPTIONS: nodeOptions || '',
-        },
-        encoding: 'utf-8',
-        cwd: __dirname,
-      }
-    );
-    var stdout = result.stdout.trim();
-    return stdout === 'true';
-  }
-
-  it('should be disabled by default', function () {
-    expect(runLegacyProviderCheck()).toBe(false);
-  });
-
-  describe('using NODE_OPTIONS', function () {
-    it('should be enabled when --openssl-legacy-provider is set', function () {
-      expect(runLegacyProviderCheck(null, '--openssl-legacy-provider')).toBe(true);
-    });
-
-    it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () {
-      expect(
-        runLegacyProviderCheck(null, '--no-openssl-legacy-provider --openssl-legacy-provider')
-      ).toBe(true);
-    });
-
-    it('should be disabled when --no-openssl-legacy-provider is set', function () {
-      expect(runLegacyProviderCheck(null, '--no-openssl-legacy-provider')).toBe(false);
-    });
-
-    it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () {
-      expect(
-        runLegacyProviderCheck(null, '--openssl-legacy-provider --no-openssl-legacy-provider')
-      ).toBe(false);
-    });
-  });
-
-  describe('using exec arguments', function () {
-    it('should be enabled when --openssl-legacy-provider is set', function () {
-      expect(runLegacyProviderCheck('--openssl-legacy-provider')).toBe(true);
-    });
-
-    it('should be enabled when --openssl-legacy-provider is set after --no-openssl-legacy-provider', function () {
-      expect(runLegacyProviderCheck('--no-openssl-legacy-provider --openssl-legacy-provider')).toBe(
-        true
-      );
-    });
-
-    it('should be disabled when --no-openssl-legacy-provider is set', function () {
-      expect(runLegacyProviderCheck('--no-openssl-legacy-provider')).toBe(false);
-    });
-
-    it('should be disabled when --no-openssl-legacy-provider is set after --openssl-legacy-provider', function () {
-      expect(runLegacyProviderCheck('--openssl-legacy-provider --no-openssl-legacy-provider')).toBe(
-        false
-      );
-    });
-  });
-});

src/setup_node_env/setup_env.js

@@ -15,4 +15,3 @@ require('./harden');
 require('symbol-observable');
 require('source-map-support').install();
 require('./node_version_validator');
-require('./openssl_legacy_provider');

src/setup_node_env/tsconfig.json

@@ -6,7 +6,6 @@
   "include": [
     "harden/**/*",
     "root/**/*",
-    "openssl_legacy_provider/**/*",
     "*.js",
     "*.ts",
   ],