Re: Compile openssl-1.1.1k on CentOS8

2021-06-08 Thread Hubert Kario

On Monday, 7 June 2021 20:26:28 CEST, Lothar Belle wrote:

Hi,
recently I compiled openssl-1.1.1k on CentOS-8
but when I am using libcrypto.so.1.1 I get errors like:

libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b

Obviously RedHat added additional features into their own libraries,
but using the same version/naming.
See https://bugzilla.redhat.com/show_bug.cgi?id=1829790

I also tried to apply the patches, but they don't work with the latest
source code

https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch

The suggested solution of renaming the libraries didn't work for me either.

But we want to use the latest version, including all security fixes,
therefore I can't use the built-in version.


Please note that packages in RHEL, and thus, later, in CentOS, include
security fixes: https://access.redhat.com/security/updates/backporting
even if their package version is older than the newest upstream release.

But that's not the only reason why those packages have additional patches;
they also have them to better integrate with the rest of the system:
https://access.redhat.com/articles/3655361
or integrate with features like system-wide crypto policies:
https://access.redhat.com/articles/3666211
or, as in the case of the openssl-1.1.1-evp-kdf.patch, to provide features
from newer releases (like 3.0.0) in an older ABI release.

So I'd strongly suggest against replacing the .so files of any low-level
library, in any distribution, not just RHEL or CentOS.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic



Re: Re: Compile openssl-1.1.1k on CentOS8

2021-06-08 Thread Hal Murray


janj...@nikhef.nl said:
> As you found out, it is nearly impossible to swap out the existing openssl
> 1.1.1g with a "stock" openssl version, as RedHat/CentOS have applied patches
> to it. My advice would be: don't even try. If you *have to* use openssl
> 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS releases). But keep
> in mind: - debian 10 uses openssl 1.1.1d - ubuntu seems to be at openssl
> 1.1.1j etc.

There are two cases.  One is where you want to replace the system libraries so
that all the installed programs that use libssl will now use your new version.
I agree doing that is crazy.  That's what distros are for.

But if you are working on a program and you want that one program to use a new 
version, that's not so hard.  The trick is to install your new version of 
openssl in /usr/local/ (or wherever).  Then you have to patch the build recipe 
for your program to look there.  This is how you would get your program ready 
for 3.0.0 or get a program that needs TLS1.3 to work on a distro that is stuck 
in the dark ages.

I use:
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared
to build and install OpenSSL, then, for waf:
ctx.env.INCLUDES = ["/usr/local/ssl/include"]
ctx.env.LIBPATH = ["/usr/local/ssl/lib"]

I don't remember where I found that config line.


-- 
These are my opinions.  I hate spam.
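The per-program approach described in the message above, as an added example that is not code from the thread or from any of its authors: a privately built OpenSSL stays under its own prefix, the one program is compiled and linked against it with an rpath, and `ldd` output is checked to confirm that libssl and libcrypto resolve from that prefix rather than from the distribution's copies (the symptom in the original report, `libk5crypto.so.3` failing on `EVP_KDF_ctrl`, is exactly what happens when the system copy is replaced instead). The prefix `/usr/local/ssl` mirrors the quoted `./config` line and is an assumption; the `ldd` listings are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread. A privately built OpenSSL lives
# under its own prefix and only one program is pointed at it; the
# distribution's libssl/libcrypto are never replaced. OPENSSL_PREFIX mirrors
# the --prefix in the quoted ./config line and is an assumption; the ldd
# output further down is constructed sample data.
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/usr/local/ssl}"

# Compiler and linker flags for the one program that should use the private
# copy. The rpath is the part that is easy to forget: -I/-L only affect build
# time, and without an rpath the finished binary still resolves
# libcrypto.so.1.1 from the system search path, i.e. the RHEL/CentOS build.
private_openssl_flags() {
    printf 'CFLAGS=-I%s/include\n' "$OPENSSL_PREFIX"
    printf 'LDFLAGS=-L%s/lib -Wl,-rpath,%s/lib\n' "$OPENSSL_PREFIX" "$OPENSSL_PREFIX"
}

# Read `ldd <binary>` output from stdin and check where libssl and libcrypto
# resolve. Exit status: 0 = both resolve under the prefix given as $1,
# 1 = at least one resolves elsewhere (typically the system copy),
# 2 = at least one is "not found" (rpath points at an empty prefix).
check_openssl_deps() {
    prefix="$1"
    status=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | awk '{print $1}')
        case "$line" in
            *"not found"*)
                echo "MISSING  $name"
                status=2 ;;
            *"=> $prefix/"*)
                echo "OK       $name -> private copy under $prefix" ;;
            *)
                path=$(printf '%s\n' "$line" | awk '{print $3}')
                echo "MISMATCH $name -> $path (not under $prefix)"
                if [ "$status" -eq 0 ]; then status=1; fi ;;
        esac
    done
    return "$status"
}

# Constructed ldd output: a binary correctly linked against the private copy.
SAMPLE_LDD_PRIVATE='    linux-vdso.so.1 (0x00007ffc00000000)
    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f0000100000)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000300000)'

# Constructed ldd output: built against the new headers but linked without an
# rpath, so at run time it silently picks up the distribution's libraries.
SAMPLE_LDD_SYSTEM='    linux-vdso.so.1 (0x00007ffc00000000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000100000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000300000)'

# Constructed ldd output: rpath points at a prefix that was never installed.
SAMPLE_LDD_MISSING='    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found'

# Stand-alone demonstration on the constructed samples. On a real system:
#   ldd ./yourprog | check_openssl_deps "$OPENSSL_PREFIX"
private_openssl_flags
for sample in "$SAMPLE_LDD_PRIVATE" "$SAMPLE_LDD_SYSTEM" "$SAMPLE_LDD_MISSING"; do
    if printf '%s\n' "$sample" | check_openssl_deps "$OPENSSL_PREFIX"; then
        echo "exit status: 0"
    else
        echo "exit status: $?"
    fi
done
```

The MISMATCH case is the one worth wiring into a build's test stage: a program that compiles cleanly against `/usr/local/ssl/include` but links without `-Wl,-rpath` will run against the distribution's `libcrypto.so.1.1`, which is the silent version of the problem the original poster hit loudly.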





Re: Compile openssl-1.1.1k on CentOS8

2021-06-08 Thread Jan Just Keijser

Hi,

On 07/06/21 20:26, Lothar Belle wrote:

Hi,
recently I compiled openssl-1.1.1k on CentOS-8
but when I am using libcrypto.so.1.1 I get errors like:

libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b

Obviously RedHat added additional features into their own libraries,
but using the same version/naming.
See https://bugzilla.redhat.com/show_bug.cgi?id=1829790

I also tried to apply the patches, but they don't work with the latest
source code

https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch

The suggested solution of renaming the libraries didn't work for me either.

But we want to use the latest version, including all security fixes,
therefore I can't use the built-in version.

Does anybody have a solution for this?
Is it planned to implement such features in official OpenSSL in the near future?

CentOS 8(.3) uses openssl 1.1.1g *with security backports*. The whole 
idea of an enterprise OS like RHEL 8 is that you fix packages at a certain 
version (e.g. kernel 4.18.0, gcc 8.3.1, openssl 1.1.1g) and that those 
versions will remain (mostly) constant throughout the life cycle of the OS.
Redhat backports security fixes from newer releases into this 1.1.1g 
release, thus one can claim that "rhel8 openssl 1.1.1g" is as safe (or 
unsafe) as the stock version of openssl 1.1.1k.


If you don't like this, then switch to a distro that does not use this 
"version pinning" - the downside of that will be that you will be doing 
upgrades very frequently.


As you found out, it is nearly impossible to swap out the existing 
openssl 1.1.1g with a "stock" openssl version, as RedHat/CentOS have 
applied patches to it. My advice would be: don't even try. If you *have 
to* use openssl 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS 
releases). But keep in mind:

- debian 10 uses openssl 1.1.1d
- ubuntu seems to be at openssl 1.1.1j
etc.

HTH,

JJK