Hi,
On 07/06/21 20:26, Lothar Belle wrote:
Hi,
recently I compiled openssl-1.1.1k on CentOS-8
but when I am using libcrypto.so.1.1 I get errors like:
libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
Obviously RedHat added additional features into there own libraries,
but using the same version/naming.
See https://bugzilla.redhat.com/show_bug.cgi?id=1829790
I tried also to apply the patches, but they don‘t work with the latest
source code
https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch
The suggested solution renaming the libraries didn‘t work neither for me.
But we want to use the latest version, including all security fixes,
therefore I can‘t use the build-in version.
Has anybody a solution for this?
Is it planned to implement such features in official OpenSSL in the near future?
CentOS 8(.3) uses openssl 1.1.1g *with security backports* . The whole
idea of an enterprise OS like RHEL 8 is that you fix packages at certain
version (e.g. kernel 4.18.0, gcc 8.3.1, openssl 1.1.1g) and that those
versions will remain (mostly) constant throughout the life cycle of the OS.
Redhat backports security fixes from newer releases into this 1.1.1g
release, thus one can claim that "rhel8 openssl 1.1.1g" is as safe (or
unsafe) as the stock version of openssl 1.1.1k.
If you don't like this, then switch to a distro that does not use this
"version pinning" - the downside of that will that you will be doing
upgrades very frequently.
As you found out, it is nearly impossible to swap out the existing
openssl 1.1.1g with a "stock" openssl version, as RedHat/CentOS have
applied patches to it. My advice would be: don't even try. If you *have
to* use openssl 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS
releases). But keep in mind:
- debian 10 uses openssl 1.1.1d
- ubuntu seems to be at openssl 1.1.1j
etc.
HTH,
JJK
