Red Hat patches its OpenSSL implementation with some additional API
calls. That means you cannot use builds from an unpatched upstream
OpenSSL tarball in place of the system libcrypto and libssl libraries.

The proper way is to always obtain updated system packages from your
vendor, i.e., Red Hat. Otherwise you would have to try to update the
source rpm package from RHEL with new openssl version keeping the
patches that Red Hat adds to it. That is definitely not a trivial

If, for some reason, you need newer OpenSSL package for some particular
application that you install to the system, it should be possible to
keep the system openssl package untouched, install the upstream OpenSSL
package somewhere into /opt or /usr/local, and link that application
against this installation of OpenSSL.

The primary question to ask is - why do you need to install
openssl 1.1.1l on RHEL-8.6?

Tomas Mraz, OpenSSL

On Tue, 2022-11-08 at 07:17 +0100, Matthias Apitz wrote:
> Hello,
> We compile openssl 1.1.1l from the sources and run on RedHat 8.6 into
> the
> problem that the system shared lib /usr/lib64/libk5crypto.so.3 misses
> a
> symbol from openssl:
> # objdump -TC /usr/lib64/libk5crypto.so.3 | grep EVP_KDF
> 0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b
> EVP_KDF_ctrl
> 0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b
> EVP_KDF_CTX_new_id
> 0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b
> EVP_KDF_CTX_free
> 0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b
> EVP_KDF_derive
> # objdump -TC libssl.so.1.1 | grep EVP_KDF
> (nix)
> I checked also the sources 1.1.1l and 1.1.1s, there are a lot of
> 'EVP_*'
> symbols, but not EVP_KDF_ctrl.
> What is the correct way to fix this. Thanks in advance.
>         matthias

Tomáš Mráz, OpenSSL

Reply via email to