WL: OpenSSL 1.0.1 or greater

Reported by Robert-accettura on 2012-08-09
This bug affects 2 people
Affects: IUS Community Project
Importance: Wishlist
Assigned to: Jeffrey Ness

Bug Description

Would be great to see OpenSSL 1.0.1 or greater added to the repo.

CentOS 6 shipped with 1.0, however 1.0.1 has some significant changes that are needed by many things including SPDY in web servers (Next Protocol Negotiation TLS). Over the course of CentOS 6's life it's becoming increasingly important.

tags: added: openssl
Jeffrey Ness (jeffrey-ness) wrote :

Thank you for the request Robert, I will certainly look in to this!

Changed in ius:
importance: Undecided → Wishlist
assignee: nobody → Jeffrey Ness (jeffrey-ness)
Robert-accettura (raccettura) wrote :

I know nginx requires 1.0.1, I believe mod_spdy does as well.

Jeffrey Ness (jeffrey-ness) wrote :

Working on an openssl10 package that is based off Fedora's latest package:

 [root@localhost ~]# rpm -qa | grep openssl
openssl10-libs-1.0.1c-7.ius.el6.x86_64
openssl10-1.0.1c-7.ius.el6.x86_64

--

[root@localhost ~]# openssl
OpenSSL> version
OpenSSL 1.0.1c-fips 10 May 2012

--

Would you please give this testing package a whirl?

  yum install openssl10 --enablerepo=ius-testing

Thanks

Changed in ius:
status: New → Fix Committed
status: Fix Committed → In Progress
Robert-accettura (raccettura) wrote :

Hm, doesn't look like this will be a smooth install:

$ sudo yum install openssl10 --enablerepo=ius-testing
[sudo] password for raccettura:
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
epel/metalink | 12 kB 00:00
 * base: mirror.us.leaseweb.net
 * epel: mirror.symnds.com
 * extras: mirror.us.leaseweb.net
 * ius: mirror.rackspace.com
 * ius-testing: mirror.rackspace.com
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: mirror.us.leaseweb.net
base | 3.7 kB 00:00
cr | 3.0 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 3.9 MB 00:00
extras | 3.0 kB 00:00
ius | 2.2 kB 00:00
ius/primary_db ...


Jeffrey Ness (jeffrey-ness) wrote :

Hello Robert,

Yes, this package will conflict with the installed openssl package. In order to address this I will need a bit more information.

Can you please provide the results from the following:

  rpm -qa | grep openssl

Also if this server already has openssl installed, please try the yum replace method:

   yum install yum-plugin-replace
   yum replace openssl --replace-with openssl10

Jeffrey Ness (jeffrey-ness) wrote :

The last command should enable ius-testing:

     yum replace openssl --replace-with=openssl10 --enablerepo=ius-testing

Robert-accettura (raccettura) wrote :

Sorry for the delay. Installed now, giving it a run.

bharper (bharper) wrote :

Hello Robert,

Thanks for the update. We look forward to hearing back from you regarding these packages.

Robert-accettura (raccettura) wrote :

TLS 1.2 is now showing up as supported. Likely won't be able to test NPN in the short term, but the package itself is still being tested.

Robert-accettura (raccettura) wrote :

Still in production and I think things are stable. No incidents to speak of.

Robert-accettura (raccettura) wrote :

Still in production, no regressions noted.

p4guru (p4guru) wrote :

Can confirm working on CentOS 6.3 64bit

Installed Packages
openssl10.x86_64 1:1.0.1c-7.ius.el6 @ius-testing
openssl10-devel.x86_64 1:1.0.1c-7.ius.el6 @ius-testing
openssl10-libs.x86_64 1:1.0.1c-7.ius.el6 @ius-testing
openssl10-perl.x86_64 1:1.0.1c-7.ius.el6 @ius-testing
openssl10-static.x86_64 1:1.0.1c-7.ius.el6 @ius-testing

Do you plan to add support for CentOS 5.8 as well ?

Thanks

Jeffrey Ness (jeffrey-ness) wrote :

Thank you for your updates.

We have recently found what will be a problem with the openssl10 packages:

Packages that BuildRequire openssl will auto resolve to openssl10.

DEBUG util.py:257: ================================================================================
DEBUG util.py:257: Package Arch Version Repository Size
DEBUG util.py:257: ================================================================================
DEBUG util.py:257: Installing:
DEBUG util.py:257: autoconf noarch 2.63-5.1.el6 base 781 k
DEBUG util.py:257: bzip2-devel x86_64 1.0.5-7.el6_0 base 250 k
DEBUG util.py:257: db4-devel x86_64 4.7.25-17.el6 base 6.6 M
DEBUG util.py:257: gdbm-devel x86_64 1.8.0-36.el6 beta-optional 25 k
DEBUG util.py:257: gmp-devel x86_64 4.3.1-7.el6_2.2 base 171 k
DEBUG util.py:257: libX11-devel x86_64 1.3-2.el6 base 1.0 M
DEBUG util.py:257: libffi-devel x86_64 3.0.5-3.2.el6 beta-optional 18 k
DEBUG util.py:257: mesa-libGL-devel x86_64 7.11-5.el6 base 494 k
DEBUG util.py:257: ncurses-devel x86_64 5.7-3.20090208.el6 base 642 k
DEBUG util.py:257: openssl10-devel x86_64 1:1.0.1c-7.ius.el6 ius-testing 1.1 M

--

Being openssl10 provides a different shared library version than openssl this would mean
all BuildRequires will auto resolve to openssl10 (since auto resolves are linked to the shared library):

# rpm -q openssl10-libs -l |grep libcrypto.so
/usr/lib64/.libcrypto.so.1.0.1c.hmac
/usr/lib64/.libcrypto.so.10.hmac
/usr/lib64/libcrypto.so.1.0.1c
/usr/lib64/libcrypto.so.10

# rpm -q openssl -l | grep libcrypto.so
/usr/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libcrypto.so.10.hmac
/usr/lib64/libcrypto.so.1.0.0
/usr/lib64/libcrypto.so.10

--

Jeffrey Ness (jeffrey-ness) wrote :

The epoch which was pulled in from Fedora was causing issues,
the latest -9 release resolves this by removing the epoch:

   http://bazaar.launchpad.net/~ius-coredev/ius/openssl10/view/head:/SPECS/openssl10.spec

--

I ask if you would update your current openssl10 version to openssl10-1.0.1c-9.ius
to verify nothing has broken between the versions.

Once this has been verified, and sits in testing for 14 days I can get it added to IUS Stable

Thank you very much for your assistance!

Robert-accettura (raccettura) wrote :

Doesn't look like I'm finding it:

$ sudo yum update openssl10 --enablerepo=ius-testing
Loaded plugins: downloadonly, fastestmirror, priorities, replace, security
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * epel: mirrors.rit.edu
 * extras: mirror.us.leaseweb.net
 * ius: archive.linux.duke.edu
 * ius-testing: archive.linux.duke.edu
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: mirror.us.leaseweb.net
2034 packages excluded due to repository priority protections
Setting up Update Process
No Packages marked for Update

Jeffrey Ness (jeffrey-ness) wrote :

This is most likely due to the epoch on the old package.

Can you do a:
* yum search openssl10 --enablerepo=ius-testing

You may need to force the install. Or perform a manual upgrade using yum shell.

Robert-accettura (raccettura) wrote :

Here's what I got:

$ yum search openssl10 ––enablerepo=ius-testing
Loaded plugins: downloadonly, fastestmirror, priorities, replace, security
Determining fastest mirrors
epel/metalink | 6.6 kB 00:00
 * base: mirror.us.leaseweb.net
 * epel: mirrors.rit.edu
 * extras: mirror.us.leaseweb.net
 * ius: archive.linux.duke.edu
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: mirror.us.leaseweb.net
base | 3.7 kB 00:00
cr | 3.0 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 4.1 MB 00:00
extras | 3.5 kB 00:00
extras/primary_db | 24 kB 00:00
ius | 2.2 kB 00:00
ius/primary_db | 81 kB 00:00
mod-spdy | 951 B 00:00
newrelic | 951 B 00:00
newrelic/primary | 2.1 kB 00:00
newrelic 5/5
rpmforge | 1.9 kB 00:00
rpmforge/primary_db | 2.6 MB 00:00
rpmforge-extras | 1.9 kB 00:00
rpmforge-extras/primary_db | 460 kB 00:00
updates ...


Jeffrey Ness (jeffrey-ness) wrote :

Hello Robert,

Yeah it does appear you have some packages in this repository,
you should be able to get version information for it by running the following:

    # yum info openssl10 --enablerepo=ius-testing

If you are still seeing the old version you may need to clear your yum cache:

   # yum clean all

Also, one thing I failed to mention is it could take up to 24 hours for all mirrors to sync after
the push was run. That being the case I would wait until tomorrow morning to be sure all packages have synced properly.

The process of upgrading manually I mentioned above would be using yum shell,
you can see information on this below:

   http://iuscommunity.org/pages/UpgradingTheOldWay.html?highlight=shell#upgrading-stock-rhel-packages-to-ius-packages

Please let me know if you have any other issues.

Thanks
Jeffrey-

Robert-accettura (raccettura) wrote :

Tried again and still not seeing an update :-/ Not sure why.

bharper (bharper) wrote :

Hello Robert,

Are you excluding any packages within your yum.conf? Sometimes that can create some confusion. Here is an example with openssh on a test box:

####
# yum check-update
Loaded plugins: downloadonly
fedora/17/x86_64/metalink | 19 kB 00:00
updates/17/x86_64/metalink | 14 kB 00:00

emacs-filesystem.x86_64 1:24.1-7.fc17 updates
git.x86_64 1.7.11.7-2.fc17 updates
glances.noarch 1.5.1-1.fc17 updates
gnupg2.x86_64 2.0.19-5.fc17 updates
grub2.x86_64 1:2.0-0.39.fc17 updates
grub2-tools.x86_64 1:2.0-0.39.fc17 updates
kernel.x86_64 3.6.9-2.fc17 updates
libblkid.x86_64 2.21.2-3.fc17 updates
libcap-ng.x86_64 0.7.3-1.fc17 updates
libmount.x86_64 2.21.2-3.fc17 updates
libuuid.x86_64 2.21.2-3.fc17 updates
openssh-clients.x86_64 5.9p1-28.fc17 updates
openssh-server.x86_64 5.9p1-28.fc17 updates
perl-Git.noarch 1.7.11.7-2.fc17 updates
util-linux.x86_64 2.21.2-3.fc17 updates

# echo "exclude=openssh" >> /etc/yum.conf

# yum check-update
Loaded plugins: downloadonly
fedora/17/x86_64/metalink | 19 kB 00:00
updates/17/x86_64/metalink | 14 kB 00:00

emacs-filesystem.x86_64 1:24.1-7.fc17 updates
git.x86_64 1.7.11.7-2.fc17 updates
glances.noarch 1.5.1-1.fc17 updates
gnupg2.x86_64 2.0.19-5.fc17 updates
grub2.x86_64 1:2.0-0.39.fc17 updates
grub2-tools.x86_64 1:2.0-0.39.fc17 updates
kernel.x86_64 3.6.9-2.fc17 updates
libblkid.x86_64 2.21.2-3.fc17 updates
libcap-ng.x86_64 0.7.3-1.fc17 updates
libmount.x86_64 2.21.2-3.fc17 updates
libuuid.x86_64 2.21.2-3.fc17 updates
openssh-clients.x86_64 5.9p1-28.fc17 updates
openssh-server.x86_64 5.9p1-28.fc17 ...


Jeffrey Ness (jeffrey-ness) wrote :

Hello Robert,

Are you still having issues updating to openssl10-1.0.1c-9.ius?

The reason you are not seeing openssl10-1.0.1c-9.ius as an update is most likely
due to the epoch that was marked on openssl10-1.0.1c-9.ius:

# rpm -q openssl10
openssl10-1.0.1c-7.ius.el6.x86_64

# yum install openssl10 --enablerepo=ius-testing
Loaded plugins: fastestmirror, replace
Loading mirror speeds from cached hostfile
 * base: mirrors.loosefoot.com
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirrors.loosefoot.com
 * ius: mirror.sothatswhy.org.uk
 * ius-testing: mirror.sothatswhy.org.uk
 * updates: mirrors.loosefoot.com
ius-testing | 2.2 kB 00:00
ius-testing/primary_db | 58 kB 00:00
Setting up Install Process
Package matching openssl10-1.0.1c-9.ius.el6.x86_64 already installed. Checking for update.
Nothing to do

--

What you will need to do is a manual remove and install of openssl10:

# yum shell --enablerepo=ius-testing

> remove openssl10 openssl10-libs

> install openssl10 openssl10-libs

> run

--> Running transaction check
---> Package openssl10.x86_64 0:1.0.1c-9.ius.el6 will be installed
---> Package openssl10.x86_64 1:1.0.1c-7.ius.el6 will be erased
---> Package openssl10-libs.x86_64 0:1.0.1c-9.ius.el6 will be installed
---> Package openssl10-libs.x86_64 1:1.0.1c-7.ius.el6 will be erased
--> Finished Dependency Resolution

==========================================================================================================================================================================================
 Package Arch Version Repository Size
==========================================================================================================================================================================================
Installing:
 openssl10 x86_64 1.0.1c-9.ius.el6 ius-testing 663 k
 openssl10-libs x86_64 1.0.1c-9.ius.el6 ius-testing 806 k
Removing:
 openssl10 x86_64 1:1.0.1c-7.ius.el6 @/openssl10-1.0.1c-7.ius.el6.x86_64 1.5 M
 openssl10-libs x86_64 1:1.0.1c-7.ius.el6 @/openssl10-libs-1.0.1c-7.ius.el6.x86_64 2.3 M

Transaction Summary
==========================================================================================================================================================================================
Install ...


Robert-accettura (raccettura) wrote :

$ sudo yum install openssl10 --enablerepo=ius-testing
Loaded plugins: downloadonly, fastestmirror, priorities, replace, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.constant.com
 * epel: mirror.us.leaseweb.net
 * extras: centos.mirror.constant.com
 * ius: archive.linux.duke.edu
 * ius-testing: archive.linux.duke.edu
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: centos.mirror.constant.com
2103 packages excluded due to repository priority protections
Setting up Install Process
Package matching openssl10-1.0.1c-9.ius.el6.i686 already installed. Checking for update.
Nothing to do

I think that worked since I see -9.

Jeffrey Ness (jeffrey-ness) wrote :

Robert,

If the old openssl10 package with epoch of 1 is installed it will not identify openssl10-1.0.1c-9.ius.el6 as an update,
see my results above.

Can you verify which version of the package you have installed?

   # rpm -qa | grep openssl10

Thanks
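
Why yum reported "Nothing to do" for the -9 build, as an added example (not code from IUS, yum or rpm): a Python re-implementation of RPM's epoch:version-release ordering, run on the package versions quoted in this thread. Function names are illustrative, a missing epoch is treated as 0, and the tilde and caret rules of later rpm releases are left out.

```python
import re

_SEPARATORS = re.compile(r"^[^A-Za-z0-9]+")
_DIGITS = re.compile(r"^[0-9]+")
_LETTERS = re.compile(r"^[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings segment by segment.

    Returns -1 if a is older than b, 0 if equal, 1 if a is newer.
    """
    if a == b:
        return 0
    while True:
        # Separators such as "." or "_" only delimit segments.
        a = _SEPARATORS.sub("", a)
        b = _SEPARATORS.sub("", b)
        if not a or not b:
            break
        numeric = a[0] in "0123456789"
        pattern = _DIGITS if numeric else _LETTERS
        seg_a = pattern.match(a).group(0)
        match_b = pattern.match(b)
        if match_b is None:
            # Segment types differ: a numeric segment beats an alphabetic one.
            return 1 if numeric else -1
        seg_b = match_b.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            key_a, key_b = int(seg_a), int(seg_b)
        else:
            key_a, key_b = seg_a, seg_b
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    if not a and not b:
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if a else -1


def parse_evr(text):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, colon, rest = text.partition(":")
    if not colon:
        epoch, rest = "0", text
    version, dash, release = rest.rpartition("-")
    if not dash:
        version, release = rest, ""
    return int(epoch), version, release


def deciding_field(installed, candidate):
    """Return (field, result): the first field that differs and its ordering.

    result is 1 when the installed package sorts newer, -1 when older.
    Epoch is compared first and overrides version and release entirely.
    """
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(candidate)
    if e1 != e2:
        return "epoch", (1 if e1 > e2 else -1)
    for name, left, right in (("version", v1, v2), ("release", r1, r2)):
        result = rpmvercmp(left, right)
        if result:
            return name, result
    return "equal", 0


def is_update(installed, candidate):
    """True when the candidate sorts newer than the installed package."""
    return deciding_field(installed, candidate)[1] < 0


if __name__ == "__main__":
    pairs = [
        # Installed -7 (epoch 1) against the -9 rebuild (epoch 0), as shown
        # in the yum shell transaction in this thread.
        ("1:1.0.1c-7.ius.el6", "0:1.0.1c-9.ius.el6"),
        # Constructed: the same two builds with the epoch stripped.
        ("1.0.1c-7.ius.el6", "1.0.1c-9.ius.el6"),
        # Stock CentOS 6 openssl against the -9 build.
        ("1.0.0-25.el6_3.1", "1.0.1c-9.ius.el6"),
    ]
    for installed, candidate in pairs:
        field, _ = deciding_field(installed, candidate)
        print(installed, "->", candidate,
              "update" if is_update(installed, candidate) else "not an update",
              "(decided by %s)" % field)
```

A host still carrying the epoch-1 package will also ignore later security rebuilds of openssl10 for the same reason, so checking the installed epoch with `rpm -q --qf '%{EPOCH}\n' openssl10` is worth doing before relying on `yum update`.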

Robert-accettura (raccettura) wrote :

Still showed -7, so I tried it again... looks like that made things worse...

Resolving Dependencies
--> Running transaction check
---> Package openssl10.i686 0:1.0.1c-9.ius.el6 will be installed
--> Processing Dependency: openssl10-libs(x86-32) = 1.0.1c-9.ius.el6 for package: openssl10-1.0.1c-9.ius.el6.i686
--> Processing Dependency: libssl.so.10(libssl.so.10) for package: openssl10-1.0.1c-9.ius.el6.i686
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10) for package: openssl10-1.0.1c-9.ius.el6.i686
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1) for package: openssl10-1.0.1c-9.ius.el6.i686
--> Processing Conflict: openssl10-1.0.1c-9.ius.el6.i686 conflicts openssl < 1.0.1
--> Finished Dependency Resolution
Error: Package: openssl10-1.0.1c-9.ius.el6.i686 (ius-testing)
           Requires: openssl10-libs(x86-32) = 1.0.1c-9.ius.el6
Error: Package: openssl10-1.0.1c-9.ius.el6.i686 (ius-testing)
           Requires: libcrypto.so.10(OPENSSL_1.0.1)
Error: Package: openssl10-1.0.1c-9.ius.el6.i686 (ius-testing)
           Requires: libcrypto.so.10(libcrypto.so.10)
Error: openssl10 conflicts with openssl
Error: Package: openssl10-1.0.1c-9.ius.el6.i686 (ius-testing)
           Requires: libssl.so.10(libssl.so.10)
 You could try using --skip-broken to work around the problem
** Found 2 pre-existing rpmdb problem(s), 'yum check' output follows:
perl-IO-Compress-2.037-1.el6.rfx.noarch has missing requires of perl(Compress::Raw::Bzip2) = ('0', '2.037', None)
perl-IO-Compress-2.037-1.el6.rfx.noarch has missing requires of perl(Compress::Raw::Zlib) = ('0', '2.037', None)

yuck. Not quite sure how to dig out of that one.

Jeffrey Ness (jeffrey-ness) wrote :

Robert,

You will need to perform the removal and re-installation manually from the yum shell as posted above.

The simplified version is below:

    # yum shell --enablerepo=ius-testing

    > remove openssl10 openssl10-libs

    > install openssl10 openssl10-libs

    > run

====

This will create a transaction to remove openssl10 and openssl10-libs, then in the same transaction install openssl10 and openssl10-libs (getting the new versions). You then run the transaction and you should get a pretty yum result page showing the removal of the old and install of the new.

Jeffrey -

Robert-accettura (raccettura) wrote :

Here's what I got:

$ sudo yum shell --enablerepo=ius-testing
Loaded plugins: downloadonly, fastestmirror, priorities, replace, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.constant.com
 * epel: mirror.us.leaseweb.net
 * extras: centos.mirror.constant.com
 * ius: archive.linux.duke.edu
 * ius-testing: archive.linux.duke.edu
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: centos.mirror.constant.com
Setting up Yum Shell
> remove openssl10 openssl10-libs
Setting up Remove Process
No Match for argument: openssl10
ius-testing | 2.2 kB 00:00
2103 packages excluded due to repository priority protections
Package(s) openssl10 available, but not installed.
No Match for argument: openssl10-libs
>

Jeffrey Ness (jeffrey-ness) wrote :

Robert,

Let's look back to what Ben mentioned, is it possible you have it excluded?

Can you give us a list of all openssl packages you have installed:

  # rpm -qa | grep openssl

You may try using shell with excludes disabled:

  # yum shell --enablerepo=ius-testing --disableexcludes=all

When in the shell you will only want to remove your openssl10 packages that are installed.

It is also worth noting openssl10 cannot be installed alongside openssl.

Robert-accettura (raccettura) wrote :

$ rpm -qa | grep openssl
openssl-1.0.0-25.el6_3.1.i686

It's back to openssl now.

I think the problem (or one of them) is that it's not seeing openssl10-libs:
plugins: downloadonly, fastestmirror, priorities, replace, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.constant.com
 * epel: mirror.us.leaseweb.net
 * extras: centos.mirror.constant.com
 * ius: archive.linux.duke.edu
 * ius-testing: archive.linux.duke.edu
 * rpmforge: mirror.us.leaseweb.net
 * rpmforge-extras: mirror.us.leaseweb.net
 * updates: centos.mirror.constant.com
Setting up Yum Shell
> install openssl10 openssl10-libs
2115 packages excluded due to repository priority protections
Setting up Install Process
No package openssl10-libs available.

Jeffrey Ness (jeffrey-ness) wrote :

Robert,

I can show openssl10-libs is available from the mirror you are using for ius-testing (archive.linux.duke.edu):

   http://archive.linux.duke.edu/ius/testing/Redhat/6/x86_64/

I would suggest cleaning your yum cache.

     # yum clean all
     # rm -rf /var/cache/yum/*

If that is not working I would just grab the RPM manually from the repo link above.

Jeffrey-

Robert-accettura (raccettura) wrote :

I'm convinced something isn't right now. I downloaded the RPM manually, however I can't switch back from openssl to openssl10.

Jeffrey Ness (jeffrey-ness) wrote :

Hello Robert,

Below are my steps on a fresh CentOS 6 x86_64 server:

* We start out with base openssl installed:

  # rpm -qa | grep openssl
  openssl-1.0.0-25.el6_3.1.x86_64

* Download the openssl10 packages:

  # ls -l
  total 1480
  -rw-r--r-- 1 root root 678868 Dec 5 05:08 openssl10-1.0.1c-9.ius.el6.x86_64.rpm
  -rw-r--r-- 1 root root 825344 Dec 5 05:08 openssl10-libs-1.0.1c-9.ius.el6.x86_64.rpm

* Install from local files:

# yum localinstall *

    Examining openssl10-libs-1.0.1c-9.ius.el6.x86_64.rpm: openssl10-libs-1.0.1c-9.ius.el6.x86_64
    Marking openssl10-libs-1.0.1c-9.ius.el6.x86_64.rpm to be installed
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 0:1.0.0-25.el6_3.1 will be obsoleted
    ---> Package openssl10.x86_64 0:1.0.1c-9.ius.el6 will be installed
    ---> Package openssl10-libs.x86_64 0:1.0.1c-9.ius.el6 will be obsoleting
    --> Finished Dependency Resolution

    Dependencies Resolved

    ====================================================================================
     Package Arch Version Repository
    ====================================================================================
    Installing:
     openssl10 x86_64 1.0.1c-9.ius.el6 /openssl10-1.0.1c-9.ius.el6.x86_64
     openssl10-libs x86_64 1.0.1c-9.ius.el6 /openssl10-libs-1.0.1c-9.ius.el6.x86_64
         replacing openssl.x86_64 1.0.0-25.el6_3.1
         replacing openssl.x86_64 1.0.0-25.el6_3.1

    Transaction Summary
    ====================================================================================
    Install 2 Package(s)

    Total size: 3.8 M
    Is this ok [y/N]:

Robert-accettura (raccettura) wrote :

Ok, that worked. It's running, let's see how it does.

Robert-accettura (raccettura) wrote :

Still running and seems good. No issues detected.

Jeffrey Ness (jeffrey-ness) wrote :

Great! We really appreciate you testing out this package.

I will do a final one over on this package then get it in to the Stable repos.

Jeffrey-

Jeffrey Ness (jeffrey-ness) wrote :

The package has been tagged as stable-candidate and will be available after tonight's synchronization.

Jeffrey Ness (jeffrey-ness) wrote :

Please disregard #36, additional testing needs to be done.

Michael Frank (2-contact) wrote :

Hello, is there any news on when the package becomes stable?

Robert-accettura (raccettura) wrote :

It's working fine for me. However it does need to be updated to address: http://www.openssl.org/news/secadv_20130205.txt

Jeffrey Ness (jeffrey-ness) wrote :

Great, Thanks Robert.

I'll be working on getting openssl10-1.0.1d-1.ius built and into the testing channels,
once the package has lived for the required 14 days in testing I'll then get it to stable.

Thanks
Jeffrey-

Jeffrey Ness (jeffrey-ness) wrote :

Moving to 1.0.1d may be a bit more work than originally thought,
the fips patch (needed to build the fips module) is not compatible with 1.0.1d
(and is a rather large patch http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1c-fips.patch?h=f18):

Patch #40 (openssl-1.0.1c-fips.patch):
+ /usr/bin/patch -s -p1 -b --suffix .fips --fuzz=2
+ /bin/cat /home/jness/ius/openssl10/SOURCES/openssl-1.0.1c-fips.patch
1 out of 2 hunks FAILED -- saving rejects to file crypto/err/err_all.c.rej
1 out of 8 hunks FAILED -- saving rejects to file crypto/evp/digest.c.rej
1 out of 8 hunks FAILED -- saving rejects to file crypto/rsa/rsa_eay.c.rej
error: Bad exit status from /var/tmp/rpm-tmp.YpYjdF (%prep)

--

Nor has Fedora rawhide moved to 1.0.1d yet:

http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/source/SRPMS/o/

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/?h=f18

--

Will see what needs to be changed in patches to get a successful build.

Jeffrey-

Robert-accettura (raccettura) wrote :

Interesting. The changelog notes as the 2nd change:
      o Include the fips configuration module.

Jeffrey Ness (jeffrey-ness) wrote :

Yeah, it seems fips module was added by patch previously, but now that it is added that patch is probably not needed.

I also want to include the Redhat bug report here:
   https://bugzilla.redhat.com/show_bug.cgi?id=907589

Jeffrey Ness (jeffrey-ness) wrote :

I've been able to remove the fips patches and get a build for 1.0.1e,
openssl10-1.0.1e-1.ius will be available in the IUS testing channels tonight.

Jeffrey-

Jeffrey Ness (jeffrey-ness) wrote :

Hello,

Any word on how this package is working in your testing environments?

Thanks

Robert-accettura (raccettura) wrote :

So far running, no issues detected.

Jeffrey Ness (jeffrey-ness) wrote :

Fantastic! Then we are on course for hitting stable in about 8 days from now.

Thank you very much for your assistance.

Jeffrey-

Michael Frank (2-contact) wrote :

Hi Jeffrey,
could you say when it will be available in the stable Repo?

Jeffrey Ness (jeffrey-ness) wrote :

Hello Michael,

It does seem like openssl10 has been in testing for its required 14 days,
and at this time is ready to be moved to stable.

I'll get this tagged today, and on tonight's sync it will be available in the stable repos.

Jeffrey-

Changed in ius:
status: In Progress → Fix Committed
James Kennedy (serveradmin) wrote :

Sorry to dredge an old issue, but I notice that the IUS package is following Redhat by disabling the ECC ciphers ("no-ec no-ec2m no-ecdh no-ecdsa" parameters on Configure). There has been a bug against Fedora rawhide regarding this for about 6 years, but I'm wondering if you could just go ahead and enable the ECC ciphers on this package.

More info:
https://bugzilla.redhat.com/show_bug.cgi?id=319901
http://cr.yp.to/ecdh/patents.html
http://security.stackexchange.com/questions/3519/can-ecc-be-used-without-infringing-on-patents

bharper (bharper) wrote :

Hello James,

Thanks for the request. IUS has very limited resources for packaging more of less investigating patents and prior art. Unfortunately, we will need to follow Red Hat's decision regarding this issue. If/when Red Hat makes a decision, we can reevaluate this request.

-Ben

Alexandru P (imperialnetwork) wrote :

From my understanding the packages from Fedora-19 should contain ECC ciphers.
Would be great if you could rebuild the openssl10 packages from the updated fedora-19 packages:

openssl-1.0.1e-30.fc19.x86_64.rpm 29-Oct-2013 18:34 725364
openssl-devel-1.0.1e-30.fc19.i686.rpm 29-Oct-2013 18:33 1263524
openssl-devel-1.0.1e-30.fc19.x86_64.rpm 29-Oct-2013 18:34 1263480
openssl-libs-1.0.1e-30.fc19.i686.rpm 29-Oct-2013 18:34 913500
openssl-libs-1.0.1e-30.fc19.x86_64.rpm 29-Oct-2013 18:34 924936
openssl-perl-1.0.1e-30.fc19.x86_64.rpm 29-Oct-2013 18:33 53736
openssl-static-1.0.1e-30.fc19.x86_64.rpm 29-Oct-2013 18:34 992328

bharper (bharper) wrote :

Hello Alexandru and James,

Thanks for the update. Looking over the Red Hat's bug, Fedora packages have been updated and according to the release notes Red Hat's packages will get updated in 6.5.

We will need to reevaluate if IUS needs to package openssl10, if Red Hat will be offering openssl 1.0.1. There was debate if we should have moved the openssl10 packages into the stable repos. Also we have received reports from some users that attempting to install openssl10 broke their servers.

-Ben

James Kennedy (serveradmin) wrote :

Regardless of whether openssl10 "should" have been moved to stable, it is in there for now. Can the package be updated to have the same cipher support as Fedora's openssl package? I don't see the necessity in making people wait for 6.5.

bharper (bharper) wrote :

Hello James,

Unfortunately, that Red Hat bug did not include information on how Red Hat and Fedora came to the conclusion to start including the ec and ecparam commands. That information would have been helpful. The IUS team is currently evaluating how we should proceed regarding this request.

-Ben

James Kennedy (serveradmin) wrote :

Thanks for the reply Ben.
It sounds like they couldn't discuss it publicly in the bug thread. Maybe by reaching out to Redhat it would be possible to find out more.
Relevant contact info: https://fedoraproject.org/wiki/User:Spot?rd=TomCallaway

Hi,

I've just updated to CentOS 6.5 via "yum update".
Previously I had installed the openssl from the ius-repo.

Now I've a strange error in sshd - I receive:

sshd: relocation error: sshd: symbol SSLeay_version, version
OPENSSL_1.0.1 not defined in file libcrypto.so.10 with link time reference

Any idea what this means?

Is it necessary to remove the openssl from the ius-repo?

Any ideas what to do to fix this error?

Thanks and kind regards,
Michael

On 04.11.2013 22:37, bharper wrote:
> Hello Alexandru and James,
>
> Thanks for the update. Looking over the Red Hat's bug, Fedora packages
> have been updated and according to the release notes Red Hat's packages
> will get updated in 6.5.
>
> We will need to reevaluate if IUS needs to package openssl10, if Red
> Hat will be offering openssl 1.0.1. There was debate if we should have
> moved the openssl10 packages into the stable repos. Also we have
> received reports from some users that attempting to install openssl10
> broke their servers.
>
> -Ben
>

bharper (bharper) wrote :

Hello Michael,

Thanks for taking the time to report this issue. Off the top of my head, I am not sure what that error message means. I will have to do some research. Seeing that el 6.5 now includes openssl 1.0.1, ssh might be expecting some behavior from that version of openssl.

Can you please provide the output of the following commands:

$ cat /etc/issue

$ rpm -qa |grep openssl

$ rpm -qa |grep ssh

-Ben

bharper (bharper) wrote :

Hello Michael,

I was able to recreate the behavior you reported. I spun up a CentOS 6.4 server and switched it to use IUS's openssl10. Then I upgraded to 6.5:

# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m

# rpm -qa |grep openssl
openssl10-libs-1.0.1e-2.ius.centos6.x86_64
openssl10-1.0.1e-2.ius.centos6.x86_64

# yum upgrade
...

# ssh localhost
ssh: relocation error: ssh: symbol SSLeay_version, version OPENSSL_1.0.1 not defined in file libcrypto.so.10 with link time reference

and from a remote machine:

$ ssh <email address hidden>
ssh_exchange_identification: read: Connection reset by peer

After switching back to stock openssl, I was able to connect.

# yum replace openssl10 --replace-with openssl
Loaded plugins: fastestmirror, replace
Loading mirror speeds from cached hostfile
 * epel: mirror.steadfast.net
 * ius: mirror.rackspace.hk
Replacing packages takes time, please be patient...

WARNING: Unable to resolve all providers: ['config(openssl10-libs)', 'openssl-libs', 'openssl-libs(x86-64)', 'openssl10-libs', 'openssl10-libs(x86-64)', 'openssl10', 'openssl10(x86-64)']

This may be normal depending on the package. Continue? [y/N] y
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be installed
---> Package openssl10.x86_64 0:1.0.1e-2.ius.centos6 will be erased
---> Package openssl10-libs.x86_64 0:1.0.1e-2.ius.centos6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================
 Package Arch Version Repository Size
=======================================================================================================================
Installing:
 openssl x86_64 1.0.1e-15.el6 base 1.5 M
Removing:
 openssl10 x86_64 1.0.1e-2.ius.centos6 @ius 1.5 M
 openssl10-libs x86_64 1.0.1e-2.ius.centos6 @ius 2.2 M

Transaction Summary
=======================================================================================================================
Install 1 Package(s)
Remove 2 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.0.1e-15.el6.x86_64.rpm | 1.5 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : openssl-1.0.1e-15.el6.x86_64 1/3
  Erasing : openssl10-1.0.1e-2.ius.centos6.x86_64 2/3
  Erasing : openssl10-libs-1.0.1e-2.ius.centos6.x86_64 3/3
  Verifying : openssl-1.0.1e-15.el6.x86_64 1/3
  Verifying ...


bharper (bharper) wrote :

In some cases replacing openssl10 with stock openssl using the method I described in my previous comment will not work. Previously, I spun up a fresh server and the yum replace method worked just fine. I did another test on a server that had more than just the base packages installed and ran into some issues. This server had been up for several months running 6.4 and plenty of additional packages installed. It got updated to 6.5 and I attempted to use the yum replace method, but it did not work:

# yum replace openssl10 --replace-with openssl
Loaded plugins: fastestmirror, protectbase, replace
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.org
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.team-cymru.org
 * updates: mirror.team-cymru.org
0 packages excluded due to repository protections
Replacing packages takes time, please be patient...

WARNING: Unable to resolve all providers: ['openssl10-devel', 'openssl10-devel(x86-64)', 'openssl10', 'openssl10(x86-64)', 'config(openssl10-libs)', 'openssl-libs', 'openssl-libs(x86-64)', 'openssl10-libs', 'openssl10-libs(x86-64)']

This may be normal depending on the package. Continue? [y/N] y
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package openssl.i686 0:1.0.1e-16.el6_5 will be installed
--> Processing Dependency: libz.so.1 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libresolv.so.2 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libkrb5.so.3(krb5_3_MIT) for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libkrb5.so.3 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libk5crypto.so.3(k5crypto_3_MIT) for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libk5crypto.so.3 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libgssapi_krb5.so.2 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libdl.so.2(GLIBC_2.1) for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libdl.so.2(GLIBC_2.0) for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libdl.so.2 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libcom_err.so.2 for package: openssl-1.0.1e-16.el6_5.i686
--> Processing Dependency: libc.so.6(GLIBC_2.7) for package: openssl-1.0.1e-16.el6_5.i686
---> Package openssl-devel.i686 0:1.0.1e-16.el6_5 will be installed
---> Package openssl10.x86_64 0:1.0.1e-2.ius.el6 will be erased
---> Package openssl10-devel.x86_64 0:1.0.1e-2.ius.el6 will be erased
--> Processing Dependency: openssl-devel(x86-64) for package: nodejs-devel-0.10.22-1.el6.x86_64
---> Package openssl10-libs.x86_64 0:1.0.1e-2.ius.el6 will be erased
--> Processing Dependency: libcrypto.so.10()(64bit) for package: mysql55-5.5.34-1.ius.centos6.x86_64
--> Processing Dependency: libcrypto.so.10()(64bit) for package: ntpdate-4.2.6p5-1.el6.centos.x86_64
--> Processing Dependency: libcrypto.so.10()(64bit) for package: mysql55-server-5.5.34-1.ius.centos6.x86_64
--> Processing Dependency: libcrypto.so.10()(64bit) fo...

Tim Harrison (tharri) wrote :

Any update on this issue?

bharper (bharper) wrote :

Hello Tim,

All openssl10 packages have been removed from the stable repos. If for some reason you still need the old openssl10 rpms, they are available in the archive repos.

-Ben

Alexander (znferr0) wrote :

hi Tim!

maybe it will help you

rpm -e --justdb --nodeps openssl

yum install openssl openssl-devel
