AIX Open Source


openssl3 and mod_ssl question

  • 1.  openssl3 and mod_ssl question

    Posted Fri September 27, 2024 07:01 AM
    Hello,
     
    I have installed the latest httpd and mod_ssl + openssl v3. But in the httpd log I see httpd starting with openssl 1.1.1x.
    Is that correct, or is it some description problem?
     
    root@xxx:/ # rpm -qa|grep -i mod_ssl
    mod_ssl-2.4.62-1.ppc
    root@xxx:/ # rpm -qa|grep -i httpd
    httpd-2.4.62-1.ppc
     
     
    root@xxx:/ # lslpp -L|grep -i openssl
      openssl.base           3.0.13.1000    C     F    Open Secure Socket Layer
      openssl.license        3.0.13.1000    C     F    Open Secure Socket License
      openssl.man.en_US      3.0.13.1000    C     F    Open Secure Socket Layer
     
     
    root@xxx:/ # tail -f /var/log/httpd/error_log
    [Fri Sep 27 09:21:16.161108 2024] [core:notice] [pid 6881758] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 09:45:09.464409 2024] [mpm_prefork:notice] [pid 6881758] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 09:47:37.419937 2024] [mpm_prefork:notice] [pid 7799052] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 09:47:37.422585 2024] [core:notice] [pid 7799052] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 10:17:44.262391 2024] [mpm_prefork:notice] [pid 7799052] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 10:17:51.133289 2024] [mpm_prefork:notice] [pid 8192268] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 10:17:51.133376 2024] [core:notice] [pid 8192268] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 10:30:50.639737 2024] [mpm_prefork:notice] [pid 8192268] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 10:30:54.686466 2024] [mpm_prefork:notice] [pid 11403724] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 10:30:54.686552 2024] [core:notice] [pid 11403724] AH00094: Command line: '/opt/freeware/sbin/httpd'
     
     
    root@xxx:/ # rpm -ql mod_ssl-2.4.62-1.ppc |grep -i mod_ssl
    /opt/freeware/lib/httpd/modules/mod_ssl.so
    /opt/freeware/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem
     
     
    root@xxx:/ # ldd /opt/freeware/lib/httpd/modules/mod_ssl.so
    /opt/freeware/lib/httpd/modules/mod_ssl.so needs:
    /usr/lib/libssl.a(libssl.so.1.1)
    /usr/lib/libcrypto.a(libcrypto.so.1.1)
    /usr/lib/libc.a(shr.o)
    /opt/freeware/lib/libgcc_s.a(shr.o)
    /usr/lib/librtl.a(shr.o)
    /usr/lib/libpthreads.a(shr_xpg5.o)
    /unix
    /usr/lib/libcrypt.a(shr.o)
    /usr/lib/libpthreads.a(shr_comm.o)
     
     
    root@xxx:/ # lslpp -w /usr/lib/libssl.a
      File                                        Fileset               Type
      ----------------------------------------------------------------------------
      /usr/lib/libssl.a                           openssl.base          File


    ------------------------------
    Tomasz Boruszek
    ------------------------------


  • 2.  RE: openssl3 and mod_ssl question

    Posted Fri September 27, 2024 09:17 AM

    AIX Toolbox packages are built against openssl 1.1.1 (dynamic linking). So even with openssl 3.0 installed, the linkage is with the *.so.1.1 shared libraries, as you can see from the ldd output. The Toolbox ecosystem can move to openssl 3.0 only when openssl 3.0 is available in AIX 7.1, as 7.1 is the base build level for AIX Toolbox packages. As per the AIX openssl team, openssl 3.0 will be available in AIX 7.1 by the end of this year.



    ------------------------------
    Ayappan P
    ------------------------------
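The point in the reply above (and in the ldd output of post #1) is that the library a module actually loads is decided by the shared-object member it was bound to at link time, not by which openssl fileset happens to be installed. On AIX one archive such as /usr/lib/libssl.a can carry several members (libssl.so.1.1 and, for a 3.x fileset, a 3.x member), and `ldd` names the member. The script below is an added example, not code from the thread or from the AIX Toolbox project: it parses `ldd` and `lslpp -L` output and reports whether the bound libssl major matches the installed openssl.base major. The two sample inputs are constructed from the output posted in the thread; the member name `libssl.so.3` used for the 3.x case in the test is an assumption about the AIX naming, as is the optional `64` suffix on 64-bit members. On a real box, pipe the live commands into the same functions as shown in the comments; it is also the check to repeat after the 2.4.62-2 update discussed later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the AIX Toolbox project): decide which
# OpenSSL ABI an AIX shared module is bound to and whether it matches the
# installed openssl.base fileset level. The loader maps the archive *member*
# named by ldd, so a 3.0.x fileset on disk does not move a module that needs
# libssl.a(libssl.so.1.1) to OpenSSL 3.
#
# Live usage on AIX:
#   ldd /opt/freeware/lib/httpd/modules/mod_ssl.so | linked_ssl_abi
#   lslpp -L openssl.base                          | installed_ssl_version
#
# Constructed sample inputs, copied from the output posted in the thread.
SAMPLE_LDD='/opt/freeware/lib/httpd/modules/mod_ssl.so needs:
/usr/lib/libssl.a(libssl.so.1.1)
/usr/lib/libcrypto.a(libcrypto.so.1.1)
/usr/lib/libc.a(shr.o)
/unix'

SAMPLE_LSLPP='  openssl.base           3.0.13.1000    C     F    Open Secure Socket Layer
  openssl.license        3.0.13.1000    C     F    Open Secure Socket License'

# linked_ssl_abi: read ldd output on stdin, print the ABI version of the libssl
# member the module needs ("1.1", "3", ...), or "none" if libssl is absent.
# The optional digits after "libssl" allow for a 64-bit member name (assumed).
linked_ssl_abi() {
    abi=$(sed -n 's/.*libssl\.a(libssl[0-9]*\.so\.\([0-9][0-9.]*\)).*/\1/p' | head -n 1)
    printf '%s\n' "${abi:-none}"
}

# installed_ssl_version: read `lslpp -L` output on stdin, print the level of
# the openssl.base fileset, or "none" if it is not listed.
installed_ssl_version() {
    ver=$(awk '$1 == "openssl.base" { print $2; exit }')
    printf '%s\n' "${ver:-none}"
}

# ssl_link_verdict LDD_TEXT LSLPP_TEXT: compare the major version of the bound
# libssl member with the major version of the installed fileset.
# Prints "ok <abi>", "mismatch <abi> <level>" (exit 1) or "unknown ..." (exit 2).
ssl_link_verdict() {
    abi=$(printf '%s\n' "$1" | linked_ssl_abi)
    inst=$(printf '%s\n' "$2" | installed_ssl_version)
    if [ "$abi" = none ] || [ "$inst" = none ]; then
        printf 'unknown %s %s\n' "$abi" "$inst"
        return 2
    fi
    if [ "${abi%%.*}" = "${inst%%.*}" ]; then
        printf 'ok %s\n' "$abi"
    else
        printf 'mismatch %s %s\n' "$abi" "$inst"
        return 1
    fi
}

# Run against the constructed sample: the module is bound to 1.1 while the
# fileset is 3.0.13.1000, which is exactly the situation in post #1.
ssl_link_verdict "$SAMPLE_LDD" "$SAMPLE_LSLPP" || true
```

A "mismatch" here is not a misconfiguration you can fix with `LIBPATH` or by reinstalling the fileset; only a module rebuilt against the 3.x member changes the result. That is also why a vulnerability scanner keyed on the `OpenSSL/1.1.1x` string in the httpd banner keeps flagging the host until the rebuilt package is installed.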



  • 3.  RE: openssl3 and mod_ssl question

    Posted Fri September 27, 2024 09:41 AM

    Thanks, that explained a lot to me.



    ------------------------------
    Tomasz Boruszek
    ------------------------------



  • 4.  RE: openssl3 and mod_ssl question

    Posted Tue November 12, 2024 12:07 AM

    We are in the same situation. Our Security team is informing us we need to use a version of Apache that uses OpenSSL3 to pass security vulnerability tests that are failing. We are on AIX 7.1, OpenSSL 3.0.10.1001, and AIX toolbox versions of httpd 2.5.62-1 and mod_ssl 2.4.62-1. Mod_ssl appears to be built using OpenSSL 1.1.1.x. When will a newer release of mod_ssl be available on the AIX Toolbox site which uses OpenSSL 3? Or, what workaround solution is available for mod_ssl to use the newer OpenSSL libraries? Thank you.



    ------------------------------
    Alma Eaton
    ------------------------------



  • 5.  RE: openssl3 and mod_ssl question

    Posted Tue November 12, 2024 03:58 AM

    Read Ayappan's reply in post #2.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 6.  RE: openssl3 and mod_ssl question

    Posted Fri December 20, 2024 09:22 PM

    Thank you for the information. We are also interested in the release that supports OpenSSL 3.x. We have many vulnerabilities being flagged on versions not available. Please advise when it is available, along with any information on update/install procedures.

    OpenSSL 1.1.1 < 1.1.1zb Vulnerability
    OpenSSL 1.1.1 < 1.1.1za Vulnerability
    OpenSSL 1.1.1 < 1.1.1y Multiple Vulnerabilities
    OpenSSL 1.1.1 < 1.1.1x Multiple Vulnerabilities
    OpenSSL 1.1.1 < 1.1.1w Vulnerability


    ------------------------------
    Michael Larsen
    ------------------------------



  • 7.  RE: openssl3 and mod_ssl question

    Posted Mon December 30, 2024 11:53 AM

    Ayappan, Are you aware of any ETA or roadmap date for this release?



    ------------------------------
    Michael Larsen
    ------------------------------



  • 8.  RE: openssl3 and mod_ssl question

    Posted Mon December 30, 2024 10:32 PM

    Checked with AIX Openssl team recently. The work (Openssl 3 in AIX 7.1) is still in progress. I don't have any more details at this moment. 
    Since Openssl is supported by IBM, you can open a case and get more details on this. 



    ------------------------------
    Ayappan P
    ------------------------------



  • 9.  RE: openssl3 and mod_ssl question

    Posted Tue January 21, 2025 04:32 PM

    Looks like OpenSSL 3 is not available on AIX 7.1 according to the ticket I opened (now we just need the compile with apache httpd):

    Gary Wysocki (IBM)
    Jan 20, 2025, 08:38

    Hi Gary,

    I checked with our openssl team and Jimmie stated: as of this writing, all versions of openssl 3.0.x.x are supported in AIX 7.1, 7.2 and 7.3.

    See the openssl Readme files at the mrs site:

    https://www.ibm.com/resources/mrs/assets?source=aixbp

    The latest version is openssl 3.0.15.1000

    From the Readme file:

    This is the readme file of openSSL 3.0.15.1000 VRMF for AIX 7.1 , 7.2 and 7.3 which contains openssl 3.0.15 version.

    openssl-3.0.15.1000.tar.Z

    ================================================

    SECTION II - Vulnerabilities related information

    ================================================

    OpenSSL 3.0.15.1000 addresses all vulnerabilities reported up to and including the openssl 3.0.15 version.

    Vulnerabilities fixed in openssl 3.0.15 version:

    1. CVE-2024-9143 Low-level invalid GF(2^m) parameters lead to OOB memory access

    2. CVE-2024-6119 Possible denial of service in X.509 name checks

    3. CVE-2024-5535 SSL_select_next_proto buffer overread

    4. CVE-2024-4741 Use After Free with SSL_free_buffers

    5. CVE-2024-4603 Excessive time spent checking DSA keys and parameters

    -

    Is Apache using the openssl provided by IBM or some other vendor's SSL?

    If Apache has a requirement to move to 3.0 shared objects, that would be something for the AIX open source development team to look into.

    I will follow up with you on 23 Jan 2025 if there isn't a case update

    Regards

    Gary A. Wysocki

    IBM Power Premium

    AIX Technical Account Manager



    ------------------------------
    Michael Larsen
    ------------------------------



  • 10.  RE: openssl3 and mod_ssl question

    Posted Tue January 21, 2025 04:41 PM

    Sorry for the typo:    OpenSSL 3.x is NOW available for AIX 7.1, 7.2 and 7.3.

    Now we just need info on when a compiled version of Apache will be released with that OpenSSL3.X library, and any upgrade considerations for moving from OpenSSL1.X to OpenSSL3.X on that Apache release.



    ------------------------------
    Michael Larsen
    ------------------------------



  • 11.  RE: openssl3 and mod_ssl question

    Posted Wed January 22, 2025 01:28 AM

    We are working on compiling apache with openssl3 and will try to provide it within couple of weeks.
    We will keep the thread updated with the progress.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 12.  RE: openssl3 and mod_ssl question

    Posted Fri February 07, 2025 12:44 PM

    Reshma,

    Just when we thought we had things all figured out, it looks like the open source apache community has just released Apache 2.4.63 (on Jan 23, 2025). Are you still working on the OpenSSL3.x compile with 2.4.62, or does this new release cause issues? My guess is it's better to take one step at a time and not introduce too many variables. Please let us know what direction you are taking this, and any release timetables. Thank you for all your help - Michael Larsen



    ------------------------------
    Michael Larsen
    ------------------------------



  • 13.  RE: openssl3 and mod_ssl question

    Posted Tue February 11, 2025 07:16 AM

    Hi Michael,
    As you suggested, we will not be updating httpd to 2.4.63. We are working on httpd 2.4.62 with openssl3 and it will be published by the end of this week. 



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 14.  RE: openssl3 and mod_ssl question

    Posted Wed February 19, 2025 10:21 AM

    Reshma,

    Where are you going to publish the Apache/OpenSSL3 version? And how are you going to distinguish this new package from the original package that is linked to OpenSSL1.x?



    ------------------------------
    Michael Larsen
    ------------------------------



  • 15.  RE: openssl3 and mod_ssl question

    Posted Thu February 20, 2025 12:26 AM

    Hi Michael,
    We have published httpd 2.4.62-2 in AIX Toolbox. Release 2 is built with openssl3.
    httpd-2.4.62-2.aix7.1.ppc.rpm
    You can use dnf to update to this release.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 16.  RE: openssl3 and mod_ssl question

    Posted Thu February 20, 2025 04:29 AM
    Edited by C- -T Thu February 20, 2025 04:31 AM

    Still uses the old 1.1 libs...

    Edit: still the old httpd version in the repo, therefore the old ssl libs are loaded.

    root@nimvie: /root # ldd /opt/freeware/lib/httpd/modules/mod_ssl.so
    
    /opt/freeware/lib/httpd/modules/mod_ssl.so needs:
             /usr/lib/libssl.a(libssl.so.1.1)
             /usr/lib/libcrypto.a(libcrypto.so.1.1)
             /usr/lib/libc.a(shr.o)
             /opt/freeware/lib/libgcc_s.a(shr.o)
             /usr/lib/librtl.a(shr.o)
             /usr/lib/libpthreads.a(shr_xpg5.o)
             /usr/lib/libc.a(_shr.o)
             /unix
             /usr/lib/libcrypt.a(shr.o)
             /usr/lib/libpthreads.a(_shr_xpg5.o)
             /usr/lib/libpthreads.a(shr_comm.o)
    
    root@nimvie: /root #
    root@nimvie: /root # rpm -qi httpd
    Name        : httpd
    Version     : 2.4.62
    Release     : 1
    Architecture: ppc
    Install Date: Thu Feb 20 10:24:00 CET 2025
    Group       : System Environment/Daemons
    Size        : 12965003
    License     : Apache Software License
    Signature   : (none)
    Source RPM  : httpd-2.4.62-1.src.rpm
    Build Date  : Wed Jul 24 07:50:15 CEST 2024
    Build Host  : pokndd5.pok.stglabs.ibm.com
    Relocations : /opt /var /etc
    Packager    : IBM AIX Toolbox  <https://ibm.biz/AIXToolbox>
    URL         : https://httpd.apache.org/
    Bug URL     : https://ibm.biz/aixoss_forum
    Summary     : Apache HTTP Server
    Description :
    The Apache HTTP Server is a powerful, efficient, and extensible
    web server.
    



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 17.  RE: openssl3 and mod_ssl question

    Posted Mon February 24, 2025 01:59 AM

    Please run "dnf clean all" and then update httpd to 2.4.62-2. The release 2 is built with openssl3.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 18.  RE: openssl3 and mod_ssl question

    Posted Mon February 24, 2025 02:23 AM

    The newest httpd has some weird problems with ssl certs... it still works with 2.4.62-1. Why is this?

    [Mon Feb 24 08:14:34.717484 2025] [ssl:info] [pid 43450708] AH01914: Configuring server nimvie.sozvers.at:443 for SSL protocol
    [Mon Feb 24 08:14:34.718436 2025] [ssl:emerg] [pid 43450708] AH01903: Failed to configure CA certificate chain!


    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 19.  RE: openssl3 and mod_ssl question

    Posted Fri February 28, 2025 05:51 AM

    The information provided above is not enough to figure out the issue. It would be helpful if you can provide more details.
    Could you please change the "LogLevel" field in httpd.conf file to "trace8" (LogLevel trace8), restart the server and share the resulting logs?



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 20.  RE: openssl3 and mod_ssl question

    Posted Mon March 03, 2025 05:09 AM

    Already got it running... it might have something to do with the "SSLCertificateChainFile" parameter, which is deprecated since httpd 2.4.8. By commenting it out in the config file and concatenating the cert and intermediate together, the error is gone.

    Why this runs with httpd 2.4.62 but not 2.4.63... I have no idea, and I don't even care anymore.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------
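The fix described in the post above, as an added example rather than anything the poster or the AIX Toolbox project published: since httpd 2.4.8, mod_ssl reads any intermediate certificates that follow the server certificate in `SSLCertificateFile`, so the old `SSLCertificateChainFile` can go and the chain is built by concatenation. The script builds that combined file with the ordering mod_ssl expects (leaf first, then intermediates, root not needed), refuses to append a private key by mistake, and rewrites the two directives in a vhost. The vhost snippet, the paths and the PEM contents are constructed placeholders, not a real configuration or real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or the AIX Toolbox project): move a vhost
# from the deprecated SSLCertificateChainFile directive to one combined
# SSLCertificateFile, and sanity-check the result before restarting httpd.
# Since httpd 2.4.8 mod_ssl takes intermediates from the certificates that
# follow the server certificate in SSLCertificateFile. Order matters: leaf
# first, then intermediates going upward; the root is not required.
#
# Everything below (vhost, paths, PEM bodies) is a constructed placeholder.
SAMPLE_CONF='<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    SSLCertificateChainFile /etc/httpd/ssl/intermediate.crt
</VirtualHost>'

LEAF_PEM='-----BEGIN CERTIFICATE-----
placeholder-leaf
-----END CERTIFICATE-----'

INT_PEM='-----BEGIN CERTIFICATE-----
placeholder-intermediate
-----END CERTIFICATE-----'

# cert_count FILE: number of PEM certificate blocks in FILE.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# build_chain OUT LEAF INTERMEDIATE...: write LEAF, then each INTERMEDIATE in
# the order given, to OUT. Fails without leaving a partial OUT when an input
# has no certificate block or carries a private key (a key must never end up
# in the chain file, which is world-readable on most setups).
build_chain() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for f in "$@"; do
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "build_chain: no certificate in $f" >&2; rm -f "$tmp"; return 1
        fi
        if grep -q -e 'PRIVATE KEY-----' "$f"; then
            echo "build_chain: private key found in $f, refusing" >&2; rm -f "$tmp"; return 1
        fi
        # awk 1 copies every line and always ends the file with a newline, so
        # two PEM blocks never get glued onto one line.
        awk 1 "$f" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# migrate_conf CHAINFILE: on stdin, comment out SSLCertificateChainFile and
# point SSLCertificateFile at CHAINFILE; the rewritten config goes to stdout.
# SSLCertificateKeyFile is left untouched.
migrate_conf() {
    sed -e 's|^\([[:space:]]*\)SSLCertificateChainFile|\1#SSLCertificateChainFile|' \
        -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $1|"
}

# Stand-alone demo on the placeholders: build the chain in a scratch
# directory, report the block count, and print the migrated vhost.
demo_dir=$(mktemp -d)
printf '%s\n' "$LEAF_PEM" > "$demo_dir/server.crt"
printf '%s'   "$INT_PEM"  > "$demo_dir/intermediate.crt"   # deliberately no trailing newline
build_chain "$demo_dir/chain.crt" "$demo_dir/server.crt" "$demo_dir/intermediate.crt"
echo "certificates in chain.crt: $(cert_count "$demo_dir/chain.crt")"
printf '%s\n' "$SAMPLE_CONF" | migrate_conf /etc/httpd/ssl/chain.crt
rm -rf "$demo_dir"
```

Before restarting httpd, confirm the order on the real file with `openssl crl2pkcs7 -nocrl -certfile chain.crt | openssl pkcs7 -print_certs -noout`, which lists subject and issuer of every block in file order: the first subject must be the server name and each issuer must match the next subject. `migrate_conf` rewrites every `SSLCertificateFile` line it sees, so a vhost that serves both an RSA and an ECDSA certificate needs a combined file per certificate rather than this one-path rewrite.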



  • 21.  RE: openssl3 and mod_ssl question

    Posted 21 days ago

    Reshma,

    Thank you for all your support with these Apache updates.  Do you have any information on what the next available OpenSSL 3 version will be for AIX 7.1.   It looks like 7.2 is updated to OpenSSL 3.0.15, but not sure what version will be available for your Apache builds on AIX 7.1.  We are glad for the OpenSSL3 currently updated, but scanning is now requiring 3.0.15 or higher on the Apache OpenSSL.

    Please advise on any timelines for the next Apache build that updates to a newer version of OpenSSL3.



    ------------------------------
    Michael Larsen
    ------------------------------



  • 22.  RE: openssl3 and mod_ssl question

    Posted 8 days ago

    Reshma,

    Do you have any timeline on when a new Apache package can be available with Apache 2.4.63 and a version of OpenSSL >= 3.0.15?

    We have a number of vulnerabilities now being flagged on Apache OpenSSL versions < 3.0.15.



    ------------------------------
    Michael Larsen
    ------------------------------



  • 23.  RE: openssl3 and mod_ssl question

    Posted 6 days ago
    Edited by RESHMA KUMAR 6 days ago

    Hi Michael,

    We are working on making httpd 2.4.63 available in AIX Toolbox by next week. 
    Regarding openssl, 3.0.15 is already available in AIX web download site. Please download and install it from there.
    https://www.ibm.com/resources/mrs/assets/DownloadList?source=aixbp&lang=en_US



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 24.  RE: openssl3 and mod_ssl question

    Posted 5 days ago

    Reshma, 

    Excellent, do you know what OpenSSL version you will be compiling for Apache 2.4.63?



    ------------------------------
    Michael Larsen
    ------------------------------



  • 25.  RE: openssl3 and mod_ssl question

    Posted 5 days ago

    Hi Michael,

    We won't be compiling OpenSSL but will use the already available openssl 3.0.15 to compile Apache 2.4.63. 
    Apache is dynamically linked to the openssl library. So, during runtime it will make use of the installed openssl.



    ------------------------------
    RESHMA KUMAR
    ------------------------------