Let me make myself as clear as possible.
Suppose we have a /usr/lib/libssl.a file that contains these libraries: libssl.so, libssl.so.0.9.8, libssl.so.1.0.0 and libssl.so.1.0.2. You copy this file to /path/to/my/old, set exported LIBPATH to /path/to/my/old and start your application in this environment.
Then some time later you install an efix for OpenSSL 1.0.2. This efix replaces libssl.so.1.0.2 in /usr/lib/libssl.a and of course leaves /path/to/my/old/libssl.a intact. Your application does not care because it uses version 0.8.9.
And then your application that has exported LIBPATH=/path/to/my/old in its env spawns a short-lived process that needs OpenSSL 1.0.2. This spawned process will use libssl.so.1.0.2 coming from /path/to/my/old/libssl.a, i.e. the one that was not modified by the efix, right?
Preserving just libssl.so.0.9.8 lets us avoid this problem.
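The scenario above can be checked mechanically. The following is an added example, not part of the thread: a POSIX sh audit that compares every shared-object member of the archives in a private LIBPATH directory with the same member under the system library directory and reports the ones that shadow or lag the system copy. It assumes `ar` and `cksum` are on PATH; the function names are hypothetical and the paths are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Directory names and the pinned member
# are the thread's placeholders; pass your own.
OBJECT_MODE=32_64; export OBJECT_MODE  # AIX: let ar see 32- and 64-bit members

# Checksum of one archive member's bytes, without extracting it to disk.
member_sum() { ar -p "$1" "$2" | cksum; }

# audit_private_libdir PRIVATE_DIR SYSTEM_DIR [PINNED_MEMBER...]
# Prints one finding per unpinned member; returns 0 only if there are none.
audit_private_libdir() {
    priv=$1 sys=$2; shift 2
    findings=0
    for a in "$priv"/*.a; do
        [ -f "$a" ] || continue
        name=${a##*/}
        for m in $(ar -t "$a"); do
            # Members kept on purpose (the legacy version) are not findings.
            case " $* " in *" $m "*) continue ;; esac
            if [ ! -f "$sys/$name" ] ||
               ! ar -t "$sys/$name" | grep -Fqx -- "$m"; then
                echo "ONLY-PRIVATE $name($m)"  # emgr/installp never touch it
            elif [ "$(member_sum "$a" "$m")" != "$(member_sum "$sys/$name" "$m")" ]; then
                echo "STALE $name($m)"         # system copy changed, this one did not
            else
                echo "SHADOWS $name($m)"       # same today, drifts at the next efix
            fi
            findings=$((findings + 1))
        done
    done
    [ "$findings" -eq 0 ]
}

# Example call with the thread's paths:
#   audit_private_libdir /path/to/my/old /usr/lib libssl.so.0.9.8
```

A private archive that holds only the pinned legacy member produces no findings, so the audit can run after each efix installation and alert on any output.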
Original Message:
Sent: Wed January 17, 2024 07:18 AM
From: Andrey Klyachkin
Subject: Duration of support for AIX service packs?
> I am talking about efixes not for 0.8.9, but for newer versions (that happen to be inside the *.a files copied to /path/to/my/old).
If you copied files outside of the standard path, how would AIX (installp/emgr) find it there? They will not be touched by emgr and you can freely install newer OpenSSL versions. The older libraries will not be affected by any update or efix anyway.
> Exported LIBPATH will be used also by any processes spawned/executed by your application.
Yes, it is so. The new forked process inherits the environment of the parent process unless something else is specified.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Wed January 17, 2024 06:54 AM
From: Lech Szychowski
Subject: Duration of support for AIX service packs?
> P.S. You can't expect seriously an efix for OpenSSL 0.9.8 which is out of date since many years.
I am talking about efixes not for 0.8.9, but for newer versions (that happen to be inside the *.a files copied to /path/to/my/old).
> This is exactly the reason why you shouldn't define LIBPATH globally or in a user's profile. Only for the application you need.
Exported LIBPATH will be used also by any processes spawned/executed by your application. Some of these might be using OpenSSL libraries newer than 0.8.9 - and these ones will use not the patched copies in /usr/lib, but the unpatched copies in /path/to/my/old.
------------------------------
Lech Szychowski
Original Message:
Sent: Wed January 17, 2024 06:31 AM
From: Andrey Klyachkin
Subject: Duration of support for AIX service packs?
This is exactly the reason why you shouldn't define LIBPATH globally or in a user's profile. Only for the application you need.
P.S. You can't expect seriously an efix for OpenSSL 0.9.8 which is out of date since many years.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Wed January 17, 2024 06:06 AM
From: Lech Szychowski
Subject: Duration of support for AIX service packs?
Beware of possible side effects.
Archives libssl.a and libcrypto*.a contain more than *0.8.9.so files. Suppose we do what you proposed and later we install an efix for OpenSSL. It could change files in /usr/lib/, but of course will not change copies of these files in /path/to/my/old/openssl. So if dynamic linker loading the application (or any other binary this application wants to spawn/exec) wants to load some other OpenSSL library it will pick up the unpatched copy in /path/to/my/old/openssl, not the patched copy in /usr/lib (as contents of LIBPATH takes precedence over the standard library search path).
------------------------------
Lech Szychowski
Original Message:
Sent: Wed January 17, 2024 04:55 AM
From: Andrey Klyachkin
Subject: Duration of support for AIX service packs?
As Bertram wrote, you must order fixes through IBM support for earlier SPs.
Optimizing Lech's solution, you can copy libssl.a and libcrypto*.a to the directory with your application and write a small wrapper script like:
export LIBPATH=/path/to/my/old/openssl
start_app
By setting LIBPATH variable you redefine where the application will search for libraries. Just don't do it globally in /etc/environment, but only for the application start.
https://www.ibm.com/support/pages/libpath-environment-variables-aix-platforms
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Tue January 16, 2024 04:08 AM
From: Alexander Reichle-Schmehl
Subject: Duration of support for AIX service packs?
Hi!
Does anyone know how long IBM provides support for a certain AIX Service Pack? I only found the AIX support lifecycle for technology levels.
My actual problem: We have a system, which is currently on oslevel 7200-05-03-2148. We can't upgrade it to TL5 SP7, as that would break some software we use there requiring the ancient openssl 0.9.8 - which is no longer available on SP7.
Luckily it is foreseeable, that we can decommission the server in about a year. The only question would be, if we would still receive support / security fixes for SP6 (or even SP3) till then.
------------------------------
Alexander Reichle-Schmehl
------------------------------