AIX Open Source

AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

 View Only
Back to discussions
Expand all | Collapse all

openssl3 and mod_ssl question

  • 1.  openssl3 and mod_ssl question

    Posted Fri September 27, 2024 07:01 AM
    Hello,
     
    I have installed latest httpd and mod_ssl + openssl v3. But from the http log I see http starting with openssl 1.1.1x. 
    Is it correct or some description problem ?
     
    root@xxx:/ # rpm -qa|grep -i mod_ssl
    mod_ssl-2.4.62-1.ppc
    root@xxx:/ # rpm -qa|grep -i httpd
    httpd-2.4.62-1.ppc
     
     
    root@xxx:/ # lslpp -L|grep -i openssl
      openssl.base           3.0.13.1000    C     F    Open Secure Socket Layer
      openssl.license        3.0.13.1000    C     F    Open Secure Socket License
      openssl.man.en_US      3.0.13.1000    C     F    Open Secure Socket Layer
     
     
    root@xxx:/ # tail -f /var/log/httpd/error_log
    [Fri Sep 27 09:21:16.161108 2024] [core:notice] [pid 6881758] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 09:45:09.464409 2024] [mpm_prefork:notice] [pid 6881758] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 09:47:37.419937 2024] [mpm_prefork:notice] [pid 7799052] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 09:47:37.422585 2024] [core:notice] [pid 7799052] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 10:17:44.262391 2024] [mpm_prefork:notice] [pid 7799052] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 10:17:51.133289 2024] [mpm_prefork:notice] [pid 8192268] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 10:17:51.133376 2024] [core:notice] [pid 8192268] AH00094: Command line: '/opt/freeware/sbin/httpd'
    [Fri Sep 27 10:30:50.639737 2024] [mpm_prefork:notice] [pid 8192268] AH00169: caught SIGTERM, shutting down
    [Fri Sep 27 10:30:54.686466 2024] [mpm_prefork:notice] [pid 11403724] AH00163: Apache/2.4.62 (Unix) OpenSSL/1.1.1x configured -- resuming normal operations
    [Fri Sep 27 10:30:54.686552 2024] [core:notice] [pid 11403724] AH00094: Command line: '/opt/freeware/sbin/httpd'
     
     
    root@xxx:/ # rpm -ql mod_ssl-2.4.62-1.ppc |grep -i mod_ssl
    /opt/freeware/lib/httpd/modules/mod_ssl.so
    /opt/freeware/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem
     
     
    root@xxx:/ # ldd /opt/freeware/lib/httpd/modules/mod_ssl.so
    /opt/freeware/lib/httpd/modules/mod_ssl.so needs:
    /usr/lib/libssl.a(libssl.so.1.1)
    /usr/lib/libcrypto.a(libcrypto.so.1.1)
    /usr/lib/libc.a(shr.o)
    /opt/freeware/lib/libgcc_s.a(shr.o)
    /usr/lib/librtl.a(shr.o)
    /usr/lib/libpthreads.a(shr_xpg5.o)
    /unix
    /usr/lib/libcrypt.a(shr.o)
    /usr/lib/libpthreads.a(shr_comm.o)
     
     
    root@xxx:/ # lslpp -w /usr/lib/libssl.a
      File                                        Fileset               Type
      ----------------------------------------------------------------------------
      /usr/lib/libssl.a                           openssl.base          File


    ------------------------------
    Tomasz Boruszek
    ------------------------------


  • 2.  RE: openssl3 and mod_ssl question

    Posted Fri September 27, 2024 09:17 AM

    AIX Toolbox packages are built against openssl 1.1.1 (dynamic linking). So even with openssl 3.0 installed, the linkage is with the *.so.1.1 shared libraries as you can see from the ldd output. Toolbox ecosystem can move to openssl 3.0 only when openssl 3.0 is available in AIX 7.1, as 7.1 is the base build level for AIX Toolbox packages. As per AIX openssl team, openssl 3.0 will be available in AIX 7.1 this year end. 



    ------------------------------
    Ayappan P
    ------------------------------

    Original Message


  • 3.  RE: openssl3 and mod_ssl question

    Posted Fri September 27, 2024 09:41 AM

    Thanks, thats explained me a lot.



    ------------------------------
    Tomasz Boruszek
    ------------------------------

    Original Message


  • 4.  RE: openssl3 and mod_ssl question

    Posted Tue November 12, 2024 12:07 AM

    We are in the same situation.  Our Security team is informing us we need to use a version of Apache that uses OpenSSL3 to pass security vulnerability tests that are failing.  We are on AIX 7.1, OpenSSL 3.0.10.1001, and AIX toolbox versions of httpd 2.5.62-1 and mod_ssl 2.4.62-1.  Mod_ssl  appears to be built using OpenSSL 1.1.1.x.  When will a newer release of mod_ssl be available on the AIX Toolbox site which uses OpenSSL 3?   Or - what is a workaround solution available for mod_ssl to use the newer OpenSSL libraries? Thank you



    ------------------------------
    Alma Eaton
    ------------------------------

    Original Message


  • 5.  RE: openssl3 and mod_ssl question

    Posted Tue November 12, 2024 03:58 AM

    read ayappans reply in  post #2



    ------------------------------
    I regret starting this entire conversation
    ------------------------------

    Original Message


  • 6.  RE: openssl3 and mod_ssl question

    Posted Fri December 20, 2024 09:22 PM

    Thank you for the information.  We are also interested in the release that supports OpenSSL 3.x.  We have many vulnerabilities being flagged on versions not available. Please advise when available and any information on update/install procedures. 

    OpenSSL 1.1.1 < 1.1.1zb Vulnerability
    OpenSSL 1.1.1 < 1.1.1za Vulnerability
    OpenSSL 1.1.1 < 1.1.1y Multiple Vulnerabilities
    OpenSSL 1.1.1 < 1.1.1x Multiple Vulnerabilities
    OpenSSL 1.1.1 < 1.1.1w Vulnerability


    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 7.  RE: openssl3 and mod_ssl question

    Posted Mon December 30, 2024 11:53 AM

    Ayappan, Are you aware of any ETA or roadmap date for this release?



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 8.  RE: openssl3 and mod_ssl question

    Posted Mon December 30, 2024 10:32 PM

    Checked with AIX Openssl team recently. The work (Openssl 3 in AIX 7.1) is still in progress. I don't have any more details at this moment. 
    Since Openssl is supported by IBM, you can open a case and get more details on this. 



    ------------------------------
    Ayappan P
    ------------------------------

    Original Message


  • 9.  RE: openssl3 and mod_ssl question

    Posted Tue January 21, 2025 04:32 PM

    Looks like OpenSSL 3 is not available on AIX 7.1 according to the ticket I opened: ( now we just need the compile with apache httpd)

    Gary Wysocki (IBM)
    Jan 20, 2025, 08:38

    Hi Gary,

    I checked with our openssl team and Jimmie stated As of this writing all versions of openssl 3.0.x.x is supported in AIX 7.1,7.2 and 7.3.

    See the openssl Readme files at the mrs site:

    https://www.ibm.com/resources/mrs/assets?source=aixbp

    The latest version is openssl 3.0.15.1000

    From the Readme file:

    This is the readme file of openSSL 3.0.15.1000 VRMF for AIX 7.1 , 7.2 and 7.3 which contains openssl 3.0.15 version.

    openssl-3.0.15.1000.tar.Z

    ================================================

    SECTION II - Vulnerabilities related information

    ================================================

    OpenSSL 3.0.15.1000 addresses all vulnerabilities reported upto and including openssl 3.0.15 version.

    Vulnerabilities fixed in openssl 3.0.15 version:

    1. CVE-2024-9143 Low-level invalid GF(2^m) parameters lead to OOB memory access

    2. CVE-2024-6119 Possible denial of service in X.509 name checks

    3. CVE-2024-5535 SSL_select_next_proto buffer overread

    4. CVE-2024-4741 Use After Free with SSL_free_buffers

    5. CVE-2024-4603 Excessive time spent checking DSA keys and parameters

    -

    Is Apache using the openssl provided by IBM or some other vendor's SSL?

    If Apache has a requirement to move to 3.0 shared objects that would be something for the AIX open source development team has to look into.

    I will follow up with you on 23 Jan 2025 if there isn't a case update

    Regards

    Gary A. Wysocki

    IBM Power Premium

    AIX Technical Account Manager



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 10.  RE: openssl3 and mod_ssl question

    Posted Tue January 21, 2025 04:41 PM

    Sorry for the typo:    OpenSSL 3.x is NOW available for AIX 7.1, 7.2 and 7.3.

    Now we just need info on when a compiled version of Apache will be released with that OpenSSL3.X library, and any upgrade considerations for moving from OpenSSL1.X to OpenSSL3.X on that Apache release.



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 11.  RE: openssl3 and mod_ssl question

    Posted Wed January 22, 2025 01:28 AM

    We are working on compiling apache with openssl3 and will try to provide it within couple of weeks.
    We will keep the thread updated with the progress.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 12.  RE: openssl3 and mod_ssl question

    Posted Fri February 07, 2025 12:44 PM

    Reshma,

    Just when we thought we had things all figured out, looks like the open source apache community has just released Apache 2.4.63 ( on Jan 23, 2025).   Are you still working on the OpenSSL3.x compile with 2.4.62 or does this new release cause issues.  My guess better to take one step at time and not introduce to many variables.  Please let us know what direction you are taking this, and any release time tables.   Thank you for all your help - Michael Larsen



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 13.  RE: openssl3 and mod_ssl question

    Posted Tue February 11, 2025 07:16 AM

    Hi Michael,
    As you suggested, we will not be updating httpd to 2.4.63. We are working on httpd 2.4.62 with openssl3 and it will be published by the end of this week. 



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 14.  RE: openssl3 and mod_ssl question

    Posted Wed February 19, 2025 10:21 AM

    Reshma,

    Where are you going to publish the Apache/OpenSSL3 version? and how are you going to distinguish this new package with the original package that is linked to OpenSSL1.x?



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 15.  RE: openssl3 and mod_ssl question

    Posted Thu February 20, 2025 12:26 AM

    Hi Michael,
    We have published httpd 2.4.62-2 in AIX Toolbox. Release 2 is built with openssl3.
    httpd-2.4.62-2.aix7.1.ppc.rpm
    You can use dnf to update to this release.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 16.  RE: openssl3 and mod_ssl question

    Posted Thu February 20, 2025 04:29 AM
    Edited by C- -T Thu February 20, 2025 04:31 AM

    still uses old 1.1 libs...

    edit: still old httpd version in repo, therefore old ssl libs loaded..

    root@nimvie: /root # ldd /opt/freeware/lib/httpd/modules/mod_ssl.so

/opt/freeware/lib/httpd/modules/mod_ssl.so needs:
         /usr/lib/libssl.a(libssl.so.1.1)
         /usr/lib/libcrypto.a(libcrypto.so.1.1)
         /usr/lib/libc.a(shr.o)
         /opt/freeware/lib/libgcc_s.a(shr.o)
         /usr/lib/librtl.a(shr.o)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /usr/lib/libc.a(_shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(_shr_xpg5.o)
         /usr/lib/libpthreads.a(shr_comm.o)

root@nimvie: /root #
root@nimvie: /root # rpm -qi httpd
Name        : httpd
Version     : 2.4.62
Release     : 1
Architecture: ppc
Install Date: Thu Feb 20 10:24:00 CET 2025
Group       : System Environment/Daemons
Size        : 12965003
License     : Apache Software License
Signature   : (none)
Source RPM  : httpd-2.4.62-1.src.rpm
Build Date  : Wed Jul 24 07:50:15 CEST 2024
Build Host  : pokndd5.pok.stglabs.ibm.com
Relocations : /opt /var /etc
Packager    : IBM AIX Toolbox  <https://ibm.biz/AIXToolbox>
URL         : https://httpd.apache.org/
Bug URL     : https://ibm.biz/aixoss_forum
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------

    Original Message


  • 17.  RE: openssl3 and mod_ssl question

    Posted Mon February 24, 2025 01:59 AM

    Please run "dnf clean all" and then update httpd to 2.4.62-2. The release 2 is built with openssl3.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 18.  RE: openssl3 and mod_ssl question

    Posted Mon February 24, 2025 02:23 AM

    newest httpd has some weird problems with ssl certs..still works with 2.4.62-1. why is this?

    [Mon Feb 24 08:14:34.717484 2025] [ssl:info] [pid 43450708] AH01914: Configuring server nimvie.sozvers.at:443 for SSL protocol
[Mon Feb 24 08:14:34.718436 2025] [ssl:emerg] [pid 43450708] AH01903: Failed to configure CA certificate chain!


    ------------------------------
    I regret starting this entire conversation
    ------------------------------

    Original Message


  • 19.  RE: openssl3 and mod_ssl question

    Posted Fri February 28, 2025 05:51 AM

    The information provided above is not enough to figure out the issue. It would be helpful if you can provide more details.
    Could you please change the "LogLevel" field in httpd.conf file to "trace8" (LogLevel trace8), restart the server and share the resulting logs?



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 20.  RE: openssl3 and mod_ssl question

    Posted Mon March 03, 2025 05:09 AM

    already got it running...might have something to do with the "SSLCertificateChainFile" parameter is depreacated since httpd 2.4.8. by commenting it out in the config file and concating the cert and intermediate together the error is gone.

    why is this running wiht httpd 2.4.62 but not 2.4.63....i have no idea and i dont even care anymore.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------

    Original Message


  • 21.  RE: openssl3 and mod_ssl question

    Posted Wed March 26, 2025 10:56 AM

    Reshma,

    Thank you for all your support with these Apache updates.  Do you have any information on what the next available OpenSSL 3 version will be for AIX 7.1.   It looks like 7.2 is updated to OpenSSL 3.0.15, but not sure what version will be available for your Apache builds on AIX 7.1.  We are glad for the OpenSSL3 currently updated, but scanning is now requiring 3.0.15 or higher on the Apache OpenSSL.

    Please advise on anytime lines for the next Apache build that updates to newer version of OpenSSL3.



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 22.  RE: openssl3 and mod_ssl question

    Posted Mon April 07, 2025 06:26 PM

    Reshma,

    Do you have any timeline on when a new Apache package can be available with Apache 2.4.63 and a version of OpenSSL >= 3.0.15?

    We have number of vulnerabilities now being flagged on Apache Openssl versions < 3.0.15



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 23.  RE: openssl3 and mod_ssl question

    Posted Thu April 10, 2025 05:13 AM
    Edited by RESHMA KUMAR Thu April 10, 2025 06:01 AM

    Hi Michael,

    We are working on making httpd 2.4.63 available in AIX Toolbox by next week. 
    Regarding openssl, 3.0.15 is already available in AIX web download site. Please download and install it from there.
    https://www.ibm.com/resources/mrs/assets/DownloadList?source=aixbp&lang=en_US



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 24.  RE: openssl3 and mod_ssl question

    Posted Thu April 10, 2025 06:17 PM

    Reshma, 

    Excellent, do you know what OpenSSL version you will be compiling for Apache 2.4.63?



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 25.  RE: openssl3 and mod_ssl question

    Posted Fri April 11, 2025 10:10 AM

    Hi Michael,

    We won't be compiling OpenSSL but will use the already available openssl 3.0.15 to compile Apache 2.4.63. 
    Apache is dynamically linked to the openssl library. So, during runtime it will make use of the installed openssl.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 26.  RE: openssl3 and mod_ssl question

    Posted Mon April 21, 2025 01:57 AM

    Hi Michael, 
    httpd-2.4.63-1.aix7.1.ppc.rpm is now available in AIX Toolbox. Please use DNF to update to this version.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


  • 27.  RE: openssl3 and mod_ssl question

    Posted Fri May 30, 2025 08:42 AM

    Hi Reshma,

    I have upgraded,

    httpd.ppc                                         2.4.63-1                       @AIX_Toolbox

    mod_ssl.ppc                                       2.4.63-1                    @AIX_Toolbox

    In error_log getting,

     AH01876: mod_ssl/2.4.63 compiled against Server: Apache/2.4.63, Library: OpenSSL/3.0.13

     AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 3.0.13 30 Jan 2024 (OpenSSL 1.1.1x  30 Jan 2024), version currently loaded is 0x1010118F) - may result in undefined or erroneous behavior

    # openssl version
    OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

    Any ideas how to rectify please?  :)

    Kind regards,

    Brad



    ------------------------------
    Bradley Wells
    ------------------------------

    Original Message


  • 28.  RE: openssl3 and mod_ssl question

    Posted 10 days ago

    Hey Reshma,

    Hate to sound like a broken record, but Apache just released their latest version 2.4.64 and we are already getting flagged for vulnerabilities. Can you let us know where this release is on your roadmap to deliver a update package. Appreciate all your help



    ------------------------------
    Michael Larsen
    ------------------------------

    Original Message


  • 29.  RE: openssl3 and mod_ssl question

    Posted 9 days ago

    Hi Michael,
    httpd 2.4.64 is available in AIX Toolbox. This version has fix for the following CVEs
    CVE-2025-53020
    CVE-2025-49812
    CVE-2025-49630
    CVE-2025-23048
    CVE-2024-47252
    CVE-2024-43394
    CVE-2024-43204
    CVE-2024-42516
    Also, community has recently released 2.4.65. We are working on updating to this version. It will be available in couple of weeks.



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Original Message


Related Content