I built the module against 1.1.2.X and it worked...
Original Message:
Sent: Mon March 20, 2023 10:19 AM
From: Ayappan P
Subject: openssl v3: broken backward compatibility
Yes, if you are building against OpenSSL 1.1.2.X, then you should be able to run it against OpenSSL 1.1.1.X. (The vice versa is the problem.)
Do you see any problem building it against 1.1.2.X?
------------------------------
Ayappan P
Original Message:
Sent: Mon March 20, 2023 10:03 AM
From: C- -T
Subject: openssl v3: broken backward compatibility
are these rebuilt binaries runnable with OpenSSL 1.1.1.X? because otherwise we need to upgrade all our lpars to OpenSSL 1.1.2.X, which is simply not possible.
btw...the Net::SSLeay module can NOT be built against OpenSSL 1.1.2.X so this approach leads nowhere.
------------------------------
I regret starting this entire conversation
Original Message:
Sent: Mon March 20, 2023 09:55 AM
From: Ayappan P
Subject: openssl v3: broken backward compatibility
As far as I know, OpenSSL 1.1.1.X exports some symbols (probably deprecated or not recommended) which are not there in OpenSSL 1.1.2.X.
In OpenSSL 3, I think the "so.1.1" library is taken from the 1.1.2.X build. So one has to build software against the OpenSSL 1.1.2.X fileset.
------------------------------
Ayappan P
Original Message:
Sent: Mon March 20, 2023 09:43 AM
From: C- -T
Subject: openssl v3: broken backward compatibility
during our upgrade task to aix 7.3 and the included openssl v3 we ran into a critical openssl compat problem.
some crucial software parts which were compiled against openssl 1.1.1.1201 are throwing runtime errors after the forced openssl v3 upgrade in aix 7.3.
example with perl's Net::SSLeay module:
build host:
root@hsr5s1p8: /root # oslevel -s
7200-05-03-2148
root@hsr5s1p8: /root # lslpp -l | grep -i openssl
  openssl.base 1.1.1.1201 COMMITTED Open Secure Socket Layer
  openssl.license 1.1.1.1201 COMMITTED Open Secure Socket License
  openssl.man.en_US 1.1.1.1201 COMMITTED Open Secure Socket Layer
  openssl.base 1.1.1.1201 COMMITTED Open Secure Socket Layer
root@hsr5s1p8: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use IO::Socket::SSL'
root@hsr5s1p8: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
host with aix 7.3 and latest openssl v3 throwing errors:
root@aixtestha1c2: /root # oslevel -s
7300-01-01-2246
root@aixtestha1c2: /root # lslpp -l | grep -i openssl
  openssl.base 3.0.8.1000 COMMITTED Open Secure Socket Layer
  openssl.license 3.0.8.1000 COMMITTED Open Secure Socket License
  openssl.man.en_US 3.0.8.1000 COMMITTED Open Secure Socket Layer
  openssl.base 3.0.8.1000 COMMITTED Open Secure Socket Layer
root@aixtestha1c2: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
Can't load '/opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so' for module Net::SSLeay: Symbol resolution failed for /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so because:
 Symbol SSL_CTX_set_psk_client_callback (number 543) is not exported from dependent module /usr/lib/libssl.a[libssl.so.1.1].
 Symbol SSL_set_psk_client_callback (number 544) is not exported from dependent module /usr/lib/libssl.a[libssl.so.1.1].
Could not load module /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so.
System error: Exec format error
Examine .loader section symbols with the 'dump -Tv' command. at /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/DynaLoader.pm line 206.
 at -e line 1.
Compilation failed in require at -e line 1.
BEGIN failed--compilation aborted at -e line 1.
this is a major problem because many critical jobs depend on this perl functionality. i am not entirely sure what's the deal here, but the /usr/lib/libssl.a[libssl.so.1.1] (libcrypto.a?) file in the latest openssl v3 webdownload is definitely not backward compatible to openssl v1 and can be considered BROKEN.
and before you ask, no, the Net::SSLeay can not be rebuilt against openssl v3. generally not very clever to force an upgrade to openssl v3 as there are many software projects which are not even rudimentarily ready for openssl v3.
how to proceed?
chris
------------------------------
I regret starting this entire conversation
------------------------------
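The loader error in the original post points at 'dump -Tv'. As an added example (not part of the thread and not the posters' or IBM's code), the script below lists every symbol a module imports from one archive member that the member does not export, so the check can run before an upgrade rather than at load time. The dump excerpts are constructed, the column layout and the "archive[member]:" header are assumptions about dump's output, and another_member.so is a hypothetical name.

```shell
#!/bin/sh
# On a real host the two inputs would come from (paths as in the post):
#   dump -X32_64 -Tv .../auto/Net/SSLeay/SSLeay.so > module.txt
#   dump -X32_64 -Tv /usr/lib/libssl.a             > library.txt

# usage: missing_imports MODULE_DUMP LIBRARY_DUMP MEMBER
# Prints symbols imported from MEMBER that MEMBER itself does not export.
missing_imports() {
    awk -v member="$3" '
        /:$/ { section = $0; next }        # "archive[member]:" header line
        !/^\[[0-9]+\]/ { next }            # keep loader symbol rows only
        {
            kind = ""                      # IMEX column: IMP, EXP or empty
            for (i = 2; i < NF; i++)
                if ($i == "IMP" || $i == "EXP") kind = $i
        }
        FNR == NR {                        # first file: the library dump
            if (kind == "EXP" && index(section, member)) exported[$NF] = 1
            next
        }
        # second file: the module dump; $(NF-1) is the import file id
        kind == "IMP" && index($(NF-1), member) && !($NF in exported) { print $NF }
    ' "$2" "$1"
}

# Constructed sample data, not captured from a real system.
write_samples() {
    cat > "$1/module.txt" <<'EOF'
SSLeay.so:
[0]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_new
[1]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_CTX_set_psk_client_callback
[2]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_set_psk_client_callback
[3]     0x00000000    undef      IMP     DS EXTref libc.a(shr_64.o) malloc
EOF
    cat > "$1/library.txt" <<'EOF'
/usr/lib/libssl.a[libssl.so.1.1]:
[0]     0x00011110    .data      EXP     DS SECdef        [noIMid] SSL_new
/usr/lib/libssl.a[another_member.so]:
[0]     0x00022220    .data      EXP     DS SECdef        [noIMid] SSL_new
[1]     0x00022230    .data      EXP     DS SECdef        [noIMid] SSL_CTX_set_psk_client_callback
EOF
}

tmp=${TMPDIR:-/tmp}/dumpcheck.$$
mkdir -p "$tmp" && write_samples "$tmp"
missing_imports "$tmp/module.txt" "$tmp/library.txt" libssl.so.1.1
rm -rf "$tmp"
```

Exports are counted only under the named member's header, because an export found in a different member of the same archive does not satisfy an import bound to libssl.so.1.1.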