AIX Open Source

  • 1.  openssl v3: broken backward compatibility

    Posted Mon March 20, 2023 09:43 AM
    Edited by C- -T Mon March 20, 2023 09:44 AM

    during our upgrade task to aix 7.3 and the included openssl v3 we ran into a critical openssl compat problem.

    some crucial software parts which were compiled against openssl 1.1.1.1201 are throwing runtime errors after the forced openssl v3 upgrade in aix 7.3.

    example with perl's Net::SSLeay module:

    build host:

    root@hsr5s1p8: /root # oslevel -s
    7200-05-03-2148
    root@hsr5s1p8: /root # lslpp -l | grep -i openssl
      openssl.base            1.1.1.1201  COMMITTED  Open Secure Socket Layer
      openssl.license         1.1.1.1201  COMMITTED  Open Secure Socket License
      openssl.man.en_US       1.1.1.1201  COMMITTED  Open Secure Socket Layer
      openssl.base            1.1.1.1201  COMMITTED  Open Secure Socket Layer
    root@hsr5s1p8: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use IO::Socket::SSL'
    root@hsr5s1p8: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
    

    host with aix 7.3 and latest openssl v3 throwing errors

    root@aixtestha1c2: /root # oslevel -s
    7300-01-01-2246
    root@aixtestha1c2: /root # lslpp -l | grep -i openssl
      openssl.base            3.0.8.1000  COMMITTED  Open Secure Socket Layer
      openssl.license         3.0.8.1000  COMMITTED  Open Secure Socket License
      openssl.man.en_US       3.0.8.1000  COMMITTED  Open Secure Socket Layer
      openssl.base            3.0.8.1000  COMMITTED  Open Secure Socket Layer
    root@aixtestha1c2: /root # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
    Can't load '/opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so' for module Net::SSLeay: Symbol resolution failed for /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so because:
            Symbol SSL_CTX_set_psk_client_callback (number 543) is not exported from dependent
              module /usr/lib/libssl.a[libssl.so.1.1].
            Symbol SSL_set_psk_client_callback (number 544) is not exported from dependent
              module /usr/lib/libssl.a[libssl.so.1.1].
    Could not load module /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/site_perl/auto/Net/SSLeay/SSLeay.so.
    System error: Exec format error
    Examine .loader section symbols with the 'dump -Tv' command. at /opt/itsv/applperlbin/install-5.36.0/lib/perl5/5.36/DynaLoader.pm line 206.
     at -e line 1.
    Compilation failed in require at -e line 1.
    BEGIN failed--compilation aborted at -e line 1.
    
    

    this is a major problem because many critical jobs depend on this perl functionality. i am not entirely sure what's the deal here, but the /usr/lib/libssl.a[libssl.so.1.1] (libcrypto.a?) file in the latest openssl v3 web download is definitely not backward compatible to openssl v1 and can be considered BROKEN.

    and before you ask, no, the Net::SSLeay can not be rebuilt against openssl v3. generally not very clever to force an upgrade to openssl v3 as there are many software projects which are not even rudimentarily ready for openssl v3.

    how to proceed?

    chris



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 2.  RE: openssl v3: broken backward compatibility

    Posted Mon March 20, 2023 09:55 AM

    As far as I know, OpenSSL 1.1.1.X exports some symbols (probably deprecated or not recommended) which are not there in OpenSSL 1.1.2.X.
    In OpenSSL 3, I think the "so.1.1" library is taken from the 1.1.2.X build. So one has to build software against the OpenSSL 1.1.2.X fileset.



    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: openssl v3: broken backward compatibility

    Posted Mon March 20, 2023 10:03 AM
    Edited by C- -T Mon March 20, 2023 10:07 AM

    are these rebuilt binaries runnable with OpenSSL 1.1.1.X? because otherwise we need to upgrade all our lpars to OpenSSL 1.1.2.X which is simply not possible.

    btw...the Net::SSLeay module can NOT be built against OpenSSL 1.1.2.X so this approach leads to nowhere.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 4.  RE: openssl v3: broken backward compatibility

    Posted Mon March 20, 2023 10:19 AM

    Yes, if you are building against OpenSSL 1.1.2.X, then you should be able to run it against OpenSSL 1.1.1.X. (The vice versa is the problem.)
    Do you see any problem building it against 1.1.2.X?



    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: openssl v3: broken backward compatibility

    Posted Mon March 20, 2023 10:42 AM

    i built the module against 1.1.2.X and it worked...

    root@aixtestha1c2: /software/openssl/openssl-1.1.2.1201 # lslpp -l | grep openssl
      openssl.base            1.1.2.1201  COMMITTED  Open Secure Socket Layer
      openssl.license         1.1.2.1201  COMMITTED  Open Secure Socket License
      openssl.man.en_US       1.1.2.1201  COMMITTED  Open Secure Socket Layer
      openssl.base            1.1.2.1201  COMMITTED  Open Secure Socket Layer
    
    root@aixtestha1c2: /software/openssl/openssl-1.1.2.1201 # /opt/itsv/applperlbin/active/bin/cpanm --reinstall Net::SSLeay -n
    --> Working on Net::SSLeay
    Fetching http://www.cpan.org/authors/id/C/CH/CHRISN/Net-SSLeay-1.92.tar.gz ... OK
    Configuring Net-SSLeay-1.92 ... OK
    Building Net-SSLeay-1.92 ... OK
    Successfully reinstalled Net-SSLeay-1.92
    1 distribution installed
    
    root@aixtestha1c2: /software/openssl/openssl-1.1.2.1201 # /opt/itsv/applperlbin/active/bin/perl -e 'use IO::Socket::SSL'
    root@aixtestha1c2: /software/openssl/openssl-1.1.2.1201 # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
    

    afterwards i downgraded to 1.1.1.X

    root@aixtestha1c2: /software/openssl/latest # installp -F -Y -d . all
    
    Installation Summary
    --------------------
    Name                        Level           Part        Event       Result
    -------------------------------------------------------------------------------
    openssl.man.en_US           1.1.1.1201      USR         APPLY       SUCCESS
    openssl.license             1.1.1.1201      USR         APPLY       SUCCESS
    openssl.base                1.1.1.1201      USR         APPLY       SUCCESS
    openssl.base                1.1.1.1201      ROOT        APPLY       SUCCESS
    root@aixtestha1c2: /software/openssl/latest # slibclean
    root@aixtestha1c2: /software/openssl/latest # slibclean
    root@aixtestha1c2: /software/openssl/latest # slibclean
    root@aixtestha1c2: /software/openssl/latest # /opt/itsv/applperlbin/active/bin/perl -e 'use Net::SSLeay'
    root@aixtestha1c2: /software/openssl/latest # /opt/itsv/applperlbin/active/bin/perl -e 'use IO::Socket::SSL'
    

    still no errors...looks promising for now...will do further testing



    ------------------------------
    I regret starting this entire conversation
    ------------------------------
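
The loader error in the first post points at `dump -Tv`; the script below is an added example (not part of the thread, and not IBM's or Net::SSLeay's code) that turns that hint into a pre-upgrade check: it compares the symbols a module imports from `libssl.so.1.1` with what the target library member exports. The function names, the sample listings and the assumed `dump -Tv` column layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: list symbols a module imports from one library that the
# target build of that library does not export.
# Inputs are saved `dump -Tv` loader-section listings. Assumed column layout:
#   [Index] Value Scn IMEX Sclass Type IMPid Name
# The library listing is assumed to hold only the one archive member named
# in the loader error (libssl.so.1.1 in the thread).

# missing_symbols <module.dump> <library.dump> <library-name-substring>
missing_symbols() {
    awk -v lib="$3" '
        # First file given to awk is the library listing: remember its exports.
        FILENAME == ARGV[1] { if ($4 == "EXP") exported[$NF] = 1; next }
        # Module listing: imports bound to the named library but not exported.
        $4 == "IMP" && index($(NF-1), lib) && !($NF in exported) { print $NF }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed sample: imports of a module built against the 1.1.1 fileset.
sample_module_dump() {
    cat <<'EOF'
[Index]      Value      Scn     IMEX Sclass   Type           IMPid Name

[0]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_new
[1]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_CTX_set_psk_client_callback
[2]     0x00000000    undef      IMP     DS EXTref libssl.a(libssl.so.1.1) SSL_set_psk_client_callback
[3]     0x00000000    undef      IMP     DS EXTref libc.a(shr.o) malloc
EOF
}

# Constructed sample: exports of a libssl.so.1.1 member lacking the PSK callbacks.
sample_library_dump() {
    cat <<'EOF'
[0]     0x20001000    .data      EXP     DS SECdef        [noIMid] SSL_new
[1]     0x20001010    .data      EXP     DS SECdef        [noIMid] SSL_free
EOF
}

# Run the comparison on the constructed samples.
check_sample() {
    tmp=$(mktemp -d) || return 1
    sample_module_dump > "$tmp/module.dump"
    sample_library_dump > "$tmp/lib.dump"
    missing_symbols "$tmp/module.dump" "$tmp/lib.dump" "libssl.so.1.1"
    rm -rf "$tmp"
}

check_sample
```

An empty result means every import from the named library resolves; any line printed is a symbol that would fail at load time on the target host.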