XCP-ng
    openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?

    Scheduled Pinned Locked Moved Development
    11 Posts 4 Posters 571 Views 3 Watching
    • olivierlambertO Online
      olivierlambert Vates 🪐 Co-Founder CEO
      last edited by

      Hi,

      Can you explain what is the functional need first?

      • DanpD Offline
        Danp Pro Support Team
        last edited by

        Check out the pending updates that were released earlier today.

        • S Offline
          sapcode
          last edited by

          Hi Olivier,

          The issue is when using curl and wget, which both use openssl (OpenSSL 1.0.2k-fips 26 Jan 2017), in bash scripts: some servers are not allowing communication with TLS lower than or equal to tls1_2, and the following error is thrown:

          openssl s_client -connect ssl-tools.net:443
          CONNECTED(00000003)
          139843806320528:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769
          Secure Renegotiation IS NOT supported
          

          We tested the same call from another linux machine using "OpenSSL 1.1.1t-freebsd 7 Feb 2023" and it worked fine:

          openssl s_client -connect ssl-tools.net:443
          
          Peer signing digest: SHA256
          Peer signature type: ECDSA
          Server Temp Key: X25519, 253 bits
          ---
          SSL handshake has read 2371 bytes and written 379 bytes
          Verification: OK
          ---
          New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
          Server public key is 256 bit
          Secure Renegotiation IS NOT supported
          

          Best regards
          User

          • S Offline
            sapcode @Danp
            last edited by sapcode

            @Danp can you please do a quick test on your machine to see if this will work after applying the pending updates:

            openssl s_client -connect ssl-tools.net:443
            
            • olivierlambertO Online
              olivierlambert Vates 🪐 Co-Founder CEO
              last edited by

              @sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

              openssl s_client -connect ssl-tools.net:443

              # openssl s_client -connect ssl-tools.net:443
              CONNECTED(00000003)
              140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
              ---
              no peer certificate available
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 7 bytes and written 289 bytes
              ---
              New, (NONE), Cipher is (NONE)
              Secure Renegotiation IS NOT supported
              Compression: NONE
              Expansion: NONE
              No ALPN negotiated
              SSL-Session:
                  Protocol  : TLSv1.2
                  Cipher    : 0000
                  Session-ID: 
                  Session-ID-ctx: 
                  Master-Key: 
                  Key-Arg   : None
                  Krb5 Principal: None
                  PSK identity: None
                  PSK identity hint: None
                  Start Time: 1730903848
                  Timeout   : 300 (sec)
                  Verify return code: 0 (ok)
              ---
              
              
              • S Offline
                sapcode @olivierlambert
                last edited by

                @olivierlambert so you get the same error even after applying the pending updates?

                • olivierlambertO Online
                  olivierlambert Vates 🪐 Co-Founder CEO
                  last edited by olivierlambert

                  I don't know, I just made the update and executed the command; up to you to tell me what you are expecting from it 🙂

                  • S Offline
                    sapcode @olivierlambert
                    last edited by sapcode

                    @olivierlambert this error line from your call shows that the updates are not fixing the issue:

                    140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
                    

                    A correct output, which you can reproduce with any openssl version higher than or equal to 1.1.1, looks like this:

                    openssl s_client -connect ssl-tools.net:443
                    CONNECTED(00000003)
                    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
                    verify return:1
                    depth=1 C = US, O = Let's Encrypt, CN = E6
                    verify return:1
                    depth=0 CN = ssl-tools.net
                    verify return:1
                    ---
                    Certificate chain
                     0 s:CN = ssl-tools.net
                       i:C = US, O = Let's Encrypt, CN = E6
                     1 s:C = US, O = Let's Encrypt, CN = E6
                       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
                    ---
                    Server certificate
                    -----BEGIN CERTIFICATE-----
                    MIIDfDCCAwKgAwIBAgISAwe686407pktUx6L9xPVL1ZsMAoGCCqGSM49BAMDMDIx
                    CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
                    NjAeFw0yNDA5MTYxNjMwMTZaFw0yNDEyMTUxNjMwMTVaMBgxFjAUBgNVBAMTDXNz
                    bC10b29scy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASX0K6Lk50W7c5e
                    oInqD7aIThmZDpyP+fK8QSP6/bg77XrN/hxovn+ruTYWpfMiBAp4QI0JZbwYvUWs
                    0YNrpColo4ICEDCCAgwwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUF
                    BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQIz+2YvUOQXQMM
                    lvk9SGwHxLrMZzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggr
                    BgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAi
                    BggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzAYBgNVHREEETAPgg1z
                    c2wtdG9vbHMubmV0MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIE
                    AgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4AAAGR
                    ++E2+wAABAMARzBFAiAndRz0BOt7p6ZPW0LM70zHu0hIsO0FzjSrL566uNLIuQIh
                    AL0VFL/qfax8P3qWTaXqlrETL6Ro4bDF1BMtZbLhF83nAHcA3+FW66oFr7WcD4Zx
                    jajAMk6uVtlup/WlagHRwTu+UlwAAAGR++E3xQAABAMASDBGAiEA9kbdYv9Jf+Lt
                    hE8I2IsYaW0cyTO1KP6Of8IFBn2y/W0CIQCaNM1+tvQ5eYKE3GN0Ln0IYZniWaH5
                    v7OhnxzdTgm+0jAKBggqhkjOPQQDAwNoADBlAjEAtffvHcb5z4g2MxxdD6aAK7M5
                    Nfdy0SeeGAgyzsxolMyyFwkMtmLi0svYVvBYznR1AjB1STPF0cvcy8S5CfEbt/sR
                    0L59P09hLMTvqV2xqumaXo5Upd6JbaF0oLaD8wXpGl0=
                    -----END CERTIFICATE-----
                    subject=CN = ssl-tools.net
                    issuer=C = US, O = Let's Encrypt, CN = E6
                    ---
                    No client certificate CA names sent
                    Peer signing digest: SHA256
                    Peer signature type: ECDSA
                    Server Temp Key: X25519, 253 bits
                    ---
                    SSL handshake has read 2371 bytes and written 379 bytes
                    Verification: OK
                    ---
                    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
                    Server public key is 256 bit
                    Secure Renegotiation IS NOT supported
                    Compression: NONE
                    Expansion: NONE
                    No ALPN negotiated
                    Early data was not sent
                    Verify return code: 0 (ok)
                    ---
                    ---
                    Post-Handshake New Session Ticket arrived:
                    SSL-Session:
                        Protocol  : TLSv1.3
                        Cipher    : TLS_AES_128_GCM_SHA256
                        Session-ID: BC6467F92591807810680DA798C335BDE23409C87BB0A5BC3F2A07F8AD2557B8
                        Session-ID-ctx:
                        Resumption PSK: 285BC2D246C8D2026C71B0ADBAC8F93AC7287A44580AECE5B06881AAC701C037
                        PSK identity: None
                        PSK identity hint: None
                        SRP username: None
                        TLS session ticket lifetime hint: 604800 (seconds)
                        TLS session ticket:
                        0000 - 4b ef 37 0e 69 7d 6e f9-2f 15 51 e1 2b 1a 22 78   K.7.i}n./.Q.+."x
                        0010 - e1 ba 22 dd 99 ed 6a eb-c5 b1 8e 06 3c 63 65 fb   .."...j.....<ce.
                        0020 - a3 a8 14 63 0f bf 43 f2-7a fb c4 cd 3f 3d 7b a0   ...c..C.z...?={.
                        0030 - 73 cc b0 d1 1d a6 35 30-b9 51 48 1a e8 d5 45 67   s.....50.QH...Eg
                        0040 - 9a c1 cf bf f3 1b 77 62-e0 91 0e a0 68 3d 5f 7d   ......wb....h=_}
                        0050 - ae 3f d5 1e 58 3c 24 b2-bd 44 4d 22 41 c7 37 b5   .?..X<$..DM"A.7.
                        0060 - 6b 64 9a dd 72 c2 85 d1-f4                        kd..r....
                    
                        Start Time: 1730967208
                        Timeout   : 7200 (sec)
                        Verify return code: 0 (ok)
                        Extended master secret: no
                        Max Early Data: 0
                    ---
                    read R BLOCK
                    

                    I guess that the error has to do with TLS 1.3 (https://wiki.openssl.org/index.php/TLS1.3): support was introduced in openssl 1.1.1, and servers which don't allow downgrading to TLS 1.2 / 1.1 will simply fail in openssl 1.0.2 with the above error line.

                    As per TLS 1.3: the new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration; that looks like the root problem. If servers enforce this, then openssl 1.0.2 will fail to establish a connection at all.

                    The next option would be to manually build openssl 1.1.1 in XCP 8.2.1 itself. @olivierlambert could you please test if these steps will work and not break an existing XCP installation?

                    # uninstall - this may uninstall xcp-ng-deps as well, don't know if this has breaking impact to XCP
                    yum remove openssl
                    
                    # Install required packages
                    yum install -y make gcc perl-core pcre-devel wget zlib-devel
                    
                    # Download the latest version of OpenSSL source code
                    wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
                    
                    # Uncompress the source file
                    tar -xzvf openssl-1.1.1k.tar.gz
                    
                    # Change to the OpenSSL directory
                    cd openssl-1.1.1k
                    
                    # Configure the package for compilation
                    ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
                    
                    # Compile package
                    make
                    
                    # Test compiled package
                    make test
                    
                    # Install compiled package
                    make install
                    
                    # Create an environment variable file that exports the library path
                    vim /etc/profile.d/openssl.sh
                    
                    # Add the following content
                    export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
                    
                    # Load the environment variable
                    source /etc/profile.d/openssl.sh
                    
                    # Verify the OpenSSL version
                    openssl version
                    

                    These two blogs show how to build openssl 1.1.1 in CentOS 7 manually; I haven't tried them yet in an existing XCP installation:

                    Blog 1: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c
                    Blog 2: https://computingforgeeks.com/how-to-install-openssl-1-1-on-centos-rhel-7/?utm_content=cmp-true

                    Hope it will work
                    Best regards
                    User

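The two `openssl s_client` transcripts in this thread show why a script cannot rely on the exit status or on `Verify return code: 0 (ok)` alone: the failed 1.0.2 run still prints `Verify return code: 0 (ok)` because no certificate was ever received. The following helper is an added example (not code from the thread or from the XCP-ng project) that classifies an `s_client` transcript from the lines that actually matter, the `error:...:SSL routines:...` line and the `New, <protocol>, Cipher is <cipher>` line, and reports whether the local Python `ssl` module's OpenSSL build can speak TLS 1.3. The sample transcripts are abridged copies of the outputs pasted above; the `diagnose` wording restates the thread's hypothesis (server requires a version this OpenSSL cannot offer) and is an assumption, not a confirmed root cause.

```python
import re
import ssl

# Constructed sample: abridged copy of the OpenSSL 1.0.2 transcript pasted in this thread.
OLD_OPENSSL_OUTPUT = """CONNECTED(00000003)
140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed sample: abridged copy of the OpenSSL 1.1.1 transcript pasted in this thread.
NEW_OPENSSL_OUTPUT = """CONNECTED(00000003)
depth=0 CN = ssl-tools.net
verify return:1
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
    Verify return code: 0 (ok)
"""

# "<pid>:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:"
ERROR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+)"
)
# "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256"  or  "New, (NONE), Cipher is (NONE)"
NEW_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>.+)$", re.MULTILINE)


def parse_s_client(output):
    """Summarise an `openssl s_client` transcript.

    The handshake counts as successful only if a real protocol and cipher were
    negotiated; "Verify return code: 0 (ok)" is only trusted in that case, since
    the failed run above prints it too (nothing was verified, so nothing failed).
    """
    result = {"handshake_ok": False, "protocol": None, "cipher": None,
              "error": None, "verify_ok": False}
    m = ERROR_RE.search(output)
    if m:
        result["error"] = m.group("reason")
    m = NEW_RE.search(output)
    if m and m.group("proto") != "(NONE)" and m.group("cipher") != "(NONE)":
        result["handshake_ok"] = True
        result["protocol"] = m.group("proto")
        result["cipher"] = m.group("cipher")
    result["verify_ok"] = result["handshake_ok"] and "Verify return code: 0 (ok)" in output
    return result


def diagnose(result):
    """Turn the parsed summary into a one-line message for a script log."""
    if result["handshake_ok"]:
        return "ok: %s with %s" % (result["protocol"], result["cipher"])
    if result["error"] == "tlsv1 alert internal error":
        # Assumption from the thread: the server rejected the ClientHello, which is
        # consistent with it requiring a version (TLS 1.3) this OpenSSL cannot offer.
        return "failed: server alert during ClientHello (client OpenSSL too old?)"
    return "failed: %s" % (result["error"] or "unknown error")


def local_tls13_support():
    """Report which OpenSSL this Python links against and whether it has TLS 1.3."""
    return ssl.OPENSSL_VERSION, bool(ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    for label, text in (("1.0.2 transcript", OLD_OPENSSL_OUTPUT),
                        ("1.1.1 transcript", NEW_OPENSSL_OUTPUT)):
        print(label, "->", diagnose(parse_s_client(text)))
    version, has13 = local_tls13_support()
    print("local:", version, "TLS 1.3 available:", has13)
```

In a bash script the same check is the difference between grepping for `^New, (NONE)` versus `^New, TLSv1.3`: only the latter proves the connection was established, and only then does the verify line mean anything.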
                    • olivierlambertO Online
                      olivierlambert Vates 🪐 Co-Founder CEO
                      last edited by

                      Ping @stormi

                      • stormiS Offline
                        stormi Vates 🪐 XCP-ng Team @sapcode
                        last edited by stormi

                        CCing @bleader too.

                        @sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

                        Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:

                        The second option. And actually it's not openssl you're looking for, it's openssl-libs, and removing it will not even work, as it attempts to remove yum and systemd which depend on it and are protected.

                        Note that we do offer openssl 1.1.1 through the xs-openssl-libs package, and that is what XAPI uses for communication instead of the system one. However you'd have to patch and rebuild curl or wget so that they use it, and this definitely voids your warranty.

                        You are going on a journey that is far more difficult than you initially expected, I fear. So I'd start questioning the initial needs again.

                        1. Why do you need to contact websites such as ssl-tools.net from dom0?
                        2. Can't you do it from a VM?