XCP-ng
    openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?

    11 Posts 4 Posters 607 Views 3 Watching
    sapcode

      Dear XCP team,

      Is it possible to update or manually build openssl 1.1.1 in 8.2.1?

      1. Would it be safe to run yum remove openssl as the first step, or would this break the XCP installation:
      Dependencies Resolved
      ===========================================================================================================================================================================================
       Package                                         Arch                              Version                                           Repository                                       Size
      ===========================================================================================================================================================================================
      Removing:
       openssl                                         x86_64                            1:1.0.2k-26.2.xcpng8.2                            @xcp-ng-testing                                 814 k
      Removing for dependencies:
       awscli                                          noarch                            1.23.2-1.el7_9.1                                  @updates                                        9.0 M
       openssl-perl                                    x86_64                            1:1.0.2k-26.2.xcpng8.2                            @xcp-ng-testing                                  28 k
       python2-cryptography                            x86_64                            1.7.2-2.el7                                       @base                                           2.6 M
       xcp-ng-deps                                     noarch                            8.2.0-12                                          @install/$releasever                            0.0
      
      Transaction Summary
      ===========================================================================================================================================================================================
      Remove  1 Package (+4 Dependent packages)
      Installed size: 12 M
      

      We found the following manual steps describing how to build openssl 1.1.1 in CentOS 7 here: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c but can't test it on our server:

      # Requirements Upgrade the system
      yum -y update
      
      # Install required packages
      yum install -y make gcc perl-core pcre-devel wget zlib-devel
      
      # Download the latest version of OpenSSL source code
      wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
      
      # Configure, build and install OpenSSL Uncompress the source file
      tar -xzvf openssl-1.1.1k.tar.gz
      
      # Change to the OpenSSL directory
      cd openssl-1.1.1k
      
      # Configure the package for compilation
      ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
      
      # Compile package
      make
      
      # Test compiled package
      make test
      
      # Install compiled package
      make install
      
      # Export library path Create environment variable file
      vim /etc/profile.d/openssl.sh
      
      # Add the following content
      export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
      
      # Load the environment variable
      source /etc/profile.d/openssl.sh
      
      # Verify the OpenSSL version
      openssl version
      
      2. Can anyone here perform the test, or are there any other possibilities to get openssl 1.1.1 in XCP 8.2.1?

      Best regards
      User

      olivierlambert (Vates Co-Founder CEO)

        Hi,

        Can you explain what is the functional need first?

        Danp (Pro Support Team)

          Check out the pending updates that were released earlier today.

          sapcode

            Hi Olivier,

            The issue is that curl and wget, which both use openssl (OpenSSL 1.0.2k-fips 26 Jan 2017), are used in bash scripts, and some servers do not allow communication with TLS versions lower than or equal to tls1_2, so the following error is thrown:

            openssl s_client -connect ssl-tools.net:443
            CONNECTED(00000003)
            139843806320528:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769
            Secure Renegotiation IS NOT supported
            

            We tested the same call from another linux machine using "OpenSSL 1.1.1t-freebsd 7 Feb 2023" and it worked fine:

            openssl s_client -connect ssl-tools.net:443
            
            Peer signing digest: SHA256
            Peer signature type: ECDSA
            Server Temp Key: X25519, 253 bits
            ---
            SSL handshake has read 2371 bytes and written 379 bytes
            Verification: OK
            ---
            New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
            Server public key is 256 bit
            Secure Renegotiation IS NOT supported
            

            Best regards
            User

            sapcode @Danp

              @Danp can you please do a quick test on your machine to see if this will work after applying the pending updates:

              openssl s_client -connect ssl-tools.net:443
              
              olivierlambert (Vates Co-Founder CEO)

                @sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

                openssl s_client -connect ssl-tools.net:443

                # openssl s_client -connect ssl-tools.net:443
                CONNECTED(00000003)
                140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
                ---
                no peer certificate available
                ---
                No client certificate CA names sent
                ---
                SSL handshake has read 7 bytes and written 289 bytes
                ---
                New, (NONE), Cipher is (NONE)
                Secure Renegotiation IS NOT supported
                Compression: NONE
                Expansion: NONE
                No ALPN negotiated
                SSL-Session:
                    Protocol  : TLSv1.2
                    Cipher    : 0000
                    Session-ID: 
                    Session-ID-ctx: 
                    Master-Key: 
                    Key-Arg   : None
                    Krb5 Principal: None
                    PSK identity: None
                    PSK identity hint: None
                    Start Time: 1730903848
                    Timeout   : 300 (sec)
                    Verify return code: 0 (ok)
                ---
                
                
                sapcode @olivierlambert

                  @olivierlambert so you get the same error even after applying the pending updates?

                  olivierlambert (Vates Co-Founder CEO)

                    I don't know, I just made the update and executed the command; up to you to tell me what you are expecting from it 🙂

                    sapcode @olivierlambert

                      @olivierlambert this error line from your call shows that the updates are not fixing the issue:

                      140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
                      

                      A correct output, which you can reproduce with any openssl version higher than or equal to 1.1.1, looks like this:

                      openssl s_client -connect ssl-tools.net:443
                      CONNECTED(00000003)
                      depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
                      verify return:1
                      depth=1 C = US, O = Let's Encrypt, CN = E6
                      verify return:1
                      depth=0 CN = ssl-tools.net
                      verify return:1
                      ---
                      Certificate chain
                       0 s:CN = ssl-tools.net
                         i:C = US, O = Let's Encrypt, CN = E6
                       1 s:C = US, O = Let's Encrypt, CN = E6
                         i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
                      ---
                      Server certificate
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      subject=CN = ssl-tools.net
                      issuer=C = US, O = Let's Encrypt, CN = E6
                      ---
                      No client certificate CA names sent
                      Peer signing digest: SHA256
                      Peer signature type: ECDSA
                      Server Temp Key: X25519, 253 bits
                      ---
                      SSL handshake has read 2371 bytes and written 379 bytes
                      Verification: OK
                      ---
                      New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
                      Server public key is 256 bit
                      Secure Renegotiation IS NOT supported
                      Compression: NONE
                      Expansion: NONE
                      No ALPN negotiated
                      Early data was not sent
                      Verify return code: 0 (ok)
                      ---
                      ---
                      Post-Handshake New Session Ticket arrived:
                      SSL-Session:
                          Protocol  : TLSv1.3
                          Cipher    : TLS_AES_128_GCM_SHA256
                          Session-ID: BC6467F92591807810680DA798C335BDE23409C87BB0A5BC3F2A07F8AD2557B8
                          Session-ID-ctx:
                          Resumption PSK: 285BC2D246C8D2026C71B0ADBAC8F93AC7287A44580AECE5B06881AAC701C037
                          PSK identity: None
                          PSK identity hint: None
                          SRP username: None
                          TLS session ticket lifetime hint: 604800 (seconds)
                          TLS session ticket:
                      
                          Start Time: 1730967208
                          Timeout   : 7200 (sec)
                          Verify return code: 0 (ok)
                          Extended master secret: no
                          Max Early Data: 0
                      ---
                      read R BLOCK
                      

                      I guess that the error has to do with TLS 1.3 (https://wiki.openssl.org/index.php/TLS1.3): support was introduced in openssl 1.1.1, and servers which don't allow downgrading to TLS 1.2 / 1.1 will simply fail in openssl 1.0.2 with the above error line.

                      As per TLS 1.3: "The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration." That looks like the root problem: if servers enforce this, then openssl 1.0.2 will fail to establish a connection at all.

                      The next option would be to manually build openssl 1.1.1 in XCP 8.2.1 itself. @olivierlambert could you please test if these steps will work and not break an existing XCP installation?

                      # uninstall - this may uninstall xcp-ng-deps as well, don't know if this has breaking impact to XCP
                      yum remove openssl
                      
                      # Install required packages
                      yum install -y make gcc perl-core pcre-devel wget zlib-devel
                      
                      # Download the latest version of OpenSSL source code
                      wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
                      
                      # Configure, build and install OpenSSL Uncompress the source file
                      tar -xzvf openssl-1.1.1k.tar.gz
                      
                      # Change to the OpenSSL directory
                      cd openssl-1.1.1k
                      
                      # Configure the package for compilation
                      ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
                      
                      # Compile package
                      make
                      
                      # Test compiled package
                      make test
                      
                      # Install compiled package
                      make install
                      
                      # Export library path Create environment variable file
                      vim /etc/profile.d/openssl.sh
                      
                      # Add the following content
                      export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
                      
                      # Load the environment variable
                      source /etc/profile.d/openssl.sh
                      
                      # Verify the OpenSSL version
                      openssl version
                      

                      These two blogs show how to build openssl 1.1.1 in CentOS 7 manually; I haven't tried them yet in an existing XCP installation:

                      Blog 1: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c
                      Blog 2: https://computingforgeeks.com/how-to-install-openssl-1-1-on-centos-rhel-7/?utm_content=cmp-true

                      Hope it will work
                      Best regards
                      User

                        olivierlambert (Vates Co-Founder CEO)
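As an added diagnostic (not code from this thread or from the XCP-ng project), a Python script that classifies openssl s_client transcripts like the two quoted above and reports whether the local OpenSSL can offer TLS 1.3 at all, which is the first thing to rule out on the client side. The transcripts are constructed from the quoted outputs; probe_tls_version is a hypothetical helper for repeating the check with a pinned protocol version and needs network access, so the offline checks do not call it.

```python
import re
import socket
import ssl

# Constructed from the two transcripts quoted in this thread: the OpenSSL 1.0.2k run that
# fails in SSL23_GET_SERVER_HELLO and the OpenSSL 1.1.1 run that negotiates TLS 1.3.
FAILING_RUN = """CONNECTED(00000003)
140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
WORKING_RUN = """CONNECTED(00000003)
depth=0 CN = ssl-tools.net
verify return:1
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
"""

# "<pid>:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:" as printed by OpenSSL 1.0.x
ERROR_RE = re.compile(r"^\d+:error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+)", re.M)
# "New, <protocol>, Cipher is <cipher>"; protocol is "(NONE)" when no handshake completed
NEW_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)

def classify_s_client(output):
    """Summarise an `openssl s_client` transcript: whether the handshake completed,
    the negotiated protocol and cipher, and the first SSL-routines error if any."""
    result = {"handshake_ok": False, "protocol": None, "cipher": None, "error": None}
    m = ERROR_RE.search(output)
    if m:
        result["error"] = "%s %s: %s" % (m.group("code"), m.group("func"), m.group("reason"))
    m = NEW_RE.search(output)
    if m and m.group("proto") != "(NONE)":
        result.update(handshake_ok=True, protocol=m.group("proto"), cipher=m.group("cipher"))
    return result

def local_tls13_support():
    """Which OpenSSL this interpreter links against and whether it can offer TLS 1.3 at all
    (a 1.0.2k build cannot, 1.1.1 and later can), so the client side can be ruled out first."""
    return {"openssl": ssl.OPENSSL_VERSION, "tls13": bool(getattr(ssl, "HAS_TLSv1_3", False))}

def probe_tls_version(host, port, version):
    """Hypothetical helper: one handshake with minimum and maximum pinned to `version`; returns
    the negotiated version or None if the server rejected it. Needs network, so not run offline."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None

if __name__ == "__main__":
    print(local_tls13_support())
    for label, run in (("OpenSSL 1.0.2k", FAILING_RUN), ("OpenSSL 1.1.1", WORKING_RUN)):
        print(label, classify_s_client(run))
```

Running the script on a host prints whether its own OpenSSL supports TLS 1.3 before any server is blamed; a client that reports tls13 False will reproduce the 1.0.2k transcript against a TLS 1.3-only server.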

                        Ping @stormi

                          stormi (Vates XCP-ng Team) @sapcode

                          CCing @bleader too.

                          @sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

                          Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:

                          The second option. And actually it's not openssl you're looking for, it's openssl-libs, and removing it will not even work, as it attempts to remove yum and systemd which depend on it and are protected.

                          Note that we do offer openssl 1.1.1 through the xs-openssl-libs package, and that is what XAPI uses for communication instead of the system one. However you'd have to patch and rebuild curl or wget so that they use it, and this definitely voids your warranty.

                          You are going on a journey that is far more difficult than you initially expected, I fear. So I'd start questioning the initial needs again.

                          1. Why do you need to contact websites such as ssl-tools.net from dom0?
                          2. Can't you do it from a VM?