openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?
-
Dear XCP team,
is it possible to update or manual build openssl 1.1.1 in 8.2.1 ?
- Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:
Dependencies Resolved =========================================================================================================================================================================================== Package Arch Version Repository Size =========================================================================================================================================================================================== Removing: openssl x86_64 1:1.0.2k-26.2.xcpng8.2 @xcp-ng-testing 814 k Removing for dependencies: awscli noarch 1.23.2-1.el7_9.1 @updates 9.0 M openssl-perl x86_64 1:1.0.2k-26.2.xcpng8.2 @xcp-ng-testing 28 k python2-cryptography x86_64 1.7.2-2.el7 @base 2.6 M xcp-ng-deps noarch 8.2.0-12 @install/$releasever 0.0 Transaction Summary =========================================================================================================================================================================================== Remove 1 Package (+4 Dependent packages) Installed size: 12 MWe found the following manual steps how to build openssl 1.1.1 in CentOS 7 here: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c but can't test it on our server:
# Requirements Upgrade the system yum -y update # Install required packages yum install -y make gcc perl-core pcre-devel wget zlib-devel # Download the latest version of OpenSSL source code wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz # Configure, build and install OpenSSL Uncompress the source file tar -xzvf openssl-1.1.1k.tar.gz # Change to the OpenSSL directory cd openssl-1.1.1k # Configure the package for compilation ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic # Compile package make # Test compiled package make test # Install compiled package make install # Export library path Create environment variable file vim /etc/profile.d/openssl.sh # Add the following content export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64 # Load the environment variable source /etc/profile.d/openssl.sh # Verify the OpenSSL version openssl version- Can anyone here perform the test or are there any other possibilities to get openssl 1.1.1 in XCP 8.2.1 ?
Best regards
User -
Hi,
Can you explain what is the functional need first?
-
Check out the pending updates that were released earlier today.
-
Hi Oliver,
the issue is when using curl and wget which both uses openssl (OpenSSL 1.0.2k-fips 26 Jan 2017), in bash scripts some servers are not allowing communication with TLS lower/equal than tls1_2 and the following error is thrown:
openssl s_client -connect ssl-tools.net:443 CONNECTED(00000003) 139843806320528:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769 Secure Renegotiation IS NOT supportedWe tested the same call from another linux machine using "OpenSSL 1.1.1t-freebsd 7 Feb 2023" and it worked fine:
openssl s_client -connect ssl-tools.net:443 Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2371 bytes and written 379 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 256 bit Secure Renegotiation IS NOT supportedBest regards
User -
@Danp can you please do a quick test on you machine if this will work, after applying the pending updates:
openssl s_client -connect ssl-tools.net:443 -
@sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:
openssl s_client -connect ssl-tools.net:443
# openssl s_client -connect ssl-tools.net:443 CONNECTED(00000003) 140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 289 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1730903848 Timeout : 300 (sec) Verify return code: 0 (ok) --- -
@olivierlambert so you get the same error even after applying the pending updates ?
-
I don't know I just made the update and executed the command, up to you to tell me what are you expecting from it
-
@olivierlambert this error line from your call shows that the updates are not fixing the issue
140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:A correct output which you can reproduce with any version openssl higher or equal to 1.1.1 looks like this:
openssl s_client -connect ssl-tools.net:443 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = E6 verify return:1 depth=0 CN = ssl-tools.net verify return:1 --- Certificate chain 0 s:CN = ssl-tools.net i:C = US, O = Let's Encrypt, CN = E6 1 s:C = US, O = Let's Encrypt, CN = E6 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 --- Server certificate -----BEGIN CERTIFICATE----- MIIDfDCCAwKgAwIBAgISAwe686407pktUx6L9xPVL1ZsMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NjAeFw0yNDA5MTYxNjMwMTZaFw0yNDEyMTUxNjMwMTVaMBgxFjAUBgNVBAMTDXNz bC10b29scy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASX0K6Lk50W7c5e oInqD7aIThmZDpyP+fK8QSP6/bg77XrN/hxovn+ruTYWpfMiBAp4QI0JZbwYvUWs 0YNrpColo4ICEDCCAgwwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUF BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQIz+2YvUOQXQMM lvk9SGwHxLrMZzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggr BgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAi BggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzAYBgNVHREEETAPgg1z c2wtdG9vbHMubmV0MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIE AgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4AAAGR ++E2+wAABAMARzBFAiAndRz0BOt7p6ZPW0LM70zHu0hIsO0FzjSrL566uNLIuQIh AL0VFL/qfax8P3qWTaXqlrETL6Ro4bDF1BMtZbLhF83nAHcA3+FW66oFr7WcD4Zx jajAMk6uVtlup/WlagHRwTu+UlwAAAGR++E3xQAABAMASDBGAiEA9kbdYv9Jf+Lt hE8I2IsYaW0cyTO1KP6Of8IFBn2y/W0CIQCaNM1+tvQ5eYKE3GN0Ln0IYZniWaH5 v7OhnxzdTgm+0jAKBggqhkjOPQQDAwNoADBlAjEAtffvHcb5z4g2MxxdD6aAK7M5 Nfdy0SeeGAgyzsxolMyyFwkMtmLi0svYVvBYznR1AjB1STPF0cvcy8S5CfEbt/sR 0L59P09hLMTvqV2xqumaXo5Upd6JbaF0oLaD8wXpGl0= -----END CERTIFICATE----- subject=CN = ssl-tools.net issuer=C = US, O = Let's Encrypt, CN = E6 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2371 bytes and written 379 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: BC6467F92591807810680DA798C335BDE23409C87BB0A5BC3F2A07F8AD2557B8 Session-ID-ctx: Resumption PSK: 285BC2D246C8D2026C71B0ADBAC8F93AC7287A44580AECE5B06881AAC701C037 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: 0000 - 4b ef 37 0e 69 7d 6e f9-2f 15 51 e1 2b 1a 22 78 K.7.i}n./.Q.+."x 0010 - e1 ba 22 dd 99 ed 6a eb-c5 b1 8e 06 3c 63 65 fb .."...j.....<ce. 0020 - a3 a8 14 63 0f bf 43 f2-7a fb c4 cd 3f 3d 7b a0 ...c..C.z...?={. 0030 - 73 cc b0 d1 1d a6 35 30-b9 51 48 1a e8 d5 45 67 s.....50.QH...Eg 0040 - 9a c1 cf bf f3 1b 77 62-e0 91 0e a0 68 3d 5f 7d ......wb....h=_} 0050 - ae 3f d5 1e 58 3c 24 b2-bd 44 4d 22 41 c7 37 b5 .?..X<$..DM"A.7. 0060 - 6b 64 9a dd 72 c2 85 d1-f4 kd..r.... Start Time: 1730967208 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCKI guess that the error has to do with https://wiki.openssl.org/index.php/TLS1.3 support was introduced in openssl 1.1.1 and servers which don't allow to downgrade to TLS 1.2 / 1.1 will simply fail in opensll 1.0.2 with the above error line.
As per TLS 1.3: The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration, that looks like the root problem if servers enforce this then openssl 1.0.2 will fail to establish a connection at all.
The next option would be to manually build openssl 1.1.1 in XCP 8.2.1 itself, @olivierlambert could you please test if this steps will work and not break an existing XCP installation ?
# uninstall - this may uninstall xcp-ng-deps as well, don't know if this has breaking impact to XCP yum remove opensll # Install required packages yum install -y make gcc perl-core pcre-devel wget zlib-devel # Download the latest version of OpenSSL source code wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz # Configure, build and install OpenSSL Uncompress the source file tar -xzvf openssl-1.1.1k.tar.gz # Change to the OpenSSL directory cd openssl-1.1.1k # Configure the package for compilation ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic # Compile package make # Test compiled package make test # Install compiled package make install # Export library path Create environment variable file vim /etc/profile.d/openssl.sh # Add the following content export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64 # Load the environment variable source /etc/profile.d/openssl.sh # Verify the OpenSSL version openssl versionThis two blogs shows how to build openssl 1.1.1 in CentOS 7 manually, i havn't tried them yet in an existing XCP installation:
Blog 1: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c
Blog 2: https://computingforgeeks.com/how-to-install-openssl-1-1-on-centos-rhel-7/?utm_content=cmp-trueHope it will work
Best regards
User -
Ping @stormi
-
CCing @bleader too.
@sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:
Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:
The second option. And actually it's not openssl you're looking for, it's openssl-libs, and removing it will not even work, as it attempts to remove
yumandsystemdwhich depend on it and are protected.Note that we do offer openssl 1.1.1 through the xs-openssl-libs package, and that is what XAPI uses for communication instead of the system one. However you'd have to patch and rebuild curl or wget so that they use it, and this definitely voids your warranty.
You are going on a journey that is far more difficult than you initially expected, I fear. So I'd start questioning the initial needs again.
- Why do you need to contact websites such as ssl-tools.net from dom0?
- Can't you do it from a VM?
