openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?

sapcode

Dear XCP team,

is it possible to update or manual build openssl 1.1.1 in 8.2.1 ?

1. Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:

Dependencies Resolved
===========================================================================================================================================================================================
 Package                                         Arch                              Version                                           Repository                                       Size
===========================================================================================================================================================================================
Removing:
 openssl                                         x86_64                            1:1.0.2k-26.2.xcpng8.2                            @xcp-ng-testing                                 814 k
Removing for dependencies:
 awscli                                          noarch                            1.23.2-1.el7_9.1                                  @updates                                        9.0 M
 openssl-perl                                    x86_64                            1:1.0.2k-26.2.xcpng8.2                            @xcp-ng-testing                                  28 k
 python2-cryptography                            x86_64                            1.7.2-2.el7                                       @base                                           2.6 M
 xcp-ng-deps                                     noarch                            8.2.0-12                                          @install/$releasever                            0.0

Transaction Summary
===========================================================================================================================================================================================
Remove  1 Package (+4 Dependent packages)
Installed size: 12 M

We found the following manual steps how to build openssl 1.1.1 in CentOS 7 here: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c but can't test it on our server:

# Requirements Upgrade the system
yum -y update

# Install required packages
yum install -y make gcc perl-core pcre-devel wget zlib-devel

# Download the latest version of OpenSSL source code
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

# Configure, build and install OpenSSL Uncompress the source file
tar -xzvf openssl-1.1.1k.tar.gz

# Change to the OpenSSL directory
cd openssl-1.1.1k

# Configure the package for compilation
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

# Compile package
make

# Test compiled package
make test

# Install compiled package
make install

# Export library path Create environment variable file
vim /etc/profile.d/openssl.sh

# Add the following content
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

# Load the environment variable
source /etc/profile.d/openssl.sh

# Verify the OpenSSL version
openssl version

2. Can anyone here perform the test or are there any other possibilities to get openssl 1.1.1 in XCP 8.2.1 ?

Best regards
User

olivierlambert

Hi,

Can you explain what is the functional need first?

Danp

Check out the pending updates that were released earlier today.

sapcode

Hi Oliver,

the issue is when using curl and wget which both uses openssl (OpenSSL 1.0.2k-fips 26 Jan 2017), in bash scripts some servers are not allowing communication with TLS lower/equal than tls1_2 and the following error is thrown:

openssl s_client -connect ssl-tools.net:443
CONNECTED(00000003)
139843806320528:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769
Secure Renegotiation IS NOT supported

We tested the same call from another linux machine using "OpenSSL 1.1.1t-freebsd 7 Feb 2023" and it worked fine:

openssl s_client -connect ssl-tools.net:443

Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2371 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported

Best regards
User

sapcode

Danp can you please do a quick test on you machine if this will work, after applying the pending updates:

openssl s_client -connect ssl-tools.net:443

olivierlambert

sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

openssl s_client -connect ssl-tools.net:443

# openssl s_client -connect ssl-tools.net:443
CONNECTED(00000003)
140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1730903848
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

sapcode

olivierlambert so you get the same error even after applying the pending updates ?

olivierlambert

I don't know I just made the update and executed the command, up to you to tell me what are you expecting from it

sapcode

olivierlambert this error line from your call shows that the updates are not fixing the issue

140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:

A correct output which you can reproduce with any version openssl higher or equal to 1.1.1 looks like this:

openssl s_client -connect ssl-tools.net:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = ssl-tools.net
verify return:1
---
Certificate chain
 0 s:CN = ssl-tools.net
   i:C = US, O = Let's Encrypt, CN = E6
 1 s:C = US, O = Let's Encrypt, CN = E6
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfDCCAwKgAwIBAgISAwe686407pktUx6L9xPVL1ZsMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNDA5MTYxNjMwMTZaFw0yNDEyMTUxNjMwMTVaMBgxFjAUBgNVBAMTDXNz
bC10b29scy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASX0K6Lk50W7c5e
oInqD7aIThmZDpyP+fK8QSP6/bg77XrN/hxovn+ruTYWpfMiBAp4QI0JZbwYvUWs
0YNrpColo4ICEDCCAgwwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQIz+2YvUOQXQMM
lvk9SGwHxLrMZzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggr
BgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAi
BggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzAYBgNVHREEETAPgg1z
c2wtdG9vbHMubmV0MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIE
AgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4AAAGR
++E2+wAABAMARzBFAiAndRz0BOt7p6ZPW0LM70zHu0hIsO0FzjSrL566uNLIuQIh
AL0VFL/qfax8P3qWTaXqlrETL6Ro4bDF1BMtZbLhF83nAHcA3+FW66oFr7WcD4Zx
jajAMk6uVtlup/WlagHRwTu+UlwAAAGR++E3xQAABAMASDBGAiEA9kbdYv9Jf+Lt
hE8I2IsYaW0cyTO1KP6Of8IFBn2y/W0CIQCaNM1+tvQ5eYKE3GN0Ln0IYZniWaH5
v7OhnxzdTgm+0jAKBggqhkjOPQQDAwNoADBlAjEAtffvHcb5z4g2MxxdD6aAK7M5
Nfdy0SeeGAgyzsxolMyyFwkMtmLi0svYVvBYznR1AjB1STPF0cvcy8S5CfEbt/sR
0L59P09hLMTvqV2xqumaXo5Upd6JbaF0oLaD8wXpGl0=
-----END CERTIFICATE-----
subject=CN = ssl-tools.net
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2371 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: BC6467F92591807810680DA798C335BDE23409C87BB0A5BC3F2A07F8AD2557B8
    Session-ID-ctx:
    Resumption PSK: 285BC2D246C8D2026C71B0ADBAC8F93AC7287A44580AECE5B06881AAC701C037
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 4b ef 37 0e 69 7d 6e f9-2f 15 51 e1 2b 1a 22 78   K.7.i}n./.Q.+."x
    0010 - e1 ba 22 dd 99 ed 6a eb-c5 b1 8e 06 3c 63 65 fb   .."...j.....<ce.
    0020 - a3 a8 14 63 0f bf 43 f2-7a fb c4 cd 3f 3d 7b a0   ...c..C.z...?={.
    0030 - 73 cc b0 d1 1d a6 35 30-b9 51 48 1a e8 d5 45 67   s.....50.QH...Eg
    0040 - 9a c1 cf bf f3 1b 77 62-e0 91 0e a0 68 3d 5f 7d   ......wb....h=_}
    0050 - ae 3f d5 1e 58 3c 24 b2-bd 44 4d 22 41 c7 37 b5   .?..X<$..DM"A.7.
    0060 - 6b 64 9a dd 72 c2 85 d1-f4                        kd..r....

    Start Time: 1730967208
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

I guess that the error has to do with https://wiki.openssl.org/index.php/TLS1.3 support was introduced in openssl 1.1.1 and servers which don't allow to downgrade to TLS 1.2 / 1.1 will simply fail in opensll 1.0.2 with the above error line.

As per TLS 1.3: The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration, that looks like the root problem if servers enforce this then openssl 1.0.2 will fail to establish a connection at all.

The next option would be to manually build openssl 1.1.1 in XCP 8.2.1 itself, olivierlambert could you please test if this steps will work and not break an existing XCP installation ?

# uninstall - this may uninstall xcp-ng-deps as well, don't know if this has breaking impact to XCP
yum remove opensll

# Install required packages
yum install -y make gcc perl-core pcre-devel wget zlib-devel

# Download the latest version of OpenSSL source code
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

# Configure, build and install OpenSSL Uncompress the source file
tar -xzvf openssl-1.1.1k.tar.gz

# Change to the OpenSSL directory
cd openssl-1.1.1k

# Configure the package for compilation
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

# Compile package
make

# Test compiled package
make test

# Install compiled package
make install

# Export library path Create environment variable file
vim /etc/profile.d/openssl.sh

# Add the following content
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

# Load the environment variable
source /etc/profile.d/openssl.sh

# Verify the OpenSSL version
openssl version

This two blogs shows how to build openssl 1.1.1 in CentOS 7 manually, i havn't tried them yet in an existing XCP installation:

Blog 1: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c
Blog 2: https://computingforgeeks.com/how-to-install-openssl-1-1-on-centos-rhel-7/?utm_content=cmp-true

Hope it will work
Best regards
User

olivierlambert

Ping stormi

stormi

CCing bleader too.

sapcode said in openssl 1.1.1 update or manual build in XCP 8.2.1 possible ?:

Would it be safe to run yum remove openssl as the first step or would this break the XCP installation:

The second option. And actually it's not openssl you're looking for, it's openssl-libs, and removing it will not even work, as it attempts to remove yum and systemd which depend on it and are protected.

Note that we do offer openssl 1.1.1 through the xs-openssl-libs package, and that is what XAPI uses for communication instead of the system one. However you'd have to patch and rebuild curl or wget so that they use it, and this definitely voids your warranty.

You are going on a journey that is far more difficult than you initially expected, I fear. So I'd start questioning the initial needs again.

1. Why do you need to contact websites such as ssl-tools.net from dom0?
2. Can't you do it from a VM?