From: Gustaf N. <ne...@wu...> - 2022-11-08 05:37:50
From your original mail, I got the impression that you had no "issues" with NaviServer either, but you are wondering why OpenSSL 3.* is not "picked up automatically" and still linked against OpenSSL 1.*.

Since there are many differences between OpenSSL 1.* and 3.* [1], many distributors do not replace the 1.* version upon installation of OpenSSL 3.*, but they install it side by side, simply to avoid problems (there are many API changes, see e.g. [2,3]). So, not all software compiled against the include files of OpenSSL 1.* will work out of the box with OpenSSL 3.*.

Coming to my questions of the last mail:

- against which library is your nsd linked?
- have you reconfigured and recompiled naviserver?

let me know, if I can be of any further help.

-g

[1] https://www.openssl.org/docs/man3.0/man7/migration_guide.html
[2] https://packages.debian.org/bullseye/amd64/libssl1.1/filelist
[3] https://packages.debian.org/bookworm/amd64/libssl3/filelist

On 07.11.22 14:52, THORPE MAYES via naviserver-devel wrote:
> Hi Gustaf,
>
> Thank you for your response and the information.
>
> I did not have any issues with previous OpenSSL updates, although I
> had not installed 3.x versions.
>
> Best regards.
>
> Thorpe
>
> Thorpe Mayes
> (512) 394-8766
>
>> On 6 Nov 2022, at 11:34, Gustaf Neumann <ne...@wu...> wrote:
>> Dear Thorpe,
>>
>> it looks like you have now two versions of openssl installed on your
>> system, since the output "1.0.2k-fips" comes straight from the
>> library. So, if you see this string, the library is still there.
>>
>> One can check the version used during linkage via
>>
>>    ldd /usr/local/ns/bin/nsd
>>
>> When upgrading to OpenSSL 3.*, it is recommended to recompile NaviServer
>> (make clean, configure ..., make, make install) such that NaviServer
>> can use the newer library calls. When the path to the openssl library
>> is not specified explicitly, configure uses "pkg-config --libs openssl"
>> to determine the path to the library.
>>
>> all the best
>>
>> -g
>>
>> PS Btw, OpenACS.org runs with OpenSSL 3.2.0-dev
>>
>> On 06.11.22 13:47, THORPE MAYES via naviserver-devel wrote:
>>> Hi,
>>>
>>> I updated OpenSSL on my server to version 3.0.7.
>>>
>>> Prior to updating, openssl version -a showed:
>>>
>>> OpenSSL 1.0.2k-fips 26 Jan 2017
>>> built on: reproducible build, date unspecified
>>> platform: linux-x86_64
>>> options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
>>> idea(int) blowfish(idx)
>>> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB
>>> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
>>> -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
>>> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
>>> -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack
>>> -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
>>> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM
>>> -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
>>> -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
>>> OPENSSLDIR: "/etc/pki/tls"
>>> engines: rdrand dynamic
>>>
>>> After updating, openssl version -a showed:
>>>
>>> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
>>> built on: Sat Nov 5 14:56:48 2022 UTC
>>> platform: linux-x86_64
>>> options: bn(64,64)
>>> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3
>>> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC
>>> -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG
>>> OPENSSLDIR: "/etc/ssl"
>>> ENGINESDIR: "/etc/ssl/lib64/engines-3"
>>> MODULESDIR: "/etc/ssl/lib64/ossl-modules"
>>> Seeding source: os-specific
>>> CPUINFO: OPENSSL_ia32cap=0xfffa3203478bffff:0x7a9
>>>
>>> When I restart naviserver I see this in the log file:
>>>
>>> Notice: OpenSSL OpenSSL 1.0.2k-fips 26 Jan 2017 initialized
>>>
>>> That is the previous version of OpenSSL on the server.
>>>
>>> What do I need to change in order for naviserver to use the current
>>> version of OpenSSL? Or, does it matter?
>>>
>>> When I updated to naviserver version 4.99.24 my configuration was:
>>> ./configure --prefix=/usr/local/ns --with-tcl=/usr/local/ns/lib
>>> --enable-symbols
>>>
>>> Thorpe
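
Added example, not part of the thread and not NaviServer project code: a small shell check that reads the output of the `ldd` command mentioned above and reports which OpenSSL generation a binary is actually linked against. The function names and the sample `ldd` output are constructed for illustration, and it assumes OpenSSL 3.x libraries carry the soname suffix `.so.3` (as in the libssl3 file list [3]).

```shell
#!/bin/sh
# Added example (not from the thread): classify the OpenSSL libraries a binary
# is linked against, reading `ldd` output on stdin.
# Real use:  ldd /usr/local/ns/bin/nsd | classify_ssl_linkage
# Compare with what configure will pick up:  pkg-config --libs openssl

classify_ssl_linkage() {
    awk '
    $1 ~ /^lib(ssl|crypto)\.so/ {
        found = 1
        # ldd prints "soname => path (addr)" or "soname => not found"
        path = ($3 == "not") ? "NOT-FOUND" : $3
        # Assumption: OpenSSL 3.x installs libssl.so.3 / libcrypto.so.3;
        # any other soname suffix is treated as a pre-3 library.
        gen = ($1 ~ /\.so\.3$/) ? "openssl3" : "pre-openssl3"
        print gen, $1, path
    }
    END { if (!found) print "none - -" }'
}

# Exit status 0 when at least one linked OpenSSL library predates 3.x,
# i.e. the binary still has to be reconfigured and recompiled.
needs_rebuild() {
    classify_ssl_linkage | grep -q '^pre-openssl3 '
}

# Constructed ldd output: binary still linked against the old 1.0.x library.
SAMPLE_OLD=' linux-vdso.so.1 =>  (0x00007ffd1a5f2000)
 libssl.so.10 => /lib64/libssl.so.10 (0x00007f3c1b2a0000)
 libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3c1ae3d000)
 libc.so.6 => /lib64/libc.so.6 (0x00007f3c1a6f5000)'

# Constructed ldd output: rebuilt binary, but libcrypto is not on the loader path.
SAMPLE_NEW=' libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f8a2c400000)
 libcrypto.so.3 => not found
 libc.so.6 => /lib64/libc.so.6 (0x00007f8a2be00000)'

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    printf '%s\n' "$sample" | classify_ssl_linkage
    if printf '%s\n' "$sample" | needs_rebuild; then
        echo "=> recompile needed"
    else
        echo "=> no pre-3 OpenSSL linked"
    fi
done
```

A `NOT-FOUND` path in the report means the binary was built against the new library but the runtime loader cannot locate it, which is a separate problem from linking against the old one.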