Re: Upgrading to OpenSSL 1.1.0

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5553 bytes --]

Hi all,
have tried to build IPFire with the new OpenSSL-1.1.0 and have had a couple of other packages (beneath Michaels already announced ones) which did not build properly.

Have had problems with:

1) wget:
openssl.o: In function `ssl_init':
openssl.c:(.text+0x72e): undefined reference to `ENGINE_load_builtin_engines'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:1569: wget] Error 1

there is a patch for OpenSSL-1.1.0 --> https://git.savannah.gnu.org/cgit/wget.git/commit/?h=openssl-1.1 available which do not fixes this problem.

2) openvmtools:
../lib/sslDirect/.libs/libSslDirect.a(libSslDirect_la-sslDirect.o): In function `SSL_Init':
sslDirect.c:(.text+0x25e): undefined reference to `ENGINE_register_all_ciphers'
sslDirect.c:(.text+0x263): undefined reference to `ENGINE_register_all_digests'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:548: libvmtools.la] Error 1
make[2]: Leaving directory '/usr/src/open-vm-tools-10.0.5-3227872/libvmtools'
make[1]: *** [Makefile:505: all-recursive] Error 1
make[1]: Leaving directory '/usr/src/open-vm-tools-10.0.5-3227872'
make: *** [openvmtools:85: /usr/src/log/open-vm-tools-10.0.5-3227872] Error 2

3) Asterisk:
which pointed Michael already out.


4) crda:
Also with the new 3.18 version --> http://drvbp1.linux-foundation.org/~mcgrof/rel-html/crda/ the building process do not work.
make[1]: Entering directory '/usr/src/crda-3.13'
  GEN  keys-gcrypt.c
  Trusted pubkeys: pubkeys/linville.key.pub.pem
ERROR: Failed to import the "M2Crypto" module: No module named _m2crypto
Please install the "M2Crypto" Python module.
On Debian GNU/Linux the package is called "python-m2crypto".
make[1]: *** [Makefile:114: keys-gcrypt.c] Error 1
make[1]: Leaving directory '/usr/src/crda-3.13'
make: *** [crda:75: /usr/src/log/crda-3.13] Error 2

whereby python-m2crypt is presant also a newer M2Crypto version do not solves this.

5) tor:
src/common/crypto.c:3435:3: warning: nested extern declaration of 'ENGINE_cleanup' [-Wnested-externs]
make[2]: *** [Makefile:5213: src/common/crypto.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/usr/src/tor-0.3.1.7'
make[1]: *** [Makefile:3106: all] Error 2
make[1]: Leaving directory '/usr/src/tor-0.3.1.7'
make: *** [tor:81: /usr/src/log/tor-0.3.1.7] Error 2

also updates to 0.3.1.9 but also 0.3.2.6_alpha do not solves this issue.

6) freeradius:
build/objs/src/main/tls.o: In function `tls_global_cleanup':
tls.c:(.text+0x4670): undefined reference to `ENGINE_cleanup'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/boiler.mk:629: build/bin/local/radiusd] Error 1
make[1]: *** Waiting for unfinished jobs....
build/objs/src/main/tls.o: In function `tls_global_cleanup':
tls.c:(.text+0x4670): undefined reference to `ENGINE_cleanup'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/boiler.mk:630: build/bin/radiusd] Error 1
make[1]: Leaving directory '/usr/src/freeradius-server-3.0.14'
make: *** [freeradius:81: /usr/src/log/freeradius-server-3.0.14] Error 2

Tried to find all packages which do not build with the new OpenSSL version, since i haven´t found fixes (fast search around) i commented them to get a full picture of what works and what not.

Some ROOTFILES seems to be also problematic.


It was possible to build:

1) php-7.2.0
but haven´t test it yet.

2) OpenVPN-2.4.4

But an installation of the ISO is currently not possible cause a problem with the language cache "der sprachdateizwischenspeicher konnte nicht erstellt werden" . So i currently stuck here (make nevertheless currently again a clean build).


Some news from here.

Greetings,

Erik


Am 29.11.2017 um 14:12 schrieb Michael Tremer:

> Hello,
> 
> I have started working on upgrading the entire distribution to OpenSSL 1.1.0.
> This is however not the easiest task since many packages are just incompatible
> with the API changes of OpenSSL.
> 
> Therefore, I started this in an own branch, upgraded all sorts of packages that
> won't build and patched those who could be patched. However, this is still quite
> chaotic and I need some help of the maintainers of some of the packages to do
> this for their own packages.
> 
> I have already dropped some packages in this process that a) were incompatible
> with OpenSSL 1.1.0, b) where no patches were available and c) that are not
> maintained upstream any longer. I also cherry-picked those commits to the
> current next tree. If someone disagrees, please open a separate discussion.
> 
> The packages dropped are:
> 
> * Pound
> * vsftp
> * sslscan
> 
> Packages which currently don't build and I could not patch very easily:
> 
> * php
> * asterisk
> * openvpn
> 
> I suppose Erik is best to upgrade to openvpn 2.4, Dirk upgrades asterisk and I
> am quite sure that there is a few people out there who have been working on php.
> Please raise your hands.
> 
> I would like to have the openssl 1.1 branch ready for merge into next at the end
> of December. Please make sure that any patches have been submitted until then.
> 
> Please work on top of this branch:
> 
>  https://git.ipfire.org/pub/git/people/ms/ipfire-2.x.git openssl-11
> 
>  https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/openssl-11
> 
> Please also submit improvements of other packages that we can make sure of (i.e.
> better cipher suites for Apache, etc.)...
> 
> Best,
> -Michael