How to Enable Weak Ciphers OpenSSL 1.1.1h installation
Dmitry Belyavsky
beldmit at gmail.com
Mon Oct 26 14:51:02 UTC 2020
It has nothing to do with the ciphers command...
On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra <satyam226 at gmail.com> wrote:
> Dear Dmitry,
>
> >>Are the /usr/local/lib64/libssl.so.1.1 and
> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
> Yes, they are same
>
> gdb openssl core.50178
>
> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7
>
> Copyright (C) 2013 Free Software Foundation, Inc.
>
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>
>
> This is free software: you are free to change and redistribute it.
>
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>
> and "show warranty" for details.
>
> This GDB was configured as "x86_64-redhat-linux-gnu".
>
> For bug reporting instructions, please see:
>
> <http://www.gnu.org/software/gdb/bugs/>...
>
> Reading symbols from
> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done.
>
> [New LWP 50178]
>
> [Thread debugging using libthread_db enabled]
>
> Using host libthread_db library "/lib64/libthread_db.so.1".
>
> Core was generated by `/usr/local/bin/openssl'.
>
> Program terminated with signal 11, Segmentation fault.
>
> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888,
> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0,
> policy=0xfffa320300000000, serial=0x7ffddd58f693,
>
> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503,
> multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3
> "HISTSIZE=1000",
>
> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22",
> days=140728317048610, batch=-581372099, verbose=-581372056,
> req=0x7ffddd58f77b,
>
> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/",
> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489,
> default_op=-581370182,
>
> ext_copy=-581370137, selfsign=-581370120, db=<optimized out>,
> db=<optimized out>) at apps/ca.c:1410
>
> 1410 row[i] = NULL;
>
>
>
> Thanks
>
> Satyam
>
>
> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky <beldmit at gmail.com> wrote:
>
>> Are the /usr/local/lib64/libssl.so.1.1 and
>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
>> If yes, you should try running via gdb to get a backtrace.
>>
>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra <satyam226 at gmail.com>
>> wrote:
>>
>>> Dear Dmitry,
>>>
>>> As suggested i have build the openssl with -ggdb ( ./config -ggdb
>>> -enable-weak-ssl-ciphers ) and after building i did make install as well.
>>>
>>> The strace output is as below
>>> ==============================
>>>
>>> *strace ./openssl*
>>>
>>>
>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0
>>>
>>> brk(NULL) = 0x1b4f000
>>>
>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>>> = 0x7f3046813000
>>>
>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
>>> directory)
>>>
>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0
>>>
>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000
>>>
>>> close(3) = 0
>>>
>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> read(3,
>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832)
>>> = 832
>>>
>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0
>>>
>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
>>> 0) = 0x7f3046354000
>>>
>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0
>>>
>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000
>>>
>>> close(3) = 0
>>>
>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> read(3,
>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) =
>>> 832
>>>
>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0
>>>
>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>>> = 0x7f3046809000
>>>
>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
>>> 0) = 0x7f3045e68000
>>>
>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0
>>>
>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000
>>>
>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000
>>>
>>> close(3) = 0
>>>
>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> read(3,
>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) =
>>> 832
>>>
>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0
>>>
>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
>>> 0) = 0x7f3045c64000
>>>
>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0
>>>
>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000
>>>
>>> close(3) = 0
>>>
>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> read(3,
>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832)
>>> = 832
>>>
>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0
>>>
>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
>>> 0) = 0x7f3045a48000
>>>
>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0
>>>
>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000
>>>
>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000
>>>
>>> close(3) = 0
>>>
>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
>>>
>>> read(3,
>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) =
>>> 832
>>>
>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0
>>>
>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
>>> 0) = 0x7f304567a000
>>>
>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0
>>>
>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000
>>>
>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE,
>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000
>>>
>>> close(3) = 0
>>>
>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>>> = 0x7f3046808000
>>>
>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>>> = 0x7f3046806000
>>>
>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0
>>>
>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0
>>>
>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0
>>>
>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0
>>>
>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0
>>>
>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0
>>>
>>> mprotect(0x692000, 4096, PROT_READ) = 0
>>>
>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0
>>>
>>> munmap(0x7f304680a000, 35929) = 0
>>>
>>> set_tid_address(0x7f3046806a10) = 47865
>>>
>>> set_robust_list(0x7f3046806a20, 24) = 0
>>>
>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[],
>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0
>>>
>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[],
>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630},
>>> NULL, 8) = 0
>>>
>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
>>>
>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY})
>>> = 0
>>>
>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
>>>
>>> +++ killed by SIGSEGV (core dumped) +++
>>>
>>> Segmentation fault
>>>
>>>
>>>
>>> *Thanks*
>>>
>>> *Satyam*
>>>
>>>
>>>
>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky <beldmit at gmail.com>
>>> wrote:
>>>
>>>> Dear Satyam,
>>>>
>>>> First of all, I'll suggest checking whether the libcrypto/libssl are
>>>> those you've built. It can be done, e.g., via running strace.
>>>>
>>>> I also suggest building openssl with -ggdb (./config -ggdb should do
>>>> the trick).
>>>>
>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra <satyam226 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Dmitry,
>>>>>
>>>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>>>> environment variable pointing to freshly built libcrypto/libssl
>>>>>
>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing
>>>>>
>>>>> *which openssl*
>>>>>
>>>>> * /usr/local/bin/openssl*
>>>>>
>>>>>
>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/*
>>>>>
>>>>>
>>>>> ls -lhrt
>>>>>
>>>>> total 11M
>>>>>
>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig
>>>>>
>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1
>>>>>
>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1
>>>>>
>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a
>>>>>
>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a
>>>>>
>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so ->
>>>>> libcrypto.so.1.1
>>>>>
>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so ->
>>>>> libssl.so.1.1
>>>>>
>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1
>>>>>
>>>>>
>>>>>
>>>>> *openssl ciphers -V*
>>>>>
>>>>> * Segmentation fault*
>>>>>
>>>>>
>>>>> *gdb ./openssl core.3370 *
>>>>>
>>>>>
>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7
>>>>>
>>>>> Copyright (C) 2013 Free Software Foundation, Inc.
>>>>>
>>>>> License GPLv3+: GNU GPL version 3 or later <
>>>>> http://gnu.org/licenses/gpl.html>
>>>>>
>>>>> This is free software: you are free to change and redistribute it.
>>>>>
>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show
>>>>> copying"
>>>>>
>>>>> and "show warranty" for details.
>>>>>
>>>>> This GDB was configured as "x86_64-redhat-linux-gnu".
>>>>>
>>>>> For bug reporting instructions, please see:
>>>>>
>>>>> <http://www.gnu.org/software/gdb/bugs/>...
>>>>>
>>>>> Reading symbols from
>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols
>>>>> found)...done.
>>>>>
>>>>> [New LWP 3370]
>>>>>
>>>>> [Thread debugging using libthread_db enabled]
>>>>>
>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>>
>>>>> Core was generated by `openssl ciphers -V'.
>>>>>
>>>>> Program terminated with signal 11, Segmentation fault.
>>>>>
>>>>> #0 0x000000000041c53d in do_body.isra.3 ()
>>>>>
>>>>> (gdb) bt
>>>>>
>>>>> #0 0x000000000041c53d in do_body.isra.3 ()
>>>>>
>>>>> (gdb)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Satyam
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky <beldmit at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>>>>> environment variable pointing to freshly built libcrypto/libssl
>>>>>>
>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra <satyam226 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Any Suggestions on how this can be done ?
>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers
>>>>>>> ,* also what is the location of the crash file.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Satyam
>>>>>>>
>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra <satyam226 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello Everyone,
>>>>>>>>
>>>>>>>> I have just joined the openssl users community.
>>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with
>>>>>>>> openssl installation .
>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers
>>>>>>>> with openssl-1.1.1h installation
>>>>>>>>
>>>>>>>> I have followed the below steps
>>>>>>>>
>>>>>>>> 1) *./config -enable-weak-ssl-ciphers*
>>>>>>>>
>>>>>>>>
>>>>>>>> *2) The Makefile looks as below*
>>>>>>>>
>>>>>>>> *===============================*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>>
>>>>>>>>
>>>>>>>> ##
>>>>>>>>
>>>>>>>> ## Makefile for OpenSSL
>>>>>>>>
>>>>>>>> ##
>>>>>>>>
>>>>>>>> ## WARNING: do not edit!
>>>>>>>>
>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl,
>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl
>>>>>>>>
>>>>>>>>
>>>>>>>> PLATFORM=linux-x86_64
>>>>>>>>
>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++
>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng
>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl
>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan
>>>>>>>> no-unit-test no-zlib no-zlib-dynamic
>>>>>>>>
>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers")
>>>>>>>>
>>>>>>>> SRCDIR=.
>>>>>>>>
>>>>>>>> BLDDIR=.
>>>>>>>>
>>>>>>>>
>>>>>>>> VERSION=1.1.1h
>>>>>>>>
>>>>>>>> MAJOR=1
>>>>>>>>
>>>>>>>> MINOR=1.1
>>>>>>>>
>>>>>>>> SHLIB_VERSION_NUMBER=1.1
>>>>>>>>
>>>>>>>> SHLIB_VERSION_HISTORY=
>>>>>>>>
>>>>>>>> SHLIB_MAJOR=1
>>>>>>>>
>>>>>>>> SHLIB_MINOR=1
>>>>>>>>
>>>>>>>> SHLIB_TARGET=linux-shared
>>>>>>>>
>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER)
>>>>>>>>
>>>>>>>> SHLIB_EXT_SIMPLE=.so
>>>>>>>>
>>>>>>>> SHLIB_EXT_IMPORT=
>>>>>>>>
>>>>>>>>
>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a
>>>>>>>>
>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)
>>>>>>>>
>>>>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)"
>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";"
>>>>>>>>
>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so
>>>>>>>> engines/ossltest.so engines/padlock.so
>>>>>>>>
>>>>>>>> @
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>>
>>>>>>>>
>>>>>>>> if i do any openssl operations it gives error ( core dumped )
>>>>>>>>
>>>>>>>>
>>>>>>>> *./openssl ciphers -V*
>>>>>>>>
>>>>>>>> * Segmentation fault (core dumped)*
>>>>>>>>
>>>>>>>>
>>>>>>>> *Can someone help me in resolving this issue ?*
>>>>>>>>
>>>>>>>>
>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the
>>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Satyam
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> SY, Dmitry Belyavsky
>>>>>>
>>>>>
>>>>
>>>> --
>>>> SY, Dmitry Belyavsky
>>>>
>>>
>>
>> --
>> SY, Dmitry Belyavsky
>>
>
--
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201026/0cefecec/attachment-0001.html>
More information about the openssl-users
mailing list