Question about Open SSL 1.0.2 series compatibility
Fox, Shawn D (US)
shawn.fox at baesystems.com
Thu Dec 7 00:33:43 UTC 2023
I'm supporting a project that has been using the openssl 1.0.0 series built for RHEL7 for some time now. OpenSSL 1.1.1 has breaking API changes, so I've built OpenSSL 1.0.2u for starters in order to upgrade to that version first, but I am building for both RHEL7 and RHEL8. I have a couple of questions that I haven't found answers for searching the web yet.
Is OpenSSL 1.0.2 compatible with native apps built for RHEL8? Although it might not be ideal can it work on RHEL8? I've built it on RHEL8 and I have used the openssl binary to read some cert files with the x509 sub-command, and it seems to produce the same results on RHEL7 and RHEL8 using the program from within bash shell. That leads me to believe that I should be able to link a native c++ app with openssl 1.0.2u and run that on RHEL8 successfully.
Is OpenSSL 1.1.1 compatible with RHEL7?
I have a particular key file with the sha1WithRSAEncryption signature algorithm which seems to work fine with our test cases on the RHEL7 OS, but when running the same test cases with software built for RHEL8 a segmentation fault is occurring due to a failure to read the certificate and clone the public key. Specifically the PEM_read_X509 function produces significantly different results when called using the library built for RHEL8. Subsequent operations fail to extract the public key out of that certificate which causes a seg fault downstream. However when I run the openssl program, that I have built from source, in a bash shell on RHEL7 and RHEL8 I get reasonable results. Using the same cert file with a command such as "x509 -in test.cer -pubkey" I do see that the public key can be accessed and printed to the screen. From what I can tell the openssl binary seems to run on RHEL7 and RHEL8 and the sub-commands produce reasonable results. However when link a native c++ program to the library on RHEL7 and RHEL8 then I get very different results.
I have also tried disabling optimization when compiling for RHEL8 using GCC12, which did not improve the situation. For some compression libraries that we have built from source for RHEL8 we had to lower or disable optimization options to avoid seg faults. There seems to be some significant differences with optimization using the GCC12 toolset on RHEL8 compared to using an older toolset such as GCC9 on RHEL7. Perhaps someone else in the community has had similar kinds of issues when migrating a native c++ application from RHEL7 to RHEL8 that could provide an idea of what could be wrong. Sorry I don't quite know how to post a reproducible example as we are using openssl underneath of Apache Santuario so it isn't particularly easy to try and build a separate program to reproduce it. I'm just wondering if anyone else working on c++ development has migrated an application from RHEL7 to RHEL8 and overcame similar kinds of issues, and would be open to sharing any relevant experience or lessons learned.
Thanks,
Shawn Fox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231207/492569eb/attachment.htm>
More information about the openssl-users
mailing list