[openssl-users] no version information available error

Scott Neugroschl scott_n at xypro.com
Fri Feb 12 20:15:15 UTC 2016 

OpenSSH does not work with the FIPS mode of OpenSSL.  This has been discussed both here and on the OpenSSH list.

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of cloud force
Sent: Friday, February 12, 2016 11:44 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] no version information available error

Thanks Jakob for the detailed info.

On Thu, Feb 11, 2016 at 7:50 AM, Jakob Bohm <jb-openssl at wisemo.com<mailto:jb-openssl at wisemo.com>> wrote:
On 10/02/2016 22:46, cloud force wrote:
Hi Everyone,

I installed the FIPS capable openssl library (which was built by myself) on my Ubuntu linux box.

For some reason, I keep running into the following errors whenever I run ssh related command:


    ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version
    information available (required by ssh)


The same error happens when I ran openssl command such as the following:

linux-fips at ubuntu:/usr/local/ssl/lib$ openssl ciphers -v | wc -l
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0)
The Debian-family (includes Ubuntu) standard OpenSSL shared
libraries is built in a special way to include "version tags"
in the resulting .so files, and all the openssl-needing
binaries in Debian/Ubuntu/etc. produce the error message
above if you install copies of those libraries without those
extra "version tags".

There are two alternative ways to solve this:

A) Build your FIPS-cabable OpenSSL (not the FIPScanister)
  with all the extra steps and patches in the Ubuntu OpenSSL
  source package (.dsc etc.), just adding the FIPS canister.
   Note that some of the patches in the source package are
  backports of the security fixes included in the latest
  OpenSSL versions, you'll probably have to figure out the
  details yourself (unless Kurt Roeckz posts a recipe
  somewhere).

B) Patch your FIPS-capable OpenSSL makefile (not the
  FIPScanister makefile) to use a different .so-version, such
  as .so.1.0.2 .  Then your private openssl build will not be
  used by the prepackaged software while software explicitly
  compiled against your locally build OpenSSL will not
  accidentally pick up the standard non-FIPS OpenSSL.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10<tel:%2B45%2031%2013%2016%2010>
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
Thanks,
Rich

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160212/029ecbe5/attachment.html>

More information about the openssl-users mailing list