How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dmitry Belyavsky beldmit at gmail.com
Mon Oct 26 14:03:32 UTC 2020


Are the /usr/local/lib64/libssl.so.1.1 and
/usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
If yes, you should try running via gdb to get a backtrace.

On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra <satyam226 at gmail.com> wrote:

> Dear Dmitry,
>
> As suggested i have build the openssl with -ggdb  ( ./config -ggdb
> -enable-weak-ssl-ciphers ) and after building i did make install as well.
>
> The strace output is as below
> ==============================
>
> *strace ./openssl*
>
>
> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0
>
> brk(NULL)                               = 0x1b4f000
>
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f3046813000
>
> access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
> directory)
>
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
>
> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0
>
> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000
>
> close(3)                                = 0
>
> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832)
> = 832
>
> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0
>
> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f3046354000
>
> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0
>
> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000
>
> close(3)                                = 0
>
> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) =
> 832
>
> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0
>
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f3046809000
>
> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f3045e68000
>
> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0
>
> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000
>
> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000
>
> close(3)                                = 0
>
> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
>
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) =
> 832
>
> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0
>
> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f3045c64000
>
> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0
>
> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000
>
> close(3)                                = 0
>
> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
>
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832)
> = 832
>
> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0
>
> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f3045a48000
>
> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0
>
> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000
>
> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000
>
> close(3)                                = 0
>
> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
>
> read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"...,
> 832) = 832
>
> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0
>
> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f304567a000
>
> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0
>
> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000
>
> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000
>
> close(3)                                = 0
>
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f3046808000
>
> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f3046806000
>
> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0
>
> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0
>
> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0
>
> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0
>
> mprotect(0x7f3046322000, 176128, PROT_READ) = 0
>
> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0
>
> mprotect(0x692000, 4096, PROT_READ)     = 0
>
> mprotect(0x7f3046814000, 4096, PROT_READ) = 0
>
> munmap(0x7f304680a000, 35929)           = 0
>
> set_tid_address(0x7f3046806a10)         = 47865
>
> set_robust_list(0x7f3046806a20, 24)     = 0
>
> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[],
> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0
>
> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[],
> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630},
> NULL, 8) = 0
>
> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
>
> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
>
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
>
> +++ killed by SIGSEGV (core dumped) +++
>
> Segmentation fault
>
>
>
> *Thanks*
>
> *Satyam*
>
>
>
> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky <beldmit at gmail.com> wrote:
>
>> Dear Satyam,
>>
>> First of all, I'll suggest checking whether the libcrypto/libssl are
>> those you've built. It can be done, e.g., via running strace.
>>
>> I also suggest building openssl with -ggdb (./config -ggdb should do the
>> trick).
>>
>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra <satyam226 at gmail.com>
>> wrote:
>>
>>> Hi Dmitry,
>>>
>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>> environment variable pointing to freshly built libcrypto/libssl
>>>
>>> I try setting the LD_LIBRARY_PATH but it is still crashing
>>>
>>>       *which openssl*
>>>
>>> *      /usr/local/bin/openssl*
>>>
>>>
>>>       *export LD_LIBRARY_PATH=/usr/local/lib64/*
>>>
>>>
>>>       ls -lhrt
>>>
>>>       total 11M
>>>
>>>       drwxr-xr-x. 2 root root   61 Oct 25 16:27 pkgconfig
>>>
>>>       -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1
>>>
>>>       -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1
>>>
>>>       -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a
>>>
>>>       -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a
>>>
>>>        lrwxrwxrwx. 1 root root   16 Oct 26 12:58 libcrypto.so ->
>>> libcrypto.so.1.1
>>>
>>>        lrwxrwxrwx. 1 root root   13 Oct 26 12:58 libssl.so ->
>>> libssl.so.1.1
>>>
>>>        drwxr-xr-x. 2 root root   39 Oct 26 12:58 engines-1.1
>>>
>>>
>>>
>>>        *openssl ciphers -V*
>>>
>>> *       Segmentation fault*
>>>
>>>
>>> *gdb ./openssl core.3370 *
>>>
>>>
>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7
>>>
>>> Copyright (C) 2013 Free Software Foundation, Inc.
>>>
>>> License GPLv3+: GNU GPL version 3 or later <
>>> http://gnu.org/licenses/gpl.html>
>>>
>>> This is free software: you are free to change and redistribute it.
>>>
>>> There is NO WARRANTY, to the extent permitted by law.  Type "show
>>> copying"
>>>
>>> and "show warranty" for details.
>>>
>>> This GDB was configured as "x86_64-redhat-linux-gnu".
>>>
>>> For bug reporting instructions, please see:
>>>
>>> <http://www.gnu.org/software/gdb/bugs/>...
>>>
>>> Reading symbols from
>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols
>>> found)...done.
>>>
>>> [New LWP 3370]
>>>
>>> [Thread debugging using libthread_db enabled]
>>>
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>
>>> Core was generated by `openssl ciphers -V'.
>>>
>>> Program terminated with signal 11, Segmentation fault.
>>>
>>> #0  0x000000000041c53d in do_body.isra.3 ()
>>>
>>> (gdb) bt
>>>
>>> #0  0x000000000041c53d in do_body.isra.3 ()
>>>
>>> (gdb)
>>>
>>>
>>>
>>>
>>> Thanks
>>>
>>> Satyam
>>>
>>>
>>>
>>>
>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky <beldmit at gmail.com>
>>> wrote:
>>>
>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>>> environment variable pointing to freshly built libcrypto/libssl
>>>>
>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra <satyam226 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Any Suggestions on how this can be done ?
>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers
>>>>> ,* also what is the location of the crash file.
>>>>>
>>>>> Thanks
>>>>> Satyam
>>>>>
>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra <satyam226 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Everyone,
>>>>>>
>>>>>> I have just joined the openssl users community.
>>>>>> My requirement is to have the SSLv3 and weak ciphers enable  with
>>>>>> openssl installation .
>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers
>>>>>> with openssl-1.1.1h installation
>>>>>>
>>>>>> I have followed the below steps
>>>>>>
>>>>>> 1)  *./config -enable-weak-ssl-ciphers*
>>>>>>
>>>>>>
>>>>>> *2) The Makefile looks as below*
>>>>>>
>>>>>> *===============================*
>>>>>>
>>>>>>
>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>
>>>>>>
>>>>>> ##
>>>>>>
>>>>>> ## Makefile for OpenSSL
>>>>>>
>>>>>> ##
>>>>>>
>>>>>> ## WARNING: do not edit!
>>>>>>
>>>>>> ## Generated by Configure from Configurations/common0.tmpl,
>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl
>>>>>>
>>>>>>
>>>>>> PLATFORM=linux-x86_64
>>>>>>
>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++
>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng
>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl
>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan
>>>>>> no-unit-test no-zlib no-zlib-dynamic
>>>>>>
>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers")
>>>>>>
>>>>>> SRCDIR=.
>>>>>>
>>>>>> BLDDIR=.
>>>>>>
>>>>>>
>>>>>> VERSION=1.1.1h
>>>>>>
>>>>>> MAJOR=1
>>>>>>
>>>>>> MINOR=1.1
>>>>>>
>>>>>> SHLIB_VERSION_NUMBER=1.1
>>>>>>
>>>>>> SHLIB_VERSION_HISTORY=
>>>>>>
>>>>>> SHLIB_MAJOR=1
>>>>>>
>>>>>> SHLIB_MINOR=1
>>>>>>
>>>>>> SHLIB_TARGET=linux-shared
>>>>>>
>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER)
>>>>>>
>>>>>> SHLIB_EXT_SIMPLE=.so
>>>>>>
>>>>>> SHLIB_EXT_IMPORT=
>>>>>>
>>>>>>
>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a
>>>>>>
>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)
>>>>>>
>>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)"
>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";"
>>>>>>
>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so
>>>>>> engines/ossltest.so engines/padlock.so
>>>>>>
>>>>>> @
>>>>>>
>>>>>>
>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>
>>>>>>
>>>>>> if i do any openssl operations it gives error ( core dumped )
>>>>>>
>>>>>>
>>>>>>       *./openssl ciphers -V*
>>>>>>
>>>>>> *       Segmentation fault (core dumped)*
>>>>>>
>>>>>>
>>>>>> *Can someone help me in resolving this issue ?*
>>>>>>
>>>>>>
>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers "  *then the
>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Satyam
>>>>>>
>>>>>
>>>>
>>>> --
>>>> SY, Dmitry Belyavsky
>>>>
>>>
>>
>> --
>> SY, Dmitry Belyavsky
>>
>

-- 
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201026/718fa306/attachment-0001.html>


More information about the openssl-users mailing list