How to Enable Weak Ciphers OpenSSL 1.1.1h installation
Satyam Mehrotra
satyam226 at gmail.com
Mon Oct 26 14:18:44 UTC 2020
Dear Dmitry,
>>Are the /usr/local/lib64/libssl.so.1.1 and
/usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
Yes, they are same
gdb openssl core.50178
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from
/home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done.
[New LWP 50178]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/bin/openssl'.
Program terminated with signal 11, Segmentation fault.
#0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, x509=0x7f2bc6a7de80
<_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, policy=0xfffa320300000000,
serial=0x7ffddd58f693,
subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503,
multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3
"HISTSIZE=1000",
enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22",
days=140728317048610, batch=-581372099, verbose=-581372056,
req=0x7ffddd58f77b,
ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/",
lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489,
default_op=-581370182,
ext_copy=-581370137, selfsign=-581370120, db=<optimized out>,
db=<optimized out>) at apps/ca.c:1410
1410 row[i] = NULL;
Thanks
Satyam
On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky <beldmit at gmail.com> wrote:
> Are the /usr/local/lib64/libssl.so.1.1 and
> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
> If yes, you should try running via gdb to get a backtrace.
>
> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra <satyam226 at gmail.com>
> wrote:
>
>> Dear Dmitry,
>>
>> As suggested i have build the openssl with -ggdb ( ./config -ggdb
>> -enable-weak-ssl-ciphers ) and after building i did make install as well.
>>
>> The strace output is as below
>> ==============================
>>
>> *strace ./openssl*
>>
>>
>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0
>>
>> brk(NULL) = 0x1b4f000
>>
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f3046813000
>>
>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
>> directory)
>>
>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
>>
>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0
>>
>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000
>>
>> close(3) = 0
>>
>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>>
>> read(3,
>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832)
>> = 832
>>
>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0
>>
>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7f3046354000
>>
>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0
>>
>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000
>>
>> close(3) = 0
>>
>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
>>
>> read(3,
>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) =
>> 832
>>
>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0
>>
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f3046809000
>>
>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7f3045e68000
>>
>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0
>>
>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000
>>
>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000
>>
>> close(3) = 0
>>
>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
>>
>> read(3,
>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) =
>> 832
>>
>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0
>>
>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7f3045c64000
>>
>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0
>>
>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000
>>
>> close(3) = 0
>>
>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
>>
>> read(3,
>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832)
>> = 832
>>
>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0
>>
>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7f3045a48000
>>
>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0
>>
>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000
>>
>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000
>>
>> close(3) = 0
>>
>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
>>
>> read(3,
>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) =
>> 832
>>
>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0
>>
>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7f304567a000
>>
>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0
>>
>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000
>>
>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE,
>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000
>>
>> close(3) = 0
>>
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f3046808000
>>
>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7f3046806000
>>
>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0
>>
>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0
>>
>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0
>>
>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0
>>
>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0
>>
>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0
>>
>> mprotect(0x692000, 4096, PROT_READ) = 0
>>
>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0
>>
>> munmap(0x7f304680a000, 35929) = 0
>>
>> set_tid_address(0x7f3046806a10) = 47865
>>
>> set_robust_list(0x7f3046806a20, 24) = 0
>>
>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[],
>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0
>>
>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[],
>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630},
>> NULL, 8) = 0
>>
>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
>>
>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) =
>> 0
>>
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
>>
>> +++ killed by SIGSEGV (core dumped) +++
>>
>> Segmentation fault
>>
>>
>>
>> *Thanks*
>>
>> *Satyam*
>>
>>
>>
>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky <beldmit at gmail.com> wrote:
>>
>>> Dear Satyam,
>>>
>>> First of all, I'll suggest checking whether the libcrypto/libssl are
>>> those you've built. It can be done, e.g., via running strace.
>>>
>>> I also suggest building openssl with -ggdb (./config -ggdb should do the
>>> trick).
>>>
>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra <satyam226 at gmail.com>
>>> wrote:
>>>
>>>> Hi Dmitry,
>>>>
>>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>>> environment variable pointing to freshly built libcrypto/libssl
>>>>
>>>> I try setting the LD_LIBRARY_PATH but it is still crashing
>>>>
>>>> *which openssl*
>>>>
>>>> * /usr/local/bin/openssl*
>>>>
>>>>
>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/*
>>>>
>>>>
>>>> ls -lhrt
>>>>
>>>> total 11M
>>>>
>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig
>>>>
>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1
>>>>
>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1
>>>>
>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a
>>>>
>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a
>>>>
>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so ->
>>>> libcrypto.so.1.1
>>>>
>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so ->
>>>> libssl.so.1.1
>>>>
>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1
>>>>
>>>>
>>>>
>>>> *openssl ciphers -V*
>>>>
>>>> * Segmentation fault*
>>>>
>>>>
>>>> *gdb ./openssl core.3370 *
>>>>
>>>>
>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7
>>>>
>>>> Copyright (C) 2013 Free Software Foundation, Inc.
>>>>
>>>> License GPLv3+: GNU GPL version 3 or later <
>>>> http://gnu.org/licenses/gpl.html>
>>>>
>>>> This is free software: you are free to change and redistribute it.
>>>>
>>>> There is NO WARRANTY, to the extent permitted by law. Type "show
>>>> copying"
>>>>
>>>> and "show warranty" for details.
>>>>
>>>> This GDB was configured as "x86_64-redhat-linux-gnu".
>>>>
>>>> For bug reporting instructions, please see:
>>>>
>>>> <http://www.gnu.org/software/gdb/bugs/>...
>>>>
>>>> Reading symbols from
>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols
>>>> found)...done.
>>>>
>>>> [New LWP 3370]
>>>>
>>>> [Thread debugging using libthread_db enabled]
>>>>
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>
>>>> Core was generated by `openssl ciphers -V'.
>>>>
>>>> Program terminated with signal 11, Segmentation fault.
>>>>
>>>> #0 0x000000000041c53d in do_body.isra.3 ()
>>>>
>>>> (gdb) bt
>>>>
>>>> #0 0x000000000041c53d in do_body.isra.3 ()
>>>>
>>>> (gdb)
>>>>
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Satyam
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky <beldmit at gmail.com>
>>>> wrote:
>>>>
>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH
>>>>> environment variable pointing to freshly built libcrypto/libssl
>>>>>
>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra <satyam226 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Any Suggestions on how this can be done ?
>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers
>>>>>> ,* also what is the location of the crash file.
>>>>>>
>>>>>> Thanks
>>>>>> Satyam
>>>>>>
>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra <satyam226 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Everyone,
>>>>>>>
>>>>>>> I have just joined the openssl users community.
>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with
>>>>>>> openssl installation .
>>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers
>>>>>>> with openssl-1.1.1h installation
>>>>>>>
>>>>>>> I have followed the below steps
>>>>>>>
>>>>>>> 1) *./config -enable-weak-ssl-ciphers*
>>>>>>>
>>>>>>>
>>>>>>> *2) The Makefile looks as below*
>>>>>>>
>>>>>>> *===============================*
>>>>>>>
>>>>>>>
>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>
>>>>>>>
>>>>>>> ##
>>>>>>>
>>>>>>> ## Makefile for OpenSSL
>>>>>>>
>>>>>>> ##
>>>>>>>
>>>>>>> ## WARNING: do not edit!
>>>>>>>
>>>>>>> ## Generated by Configure from Configurations/common0.tmpl,
>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl
>>>>>>>
>>>>>>>
>>>>>>> PLATFORM=linux-x86_64
>>>>>>>
>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++
>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng
>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl
>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan
>>>>>>> no-unit-test no-zlib no-zlib-dynamic
>>>>>>>
>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers")
>>>>>>>
>>>>>>> SRCDIR=.
>>>>>>>
>>>>>>> BLDDIR=.
>>>>>>>
>>>>>>>
>>>>>>> VERSION=1.1.1h
>>>>>>>
>>>>>>> MAJOR=1
>>>>>>>
>>>>>>> MINOR=1.1
>>>>>>>
>>>>>>> SHLIB_VERSION_NUMBER=1.1
>>>>>>>
>>>>>>> SHLIB_VERSION_HISTORY=
>>>>>>>
>>>>>>> SHLIB_MAJOR=1
>>>>>>>
>>>>>>> SHLIB_MINOR=1
>>>>>>>
>>>>>>> SHLIB_TARGET=linux-shared
>>>>>>>
>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER)
>>>>>>>
>>>>>>> SHLIB_EXT_SIMPLE=.so
>>>>>>>
>>>>>>> SHLIB_EXT_IMPORT=
>>>>>>>
>>>>>>>
>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a
>>>>>>>
>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)
>>>>>>>
>>>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)"
>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";"
>>>>>>>
>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so
>>>>>>> engines/ossltest.so engines/padlock.so
>>>>>>>
>>>>>>> @
>>>>>>>
>>>>>>>
>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>
>>>>>>>
>>>>>>> if i do any openssl operations it gives error ( core dumped )
>>>>>>>
>>>>>>>
>>>>>>> *./openssl ciphers -V*
>>>>>>>
>>>>>>> * Segmentation fault (core dumped)*
>>>>>>>
>>>>>>>
>>>>>>> *Can someone help me in resolving this issue ?*
>>>>>>>
>>>>>>>
>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the
>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable.
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Satyam
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> SY, Dmitry Belyavsky
>>>>>
>>>>
>>>
>>> --
>>> SY, Dmitry Belyavsky
>>>
>>
>
> --
> SY, Dmitry Belyavsky
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201026/8f36f733/attachment-0001.html>
More information about the openssl-users
mailing list