Re: Compile openssl-1.1.1k on CentOS8

Jan Just Keijser janjust at nikhef.nl
Tue Jun 8 07:35:58 UTC 2021


Hi,

On 07/06/21 20:26, Lothar Belle wrote:
> Hi,
> recently I compiled openssl-1.1.1k on CentOS-8
> but when I am using libcrypto.so.1.1 I get errors like:
>
> libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
>
> Obviously RedHat added additional features into their own libraries,
> but using the same version/naming.
> See https://bugzilla.redhat.com/show_bug.cgi?id=1829790
>
> I tried also to apply the patches, but they don't work with the latest
> source code
>
> https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch
>
> The suggested solution renaming the libraries didn't work for me either.
>
> But we want to use the latest version, including all security fixes,
> therefore I can't use the built-in version.
>
> Has anybody a solution for this?
> Is it planned to implement such features in official OpenSSL in the near future?
>
CentOS 8(.3) uses openssl 1.1.1g *with security backports*. The whole 
idea of an enterprise OS like RHEL 8 is that you fix packages at certain 
version (e.g. kernel 4.18.0, gcc 8.3.1, openssl 1.1.1g) and that those 
versions will remain (mostly) constant throughout the life cycle of the OS.
Redhat backports security fixes from newer releases into this 1.1.1g 
release, thus one can claim that "rhel8 openssl 1.1.1g" is as safe (or 
unsafe) as the stock version of openssl 1.1.1k.

If you don't like this, then switch to a distro that does not use this 
"version pinning" - the downside of that will be that you will be doing 
upgrades very frequently.

As you found out, it is nearly impossible to swap out the existing 
openssl 1.1.1g with a "stock" openssl version, as RedHat/CentOS have 
applied patches to it. My advice would be: don't even try. If you *have 
to* use openssl 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS 
releases). But keep in mind:
- debian 10 uses openssl 1.1.1d
- ubuntu seems to be at openssl 1.1.1j
etc.

HTH,

JJK
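The check that turns the error above into a definite answer, as an added example that is not part of this thread or of any OpenSSL or Red Hat tooling: before dropping a self-built libcrypto.so.1.1 next to the distro one, list every versioned OpenSSL symbol a distro consumer imports (libk5crypto.so.3 in the original report) and confirm the candidate libcrypto defines each one under the same version node. It parses `objdump -T` (binutils) output; the function names are mine, and the three listings embedded below are constructed by hand to mirror the thread's case (EVP_KDF_ctrl@OPENSSL_1_1_1b present in the distro build, absent in a stock build), not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Checks whether a candidate
# libcrypto satisfies all OPENSSL_* versioned imports of a consumer library.
# Real use:  check_consumer /usr/lib64/libk5crypto.so.3 /opt/openssl/lib/libcrypto.so.1.1

# Emit "SYMBOL VERSION" for every symbol in an `objdump -T` listing (stdin)
# that lives in an OPENSSL_* version node.  $1 is UND (imports) or DEF (definitions).
openssl_symbols() {
    awk -v want="$1" '
        /DYNAMIC SYMBOL TABLE/ || NF < 5 { next }
        {
            kind = ($0 ~ /\*UND\*/) ? "UND" : "DEF"
            v = $(NF-1); gsub(/[()]/, "", v)   # hidden version nodes print as (OPENSSL_x)
            if (kind == want && v ~ /^OPENSSL_/) print $NF, v
        }'
}

# $1: objdump -T output of the consumer, $2: objdump -T output of the candidate
# provider.  Prints "OK", or one "MISSING symbol version" line per unsatisfied
# import (then returns 1).
compare_listings() {
    exports=$(openssl_symbols DEF < "$2" | sort -u)
    missing=$(openssl_symbols UND < "$1" | sort -u | while read -r sym ver; do
        printf '%s\n' "$exports" | grep -qxF "$sym $ver" || echo "MISSING $sym $ver"
    done)
    if [ -n "$missing" ]; then printf '%s\n' "$missing"; return 1; fi
    echo OK
}

# Convenience wrapper that runs objdump on two real shared objects.
check_consumer() {
    c=$(mktemp); p=$(mktemp)
    objdump -T "$1" > "$c"; objdump -T "$2" > "$p"
    if compare_listings "$c" "$p"; then rc=0; else rc=1; fi
    rm -f "$c" "$p"; return $rc
}

# Constructed `objdump -T` excerpts (addresses/sizes invented for illustration).
sample_consumer() {            # what the distro libk5crypto.so.3 imports
    cat <<'EOF'
libk5crypto.so.3:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b EVP_KDF_ctrl
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_0  EVP_MD_CTX_new
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5    memcpy
EOF
}
sample_stock_libcrypto() {     # built from upstream source: no EVP_KDF_ctrl
    cat <<'EOF'
libcrypto.so.1.1:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000098a10 g    DF .text  000000000000001c  OPENSSL_1_1_0 EVP_MD_CTX_new
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5   memcpy
EOF
}
sample_rhel_libcrypto() {      # distro build: carries the extra versioned symbol
    cat <<'EOF'
libcrypto.so.1.1:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000098a10 g    DF .text  000000000000001c  OPENSSL_1_1_0  EVP_MD_CTX_new
00000000000c1f40 g    DF .text  0000000000000052  OPENSSL_1_1_1b EVP_KDF_ctrl
EOF
}

demo() {
    c=$(mktemp); s=$(mktemp); r=$(mktemp)
    sample_consumer > "$c"; sample_stock_libcrypto > "$s"; sample_rhel_libcrypto > "$r"
    echo "stock libcrypto:"; compare_listings "$c" "$s" || true
    echo "distro libcrypto:"; compare_listings "$c" "$r" || true
    rm -f "$c" "$s" "$r"
}
demo
```

Run against a real box, the MISSING lines are exactly the symbols the dynamic loader will complain about at first use of the consumer; if the list is non-empty, the stock build cannot stand in for the distro libcrypto, which is the point of the reply above.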



