Compile openssl-1.1.1k on CentOS8

Hubert Kario hkario at redhat.com
Tue Jun 8 12:05:18 UTC 2021


On Monday, 7 June 2021 20:26:28 CEST, Lothar Belle wrote:
> Hi,
> recently I compiled openssl-1.1.1k on CentOS-8
> but when I am using libcrypto.so.1.1 I get errors like:
>
> libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
>
> Obviously RedHat added additional features into their own libraries,
> but using the same version/naming.
> See https://bugzilla.redhat.com/show_bug.cgi?id=1829790
>
> I tried also to apply the patches, but they don't work with the latest
> source code
>
> https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch
>
> The suggested solution renaming the libraries didn't work either for me.
>
> But we want to use the latest version, including all security fixes,
> therefore I can't use the built-in version.

Please note that packages in RHEL, and thus, later, in CentOS, include
security fixes: https://access.redhat.com/security/updates/backporting
even if their package version is older than the newest upstream release.

But that's not the only reason why those packages have additional patches,
they also have them to better integrate with the rest of the system:
https://access.redhat.com/articles/3655361
or integrate with features like system-wide crypto policies:
https://access.redhat.com/articles/3666211
or, as in the case of the openssl-1.1.1-evp-kdf.patch, to provide features
from newer releases (like 3.0.0) in an older ABI release.

So I'd strongly suggest against replacing the .so files of any low-level
library, in any distribution, not just RHEL or CentOS.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
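
Added example, not part of the original messages and not Red Hat or OpenSSL tooling: a pre-flight check for the "undefined symbol ... version OPENSSL_1_1_1b" failure quoted above, listing the versioned symbols a system library imports that a candidate libcrypto build does not export. The helper names and the sample readelf lines are constructed for illustration; only the symbol and version in the error come from the thread.

```sh
#!/bin/sh
# Added example: which versioned symbols does a consumer library import that a
# candidate libcrypto build does not export? Helper names are hypothetical.

# dump_syms FILE: untruncated dynamic symbol table (binutils readelf), e.g.
#   dump_syms /path/to/libk5crypto.so.3 > consumer.txt
dump_syms() { readelf --dyn-syms -W "$1"; }

# missing_symbols CONSUMER_DUMP PROVIDER_DUMP VERSION_PREFIX
# Columns are: Num Value Size Type Bind Vis Ndx Name. Imports have Ndx "UND"
# and Name "sym@VER"; exports have a section index and "sym@@VER" or "sym@VER".
missing_symbols() {
  awk -v want="@$3" '
    $8 !~ /@/ { next }                      # header or unversioned symbol
    FILENAME == ARGV[1] {                   # provider dump: record exports
      if ($7 != "UND") { s = $8; sub(/@@/, "@", s); have[s] = 1 }
      next
    }
    $7 == "UND" && index($8, want) && !($8 in have) { print $8 }
  ' "$2" "$1" | sort -u
}

# Constructed sample dumps (not captured from a real system) that mirror the
# error quoted in the thread.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/consumer.txt" <<'EOF'
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_KDF_ctrl@OPENSSL_1_1_1b (5)
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_MD_CTX_new@OPENSSL_1_1_0 (6)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
  cat > "$dir/provider.txt" <<'EOF'
   101: 00000000001a2b30   120 FUNC    GLOBAL DEFAULT   13 EVP_MD_CTX_new@@OPENSSL_1_1_0
EOF
  missing_symbols "$dir/consumer.txt" "$dir/provider.txt" OPENSSL_
  rm -rf "$dir"
}

demo   # prints EVP_KDF_ctrl@OPENSSL_1_1_1b
```

Run against real dumps of the distribution's libraries and a private build, any line of output names an import that the private build cannot satisfy, which is a reason to install that build under its own prefix rather than over the system .so files.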



More information about the openssl-users mailing list