RedHat 8.6 libk5crypto.so.3 misses symbol EVP_KDF with openssl 1.1.1l

Tue Nov 8 07:51:32 UTC 2022

El día martes, noviembre 08, 2022 a las 08:26:54a. m. +0100, Tomas Mraz escribió:

> Hi,
> 
> Red Hat patches its OpenSSL implementation with some additional API
> calls. That means you cannot use builds from an unpatched upstream
> OpenSSL tarball in place of the system libcrypto and libssl libraries.
> 
> The proper way is to always obtain updated system packages from your
> vendor, i.e., Red Hat. Otherwise you would have to try to update the
> source rpm package from RHEL with new openssl version keeping the
> patches that Red Hat adds to it. That is definitely not a trivial
> endeavour.
> 
> If, for some reason, you need newer OpenSSL package for some particular
> application that you install to the system, it should be possible to
> keep the system openssl package untouched, install the upstream OpenSSL
> package somewhere into /opt or /usr/local, and link that application
> against this installation of OpenSSL.
> 
> The primary question to ask is - why do you need to install
> openssl 1.1.1l on RHEL-8.6?
> 
> Tomas Mraz, OpenSSL

Thanks for your answer and explanation. We updated all our server on SuSE
Linux SLES and RedHat to openssl 1.1.1l due to an announced security problem (do
not remember the CVE, perhaps you will know better). The RH 8.6 server
has:

# /usr/bin/openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

we use:

# /usr/local/sisis-pap/bin/openssl version
OpenSSL 1.1.1l  24 Aug 2021

and have linked all our application servers agains this version.

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20221108/acbb1c79/attachment.sig>