| Summary: | openssl 1.1.1m (fixes CVE-2021-4160) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Dieter Schütze <dieter> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | openssl-1.1.1l-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
Dieter Schütze
2022-01-03 11:41:30 CET
This shouldn't be an issue, but it happened because apache was built against the openssl 1.1.1m update in updates_testing.

It's just a bugfix update, but we might as well push it.

libopenssl-devel-1.1.1m-1.mga8
libopenssl-static-devel-1.1.1m-1.mga8
libopenssl1.1-1.1.1m-1.mga8
openssl-1.1.1m-1.mga8
openssl-perl-1.1.1m-1.mga8

from openssl-1.1.1m-1.mga8.src.rpm

References: https://www.openssl.org/news/cl111.txt

Source RPM: apache-2.4.52-1.mga8.src.rpm => openssl-1.1.1l-1.mga8.src.rpm

MGA8-64 Plasma on Lenovo B50
No installation issues, omitting the static-devel, that one conflicted with nss-static-devel
Following wiki:

```
$ openssl version
OpenSSL 1.1.1m 14 Dec 2021
$ openssl version -a
OpenSSL 1.1.1m 14 Dec 2021
built on: Tue Dec 14 22:41:32 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
and a load more....
$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
etc.....
$ openssl ciphers -v 'HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
.........
$ openssl ciphers -v 'AES+HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
......
$ openssl speed
Doing md2 for 3s on 16 size blocks: 420495 md2's in 2.98s
Doing md2 for 3s on 64 size blocks: 211379 md2's in 2.93s
Doing md2 for 3s on 256 size blocks: 70779 md2's in 2.88s
Doing md2 for 3s on 1024 size blocks: 19389 md2's in 2.88s
Doing md2 for 3s on 8192 size blocks: 2504 md2's in 2.93s
and a lot more....
$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 146356 512 bits private RSA's in 9.69s
Doing 512 bits public rsa's for 10s: 2369821 512 bits public RSA's in 9.68s
Doing 1024 bits private rsa's for 10s: 69235 1024 bits private RSA's in 9.68s
Doing 1024 bits public rsa's for 10s: 1045610 1024 bits public RSA's in 9.66s
Doing 2048 bits private rsa's for 10s: 10290 2048 bits private RSA's in 9.57s
Doing 2048 bits public rsa's for 10s: 351822 2048 bits public RSA's in 9.68s
Doing 3072 bits private rsa's for 10s: ^C
[tester8@mach5 ~]$ openssl speed rsa -multi 2
speed: Unknown algorithm -multi
```

I did go to find what the correct options are here, continuing

```
$ openssl s_time -connect <mydessktop>:443
Collecting connection statistics for 30 seconds
lots of *** and at the end
3245 connections in 2.68s; 1210.82 connections/user sec, bytes read 0
3245 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting *****.......
3487 connections in 2.62s; 1330.92 connections/user sec, bytes read 0
3487 connections in 31 real seconds, 0 bytes read per connection
```

Looks all good to me.

CC: (none) => herman.viaene

openssl-1.1.1m-1.mga8 has been running for two days together with apache-mod_ssl-2.4.52-1.mga8; everything seems to be ok.
But I don't know which other applications were compiled against a certain version of openssl.

This is a machine running apache, nextcloud. So in this case I add ssl.

The following 3 packages are going to be installed:

- apache-mod_ssl-2.4.52-1.mga8.i586
- libopenssl1.1-1.1.1m-1.mga8.i586
- openssl-1.1.1m-1.mga8.i586

270KB of additional disk space will be used.

----

This is using a test nextcloud service - I shifted it to https; here is the log. No errors:

```
[Thu Jan 06 10:48:02.638502 2022] [ssl:warn] [pid 1343] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 06 10:48:02.667956 2022] [mpm_prefork:notice] [pid 1343] AH00163: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 configured -- resuming normal operations
[Thu Jan 06 10:48:02.668010 2022] [core:notice] [pid 1343] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
```

This server is short on memory so stopped httpd so I can do this post.

Working for me.

CC: (none) => brtians1

Validating.

Keywords: (none) => validated_update

Dave Hodgins
2022-01-11 01:45:57 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGAA-2022-0003.html

Status: NEW => RESOLVED

This update fixed CVE-2021-4160:
https://www.openssl.org/news/secadv/20220128.txt

Debian has issued an advisory for this on March 15:
https://www.debian.org/security/2022/dsa-5103

Summary: openssl 1.1.1m => openssl 1.1.1m (fixes CVE-2021-4160)
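
An added example, not part of the bug report or of Mageia's QA procedure: a shell check that extracts the OpenSSL version from `openssl version` output or from an httpd startup banner like the one logged above, and compares it with 1.1.1m, the release this update ships. The function names and the second sample log line are constructed for illustration, and only the 1.1.1 series is judged because that is the only branch the report covers.

```sh
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
MIN_FIXED="1.1.1m"   # release the page says fixes CVE-2021-4160

# Pull the version out of `openssl version` output ("OpenSSL 1.1.1m 14 Dec 2021")
# or an httpd banner ("... OpenSSL/1.1.1m ...").
extract_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*|\1|p' | head -n 1
}

# Print "fixed", "older" or "other-branch" for one version string.
classify_version() {
    v=$1
    base=${v%%[a-z]*}                 # numeric part, e.g. 1.1.1
    letter=${v#"$base"}               # patch letter, e.g. m (empty for 1.1.1)
    min_base=${MIN_FIXED%%[a-z]*}
    min_letter=${MIN_FIXED#"$min_base"}
    if [ "$base" != "$min_base" ]; then
        echo "other-branch"           # the report only covers the 1.1.1 series
        return 0
    fi
    # Patch letters order alphabetically; an empty letter sorts first.
    lowest=$(printf '%s\n%s\n' "$letter" "$min_letter" | LC_ALL=C sort | head -n 1)
    if [ "$lowest" = "$min_letter" ]; then echo "fixed"; else echo "older"; fi
}

# Read log lines on stdin; print "<verdict> <version>" per httpd banner.
check_httpd_banners() {
    while IFS= read -r line; do
        case $line in
            *OpenSSL/*)
                ver=$(extract_openssl_version "$line")
                echo "$(classify_version "$ver") $ver" ;;
        esac
    done
}

# First line is the banner quoted in the report; the second is constructed.
SAMPLE_LOG='[Thu Jan 06 10:48:02.667956 2022] [mpm_prefork:notice] [pid 1343] AH00163: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 configured -- resuming normal operations
[Mon Jan 03 09:00:00.000000 2022] [mpm_prefork:notice] [pid 1200] AH00163: Apache/2.4.52 (Unix) OpenSSL/1.1.1l PHP/8.0.14 configured -- resuming normal operations'

printf '%s\n' "$SAMPLE_LOG" | check_httpd_banners
# On a live system: classify_version "$(extract_openssl_version "$(openssl version)")"
```

The comparison assumes the package version tracks the upstream release, as it does in this update; a distribution that backports fixes without changing the version string needs its advisory or changelog checked instead.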