Description of problem:
With a fresh install of apache and apache-mod_ssl I got some warnings in the error_log:

Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1m 14 Dec 2021, version currently loaded is OpenSSL 1.1.1l 24 Aug 2021) - may result in undefined or erroneous behavior

There is a difference between mod_ssl and the library.
mod_ssl is compiled against openssl 1.1.1m and the installed openssl is lib64openssl1.1-1.1.1l-1.mga8.
lib64openssl1.1-1.1.1l-1.mga8 is the latest version.

Version-Release number of selected component (if applicable):
apache-mod_ssl-2.4.52-1.mga8
apache-2.4.52-1.mga8

How reproducible:

Steps to Reproduce:
1. install a fresh apache-mod_ssl-2.4.52-1.mga8 and apache-2.4.52-1.mga8
2. start apache (systemctl start apache.service)
3. view the log file /var/log/httpd/error_log
This shouldn't be an issue, but it happened because apache was built against the openssl 1.1.1m update in updates_testing. It's just a bugfix update, but we might as well push it.

libopenssl-devel-1.1.1m-1.mga8
libopenssl-static-devel-1.1.1m-1.mga8
libopenssl1.1-1.1.1m-1.mga8
openssl-1.1.1m-1.mga8
openssl-perl-1.1.1m-1.mga8

from openssl-1.1.1m-1.mga8.src.rpm

References:
https://www.openssl.org/news/cl111.txt
Source RPM: apache-2.4.52-1.mga8.src.rpm => openssl-1.1.1l-1.mga8.src.rpm
Summary: mod_ssl was compiled against a newer library => openssl 1.1.1m
Assignee: bugsquad => qa-bugs
MGA8-64 Plasma on Lenovo B50
No installation issues, omitting the static-devel, that one conflicted with nss-static-devel.

Following wiki:

$ openssl version
OpenSSL 1.1.1m 14 Dec 2021

$ openssl version -a
OpenSSL 1.1.1m 14 Dec 2021
built on: Tue Dec 14 22:41:32 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
and a load more....

$ openssl ciphers -v -tls1
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
etc.....

$ openssl ciphers -v 'HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
.........

$ openssl ciphers -v 'AES+HIGH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
......

$ openssl speed
Doing md2 for 3s on 16 size blocks: 420495 md2's in 2.98s
Doing md2 for 3s on 64 size blocks: 211379 md2's in 2.93s
Doing md2 for 3s on 256 size blocks: 70779 md2's in 2.88s
Doing md2 for 3s on 1024 size blocks: 19389 md2's in 2.88s
Doing md2 for 3s on 8192 size blocks: 2504 md2's in 2.93s
and a lot more....

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 146356 512 bits private RSA's in 9.69s
Doing 512 bits public rsa's for 10s: 2369821 512 bits public RSA's in 9.68s
Doing 1024 bits private rsa's for 10s: 69235 1024 bits private RSA's in 9.68s
Doing 1024 bits public rsa's for 10s: 1045610 1024 bits public RSA's in 9.66s
Doing 2048 bits private rsa's for 10s: 10290 2048 bits private RSA's in 9.57s
Doing 2048 bits public rsa's for 10s: 351822 2048 bits public RSA's in 9.68s
Doing 3072 bits private rsa's for 10s: ^C

[tester8@mach5 ~]$ openssl speed rsa -multi 2
speed: Unknown algorithm -multi

I did go to find what the correct options are here, continuing

$ openssl s_time -connect <mydessktop>:443
Collecting connection statistics for 30 seconds
lots of *** and at the end
3245 connections in 2.68s; 1210.82 connections/user sec, bytes read 0
3245 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
starting
*****.......
3487 connections in 2.62s; 1330.92 connections/user sec, bytes read 0
3487 connections in 31 real seconds, 0 bytes read per connection

Looks all good to me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
openssl-1.1.1m-1.mga8 has been running for two days together with apache-mod_ssl-2.4.52-1.mga8; everything seems to be ok. But I don't know which other applications were compiled against a certain version of openssl.
This is a machine running apache, nextcloud. So in this case I add ssl.

The following 3 packages are going to be installed:
- apache-mod_ssl-2.4.52-1.mga8.i586
- libopenssl1.1-1.1.1m-1.mga8.i586
- openssl-1.1.1m-1.mga8.i586
270KB of additional disk space will be used.

----

This is using a test nextcloud service - I shifted it to https. Here is the log. No errors:

[Thu Jan 06 10:48:02.638502 2022] [ssl:warn] [pid 1343] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 06 10:48:02.667956 2022] [mpm_prefork:notice] [pid 1343] AH00163: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 configured -- resuming normal operations
[Thu Jan 06 10:48:02.668010 2022] [core:notice] [pid 1343] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

This server is short on memory so stopped httpd so I can do this post.

Working for me.
CC: (none) => brtians1
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2022-0003.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update fixed CVE-2021-4160: https://www.openssl.org/news/secadv/20220128.txt Debian has issued an advisory for this on March 15: https://www.debian.org/security/2022/dsa-5103
Summary: openssl 1.1.1m => openssl 1.1.1m (fixes CVE-2021-4160)
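
Added example, not part of the original report or of Mageia's tooling: a shell function that scans Apache error_log text for the mod_ssl warning quoted in the description and reports the OpenSSL version mod_ssl was built against next to the one actually loaded. The function name is hypothetical, and the timestamp and pid on the first sample line are constructed; the message text and the second sample line come from the thread.

```shell
#!/bin/sh
# Reads Apache error_log text on stdin.
# Prints "MISMATCH built=<version> loaded=<version>" for the most recent
# mod_ssl build/runtime warning, or "OK" when no such warning is present.
check_modssl_mismatch() {
    awk '
    /this version of mod_ssl was compiled against a newer library/ {
        # First version follows "(OpenSSL " (9 characters).
        if (match($0, /\(OpenSSL [^ ,)]+/))
            built = substr($0, RSTART + 9, RLENGTH - 9)
        # Second version follows "currently loaded is OpenSSL " (28 characters).
        if (match($0, /currently loaded is OpenSSL [^ ,)]+/))
            loaded = substr($0, RSTART + 28, RLENGTH - 28)
        found = 1
    }
    END {
        if (found) printf "MISMATCH built=%s loaded=%s\n", built, loaded
        else print "OK"
    }'
}

# Constructed sample: the warning text from the report with a made-up
# timestamp and pid in front of it.
SAMPLE_MISMATCH='[Thu Jan 06 10:40:00.000000 2022] [ssl:warn] [pid 1200] Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1m 14 Dec 2021, version currently loaded is OpenSSL 1.1.1l 24 Aug 2021) - may result in undefined or erroneous behavior'

# Startup line posted in the thread after the openssl update was installed.
SAMPLE_CLEAN='[Thu Jan 06 10:48:02.667956 2022] [mpm_prefork:notice] [pid 1343] AH00163: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 configured -- resuming normal operations'

printf '%s\n' "$SAMPLE_MISMATCH" | check_modssl_mismatch
printf '%s\n' "$SAMPLE_CLEAN" | check_modssl_mismatch
```

On a live system the same function can be fed the log directly, e.g. `check_modssl_mismatch < /var/log/httpd/error_log`.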