Upgrading OpenSSL 0.9.8r in S*M*S 1.6.0 [Solved!]
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

Posted: Sun Jun 29, 2014 7:13 pm    Post subject: Upgrading OpenSSL 0.9.8r in S*M*S 1.6.0 [Solved!]

Hi again!

I've just successfully upgraded tor (and libevent) to the latest stable versions using src.

Do you think it would be possible to upgrade OpenSSL from 0.9.8.r (the default version in SMS-1.6.0) to openssl-1.0.1h?
Are there more packages to OpenSSL that are needed?
Or are there any applications, for example Apache or vsftpd, that depend on that 0.9.8.r version?

Best regards

Lars


Last edited by Lars on Wed Sep 10, 2014 8:50 pm; edited 1 time in total

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Tue Jul 01, 2014 12:15 pm

An additional question:
To make a reset possible I copied openssl-0.9.8r-i486-3.txz from the S*M*S-CD.
But in directory a/ I found openssl-solibs-0.9.8r-i486-3.txt and *.txz.asc, no package.
But I could not see that openssl-solibs is installed on my server.

Is openssl-solibs-0.9.8r-i486-3 necessary?

Regards
Lars

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Tue Jul 01, 2014 4:24 pm

I'll try later today to do a test on sms-1.6.0 and let you know about the latest openssl package, although the openssl-1.0.1h package includes 0.9.8za, so you probably won't have any issues...

openssl-solibs contains the libs only, in case you want a minimal install; the solibs package might be missing in 1.6.0 (due to a mistake), but openssl in slackware/n is the full package...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Tue Jul 01, 2014 6:20 pm

Very kind of you gerasimos_h!!
If you've got the time?

I also thought about some possible issues:
remaking the certificates for httpd and vsftpd
the encrypted passwords in /var/www/secure/.htpasswd
Not to mention all system user passwords, root for instance
Will they be decryptable with another version of openssl?

Lars

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Tue Jul 01, 2014 10:55 pm

Upgrading openssl-1.0.1h works on vanilla installation of SMS-1.6.0, this is due to 0.9.8za though included in openssl package. rather than 1.0.1h...

Glibc in 1.6.0 is 2.13 but doesn't affect openssl, but might affect other server packages if you choose a partial upgrade or their dependencies...

To reissue the certificate or not, it's up to you. You don't have to make any changes to encrypted passwords, as the system uses md5 or ssha passwords; they don't use openssl.
Generally they will all work as they are now...

gerasimos_h

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Wed Jul 02, 2014 12:09 pm

Thank you very much indeed gerasimos!!

Though you've already spent so much time with my question, can I ask you about some things I do not quite understand in your answer?

Yes, I've got an almost vanilla installation, the only divergences are the KDE-desktop and devel packages (you helped me with both).

1. You said that openssl-1.0.1h package includes 0.9.8za? And in your last reply: this is due to 0.9.8za though included in openssl package. rather than 1.0.1h.
What does that mean? Are you referring to 0.9.8za openssllibs (I read something about that). Or do you mean that openssl-1.0.1h and my old -0.9.8r have this(?) in common?

Thank you for sorting the system user pwd question out to me! I didn't know.

2. OpenSSL and glibc: I wasn't aware of that relation, that's one of the reasons I asked.
As you say I've got glibc-2.13 and further gcc-4.5.2-packages installed. Having read your answer I made a quick search and found these:
http://superuser.com/questions/643649/compile-with-openssl-1-0-1e-but-linked-against-old-glibc
http://superuser.com/questions/343517/suse-10-3-wont-do-anything-after-openssl-upgrade-lib64-libc-so-6-version-gl?rq=1
-Do you think I can meet some problems trying to compile anything due to openssl-1.0.1h requiring a higher version of glibc or gcc?
I'm not aware of having compiled anything with openssl. Of course openssl might have been involved without my knowledge? The only things related to openssl I've done is generating httpd and vsftpd certificates and letting my tor node use it.
(My tor-node was my only reason for asking this openssl upgrade question, since my openssl-0.9.8r was not affected by the Heartbleed vulnerability. At least as far as I could find out.)

Best regards

Lars

PS. By now you've through these 3 years helped me so much with my "old" 1.6.0 so I think the least I can do is to send you some economic support (not one large, that I can't afford, but a smaller, on regular basis) DS.

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Wed Jul 02, 2014 4:39 pm

Openssl-1.0.1 includes solibs from 0.9.8 too; every time I build 1.0.1 it rebuilds/builds 0.9.8 too and adds them to the package for backward compatibility with older apps...
I was able not only to run but to connect through openssl to dovecot, so no problem...
I even upgraded dovecot and postfix along with mysql, pcre from SMS-Current and have no issues actually using openssl, even with glibc mismatch...

You can test in VirtualBox before doing anything final by downloading
http://sms.it-ccs.com/isos/Testing/Virtualbox/SMS-1.6.0RC1%20Virtualbox%204.0.4/SMS-1.6.0.ova
That's what I did too anyway, and see what's running what's not...

Was tor built from source, or was it the static binary that the tor site provides?

If you are building packages from sources, the best solution is to build openssl-1.0.1h yourself too...

gerasimos_h

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Wed Jul 02, 2014 6:59 pm

Well thank you again gerasimos!! You've been marvellously helpful.

I'll try your 1.6.0.ova out in my Virtualbox.

Besides, I copied out openssl-0.9.8r-i486-3.txz from the S*M*S-1.6.0-CD and could do a downgrade if anything I didn't think of trying in your VM should make a major problem.

I've always built my tor-libevent upgrades from sources from the tor-project repo.

I'll keep your remark on building openssl-1.0.1h from source too. But to avoid the glibc mismatch I guess I would also have to build an upgraded glibc and gcc too, and going that far I think I would rather upgrade my SMS.

Perhaps I have already said that my reason for not upgrading my SMS is that I'm very pleased with it, as it is.
It's not the SMS installation or configuration that makes me hesitate! So far it was fairly simple. -But since then I've built and installed so much extra facilities and functionality. And that part took me about 1½ years to get ready and working. -I would rather not go through that again, at least not in the nearest future.

Again, many many thanks!

Lars

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Wed Jul 02, 2014 8:23 pm

Building openssl from source doesn't require rebuilding anything as long as you build 0.9.8za too; all your apps will be happy...
Building openssl-1.0.1h means recompiling dovecot, postfix and a lot of other packages...

You can also upgrade openssl to 0.9.8za only...

Nevertheless you can try to upgrade openssl only and see how things will go with tor...

gerasimos_h

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Wed Jul 02, 2014 9:40 pm

Thank you for clearing that out!

Perhaps I misunderstood "...., even with glibc mismatch... " as you had mismatch problems with glibc, but it didn't affect the other things you tried.

You've supplied me with an excellent ova "laboratory". Started to try it out tonight!

Thank you again gerasimos!

Regards
Lars

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Thu Jul 03, 2014 11:27 pm

You've helped me so far with this openssl-problem that I hardly dare to ask:
Have you ever tried to access your virtual server from your host?

Since this really is an Oracle-question, skip it if you will!

Lars

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Thu Jul 03, 2014 11:39 pm

Lars wrote:
You've helped me so far with this openssl-problem that I hardly dare to ask:
Have you ever tried to access your virtual server from your host?

Since this really is an Oracle-question, skip it if you will!

Lars


Might be because I'm a little bit tired right now, but I don't understand what you mean...
Which virtual server and from which host?

gerasimos_h

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Fri Jul 04, 2014 12:38 pm

Well you already have had so much patience with me!

I wrote very shortly, but I meant connecting to my now configured server in SMS-1.6.0 on VirtualBox from my host OS' browser. I.e. from the "outside".

When I wrote I had studied the Oracle VirtualBox manual back- and forwards and had read and tried so many contradictory incomplete descriptions
(http://superuser.com/questions/74709/how-to-access-my-local-server-on-my-virtualbox-virtual-machine
http://stackoverflow.com/questions/1261975/addressing-localhost-from-a-virtualbox-virtual-machine
https://coderwall.com/p/yx23qw
http://forums.opensuse.org/showthread.php/445676-Used-to-be-able-to-access-web-server-on-VirtualBox-Guest-from-host-OS to mention some) that I was quite exhausted.

But since yesterday I finally found a solution that was simpler than I thought:
My real, physical local network is configured with static IP's.
Up to now, not having a server in any Virtual Machine it was quite enough to let the Virtual Machine run with DHCP and set VirtualBox Network to Attach to NAT. Then I could reach internet from the Virtual Machine.

Now, having a server, SMS-1.6.0, that I wanted to connect to from my real physical host this no longer worked.
-The solution was simpler than I thought:
I used your *.ova's initial network setting with "Bridged adapter" and configured the Virtual SMS to be a part of my real, physical network with static IP's and then it worked like a charm!

There may be many other solutions, but I'm glad to have found this one!

I'm sorry to have bothered you so much with these openssl-related questions, but am very grateful for the help you have given!!

Best regards

Lars

Lars
Senior Member

Joined: 25 Oct 2010
Posts: 136

Posted: Sun Aug 31, 2014 3:41 pm

Please gerasimos don't bother with my question below!!
My gratefulness though remains!

I'll get back to you as soon as I can to explain why the question in someway went obsolete!


First of all a late but very grateful Thank you for supplying me with the *ova "sandbox" and doing a successful test long before me!

The reason for taking so long since last time is that I used your ova to setup a stripped version of my server.

Today I upgraded OpenSSL from 0.9.8r to 1.0.1h using the package from your repo: http://ftp.superbminiserver.org/SMS-2.0.7/slackware/n/openssl-1.0.1h-i486-1sms.txz.

I noted your test result: "Upgrading openssl-1.0.1h works on vanilla installation of SMS-1.6.0, this is due to 0.9.8za though included in openssl package. rather than 1.0.1h..." but perhaps I misunderstood or missed something concerning openssl-solibs here?

The upgrade almost blew my server's functionality: Neither http, https, ftp, ftps, dovecot, ssh nor tor works and X won't start.
Most of the problems seem related to "error while loading shared libraries", primarily libcrypto.so.0 and libssl.so.0.
Dovecots startup problems seem related to a missing ssl_cert: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem
(I really don't use Dovecot but it has always started without problems during boot.)

Maybe as I said, I missed something you meant about openssl-1.0.1h and openssl-solibs?

Or, can I correct the problems using symlinks?

Regards and sorry for the late feedback

Lars

A short immediate update
I tried creating two symlinks in /lib/
Code:
libcrypto.so.0 --> libcrypto.so.1.0.0
libssl.so.0 --> libssl.so.1.0.0

and it seems to have solved most of the problems.
I thought I'd had to run some ld-command but the symlinks were obviously enough (perhaps the ldconfig & during boot helped)?

The only two that remain are a mismatch warning:
Code:
OpenSSL mismatch. Built against 9080ef, you have 1000103f

and the Dovecot ssl_cert missing
Code:
Starting Dovecotconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 27: ssl_cert: Can't open /etc/ssl/certs/dovecot.pem: No such file or directory.


I wasn't aware of having an ssl_cert for Dovecot earlier but never had any startup problems?

Regards

Lars
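
Decoding the two hex values in the mismatch warning quoted in the post above, as an added example that is not part of the thread: `9080ef` decodes to 0.9.8n and `1000103f` to 1.0.1c, so the runtime library reports 1.0.1c rather than 1.0.1h, a release inside the 1.0.1 to 1.0.1f range affected by Heartbleed. The function names are hypothetical, and the code assumes the values follow OpenSSL's pre-3.0 `OPENSSL_VERSION_NUMBER` layout `0xMNNFFPPS`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the pre-3.0
# OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS (major, minor, fix, patch, status).

# patch_suffix N: 0 -> "", 1..26 -> a..z, 27.. -> za, zb, ...
patch_suffix() {
    p=$1; out=""
    while [ "$p" -gt 26 ]; do out="${out}z"; p=$((p - 26)); done
    if [ "$p" -gt 0 ]; then
        out="${out}$(printf "\\$(printf '%03o' $((96 + p)))")"
    fi
    printf '%s' "$out"
}

# decode_openssl_version HEX: prints e.g. "1.0.1c" (hypothetical helper name)
decode_openssl_version() {
    n=$((0x${1#0x}))
    case $((n & 0xf)) in
        15) tag="" ;;          # release
        0)  tag="-dev" ;;
        *)  tag="-beta$((n & 0xf))" ;;
    esac
    printf '%s.%s.%s%s%s\n' "$(( (n >> 28) & 0xf ))" "$(( (n >> 20) & 0xff ))" \
        "$(( (n >> 12) & 0xff ))" "$(patch_suffix "$(( (n >> 4) & 0xff ))")" "$tag"
}

# in_heartbleed_range HEX: true for 1.0.1 up to 1.0.1f (fixed in 1.0.1g).
# Only a hint: a build may carry a backported fix or omit heartbeat support.
in_heartbleed_range() {
    n=$((0x${1#0x}))
    [ "$((n >> 12))" -eq "$((0x10001))" ] && [ "$(( (n >> 4) & 0xff ))" -le 6 ]
}

# explain_mismatch LINE: decode "Built against <hex>, you have <hex>"
explain_mismatch() {
    pair=$(printf '%s\n' "$1" |
        sed -n 's/.*Built against \([0-9a-fA-F]*\), you have \([0-9a-fA-F]*\).*/\1 \2/p')
    [ -n "$pair" ] || return 1
    built=${pair% *}; have=${pair#* }
    note=""
    if in_heartbleed_range "$have"; then note=" (runtime in Heartbleed range)"; fi
    printf 'built=%s runtime=%s%s\n' "$(decode_openssl_version "$built")" \
        "$(decode_openssl_version "$have")" "$note"
}

# The warning quoted in the post above
explain_mismatch "OpenSSL mismatch. Built against 9080ef, you have 1000103f"
```
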

gerasimos_h
Site Admin

Joined: 09 Aug 2007
Posts: 1753
Location: Greece

Posted: Sun Aug 31, 2014 9:52 pm

Hi,
as I said, I didn't have problems updating my ova, upgrading openssl and openssl-solibs...
Did you upgrade packages or install over...?

Dovecot is missing /etc/ssh/certs/dovecot.pem, just create a dovecot.pem that's a .cert and a .key usually...
If you install sms-scripts which includes "smsconfig" you can create a new one with "smsconfig cert create".

Now where did you get the "OpenSSL mismatch. Built against 9080ef, you have 1000103f" ?

gerasimos_h

All times are GMT + 2 Hours