Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Sun Jun 29, 2014 7:13 pm Post subject: Upgrading OpenSSL 0.9.8r in S*M*S 1.6.0 [Solved!]
Hi again!
I've just successfully upgraded tor (and libevent) to the latest stable versions using src.
Do you think it would be possible to upgrade OpenSSL from 0.9.8r (the default version in SMS-1.6.0) to openssl-1.0.1h?
Are there more packages to OpenSSL that are needed?
Or are there any applications, for example Apache or vsftpd, that depend on that 0.9.8r version?
Best regards
Lars
Last edited by Lars on Wed Sep 10, 2014 8:50 pm; edited 1 time in total
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Tue Jul 01, 2014 12:15 pm Post subject:
An additional question:
To make a reset possible I copied openssl-0.9.8r-i486-3.txz from the S*M*S CD.
But in directory a/ I found openssl-solibs-0.9.8r-i486-3.txt and *.txz.asc, no package.
And I could not see that openssl-solibs is installed on my server.
Is openssl-solibs-0.9.8r-i486-3 necessary?
Regards
Lars
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Tue Jul 01, 2014 4:24 pm Post subject:
I'll try later today to do a test on sms-1.6.0 and let you know about the latest openssl package, although the openssl-1.0.1h package includes 0.9.8za so you probably won't have any issues...
openssl-solibs contains the libs only, in case you want a minimal install; the solibs package might be missing in 1.6.0 (due to a mistake) but openssl in slackware/n is the full package...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Tue Jul 01, 2014 6:20 pm Post subject:
Very kind of you, gerasimos_h!!
If you've got the time?
I also thought about some possible issues:
remaking the certificates for httpd and vsftpd
the encrypted passwords in /var/www/secure/.htpasswd
not to mention all system user passwords, root for instance
Will they be decryptable with another version of openssl?
Lars
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Tue Jul 01, 2014 10:55 pm Post subject:
Upgrading to openssl-1.0.1h works on a vanilla installation of SMS-1.6.0; this is due to 0.9.8za being included in the openssl package, though, rather than 1.0.1h...
Glibc in 1.6.0 is 2.13 but that doesn't affect openssl; it might affect other server packages or their dependencies if you choose a partial upgrade...
Whether to reissue the certificates or not is up to you; you don't have to make any changes to the encrypted passwords, as the system uses md5 or ssha passwords and doesn't use openssl.
Generally they will all work as they are now...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Wed Jul 02, 2014 12:09 pm Post subject:
Thank you very much indeed, gerasimos!!
Though you've already spent so much time on my question, can I ask you about some things I do not quite understand in your answer?
Yes, I've got an almost vanilla installation; the only divergences are the KDE desktop and devel packages (you helped me with both).
1. You said that the openssl-1.0.1h package includes 0.9.8za? And in your last reply: "this is due to 0.9.8za being included in the openssl package, though, rather than 1.0.1h".
What does that mean? Are you referring to the 0.9.8za openssl libs (I read something about that)? Or do you mean that openssl-1.0.1h and my old 0.9.8r have this(?) in common?
Thank you for sorting the system user password question out for me! I didn't know.
2. OpenSSL and glibc: I wasn't aware of that relation; that's one of the reasons I asked.
As you say, I've got glibc-2.13 and also gcc-4.5.2 packages installed. Having read your answer I made a quick search and found these:
http://superuser.com/questions/643649/compile-with-openssl-1-0-1e-but-linked-against-old-glibc
http://superuser.com/questions/343517/suse-10-3-wont-do-anything-after-openssl-upgrade-lib64-libc-so-6-version-gl?rq=1
- Do you think I can run into problems trying to compile anything due to openssl-1.0.1h requiring a higher version of glibc or gcc?
I'm not aware of having compiled anything with openssl. Of course openssl might have been involved without my knowledge? The only things related to openssl I've done are generating httpd and vsftpd certificates and letting my tor node use it.
(My tor node was my only reason for asking this openssl upgrade question, since my openssl-0.9.8r was not affected by the Heartbleed vulnerability. At least as far as I could find out.)
Best regards
Lars
PS. By now, over these 3 years, you've helped me so much with my "old" 1.6.0 that I think the least I can do is to send you some economic support (not one large sum, which I can't afford, but smaller ones on a regular basis). DS.
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Wed Jul 02, 2014 4:39 pm Post subject:
Openssl-1.0.1 includes the solibs from 0.9.8 too; every time I build 1.0.1 it rebuilds 0.9.8 too and adds them to the package for backward compatibility with older apps...
I was able not only to run but to connect through openssl to dovecot, so no problem...
I even upgraded dovecot and postfix along with mysql and pcre from SMS-Current and have no issues actually using openssl, even with the glibc mismatch...
You can test in VirtualBox before doing anything final by downloading
http://sms.it-ccs.com/isos/Testing/Virtualbox/SMS-1.6.0RC1%20Virtualbox%204.0.4/SMS-1.6.0.ova
That's what I did too anyway, to see what's running and what's not...
Was tor built from source, or was it the static binary that the tor site provides?
If you are building packages from sources, the best solution is to build openssl-1.0.1h yourself too...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Wed Jul 02, 2014 6:59 pm Post subject:
Well, thank you again gerasimos!! You've been marvellously helpful.
I'll try your 1.6.0.ova out in my VirtualBox.
Besides, I copied openssl-0.9.8r-i486-3.txz from the S*M*S-1.6.0 CD and could do a downgrade if anything I didn't think of trying in your VM should cause a major problem.
I've always built my tor/libevent upgrades from the sources in the tor-project repo.
I'll keep your remark on building openssl-1.0.1h from source in mind too. But to avoid the glibc mismatch I guess I would also have to build upgraded glibc and gcc, and going that far I think I would rather upgrade my SMS.
Perhaps I have already said that my reason for not upgrading my SMS is that I'm very pleased with it as it is.
It's not the SMS installation or configuration that makes me hesitate! So far it was fairly simple. But since then I've built and installed so many extra facilities and so much functionality, and that part took me about 1½ years to get ready and working. I would rather not go through that again, at least not in the nearest future.
Again, many many thanks!
Lars
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Wed Jul 02, 2014 8:23 pm Post subject:
Building openssl from source doesn't require rebuilding anything as long as you build 0.9.8za too; all your apps will be happy...
Building openssl-1.0.1h means recompiling dovecot, postfix and a lot of other packages...
You can also upgrade openssl to 0.9.8za only...
Nevertheless, you can try to upgrade openssl only and see how things will go with tor...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Wed Jul 02, 2014 9:40 pm Post subject:
Thank you for clearing that up!
Perhaps I misunderstood "...., even with glibc mismatch..." as meaning you had mismatch problems with glibc, but that it didn't affect the other things you tried.
You've supplied me with an excellent ova "laboratory". I started to try it out tonight!
Thank you again gerasimos!
Regards
Lars
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Thu Jul 03, 2014 11:27 pm Post subject:
You've helped me so far with this openssl problem that I hardly dare to ask:
Have you ever tried to access your virtual server from your host?
Since this really is an Oracle question, skip it if you will!
Lars
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Thu Jul 03, 2014 11:39 pm Post subject:
Lars wrote:
    You've helped me so far with this openssl problem that I hardly dare to ask:
    Have you ever tried to access your virtual server from your host?
    Since this really is an Oracle question, skip it if you will!
    Lars
Might be because I'm a little bit tired right now, but I don't understand what you mean...
Which virtual server and from which host?
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Fri Jul 04, 2014 12:38 pm Post subject:
Well, you already have had so much patience with me!
I wrote very briefly, but I meant connecting to my now configured server in SMS-1.6.0 on VirtualBox from my host OS's browser, i.e. from the "outside".
When I wrote, I had studied the Oracle VirtualBox manual backwards and forwards and had read and tried so many contradictory, incomplete descriptions
(http://superuser.com/questions/74709/how-to-access-my-local-server-on-my-virtualbox-virtual-machine
http://stackoverflow.com/questions/1261975/addressing-localhost-from-a-virtualbox-virtual-machine
https://coderwall.com/p/yx23qw
http://forums.opensuse.org/showthread.php/445676-Used-to-be-able-to-access-web-server-on-VirtualBox-Guest-from-host-OS to mention some) that I was quite exhausted.
But since yesterday I have finally found a solution that was simpler than I thought:
My real, physical local network is configured with static IPs.
Up to now, not having a server in any virtual machine, it was quite enough to let the virtual machine run with DHCP and set the VirtualBox network to "Attach to NAT". Then I could reach the internet from the virtual machine.
Now, having a server, SMS-1.6.0, that I wanted to connect to from my real physical host, this no longer worked.
The solution was simpler than I thought:
I used your *.ova's initial network setting, "Bridged adapter", and configured the virtual SMS to be a part of my real, physical network with static IPs, and then it worked like a charm!
There may be many other solutions, but I'm glad to have found this one!
I'm sorry to have bothered you so much with these openssl-related questions, but I am very grateful for the help you have given!!
Best regards
Lars
Lars Senior Member
Joined: 25 Oct 2010 Posts: 136
Posted: Sun Aug 31, 2014 3:41 pm Post subject:
Please gerasimos, don't bother with my question below!!
My gratefulness though remains!
I'll get back to you as soon as I can to explain why the question in some way went obsolete!
First of all, a late but very grateful thank you for supplying me with the *.ova "sandbox" and doing a successful test long before me!
The reason for taking so long since last time is that I used your ova to set up a stripped version of my server.
Today I upgraded OpenSSL from 0.9.8r to 1.0.1h using the package from your repo: http://ftp.superbminiserver.org/SMS-2.0.7/slackware/n/openssl-1.0.1h-i486-1sms.txz.
I noted your test result: "Upgrading to openssl-1.0.1h works on a vanilla installation of SMS-1.6.0; this is due to 0.9.8za being included in the openssl package, though, rather than 1.0.1h..." but perhaps I misunderstood or missed something concerning openssl-solibs here?
The upgrade almost blew my server's functionality: neither http, https, ftp, ftps, dovecot, ssh nor tor work, and X won't start.
Most of the problems seem related to "error while loading shared libraries", primarily libcrypto.so.0 and libssl.so.0.
Dovecot's startup problems seem related to a missing ssl_cert: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem
(I really don't use Dovecot, but it has always started without problems during boot.)
Maybe, as I said, I missed something you meant about openssl-1.0.1h and openssl-solibs?
Or, can I correct the problems using symlinks?
Regards, and sorry for the late feedback
Lars
A short immediate update
I tried creating two symlinks in /lib/
Code:
libcrypto.so.0 --> libcrypto.so.1.0.0
libssl.so.0 --> libssl.so.1.0.0
and it seems to have solved most of the problems.
I thought I'd have to run some ld command, but the symlinks were obviously enough (perhaps the ldconfig & during boot helped)?
The only two that remain are a mismatch warning:
Code:
OpenSSL mismatch. Built against 9080ef, you have 1000103f
and the Dovecot ssl_cert missing:
Code:
Starting Dovecotconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 27: ssl_cert: Can't open /etc/ssl/certs/dovecot.pem: No such file or directory.
I wasn't aware of having an ssl_cert for Dovecot earlier, but never had any startup problems?
Regards
Lars
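The symlink workaround and the "Built against ..., you have ..." warning in the post above both come down to one question: what does the dynamic loader actually hand a program, compared with what the program was compiled against? The POSIX shell script below is an added example, not code from this thread or from the S*M*S project. It has two parts: `missing_sonames` reads `ldd` output and lists every library the loader reports as "not found" (run `check_binaries` over the daemons that failed, before removing the 0.9.8 libraries or after adding symlinks, to see exactly which programs still want libssl.so.0 and libcrypto.so.0), and `openssl_version_str` decodes OPENSSL_VERSION_NUMBER hex values of the 0xMNNFFPPS layout used by the 0.9.x and 1.0.x series, which is the form tor prints in that warning. Function names are my own, and the `ldd` output embedded at the bottom is constructed for the demonstration. One caveat worth keeping in mind: a compatibility symlink only satisfies the loader's name lookup; the soname changed from .so.0 to .so.1.0.0 because the library ABI changed, which is what the separate 0.9.8 solibs gerasimos_h ships alongside 1.0.1 are for.

```shell
#!/bin/sh
# Added example, not code from this thread or from the S*M*S project.
# Two checks around an OpenSSL shared-library upgrade:
#   missing_sonames      - reads `ldd` output on stdin and prints each library
#                          the loader reported as "not found"
#   openssl_version_str  - decodes an OPENSSL_VERSION_NUMBER hex value
#                          (0xMNNFFPPS layout used by 0.9.x / 1.0.x) into the
#                          dotted form, e.g. 9080ef -> 0.9.8n
# Function names are my own; ldd, awk, cut and tr are standard tools.

missing_sonames() {
    # ldd prints "<soname> => not found" for every library it cannot resolve
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

check_binaries() {
    # Real-world wrapper (needs real binaries, so not exercised below):
    # run ldd on each path given and report what it cannot resolve.
    for bin in "$@"; do
        missing=$(ldd "$bin" 2>/dev/null | missing_sonames)
        if [ -n "$missing" ]; then
            printf '%s needs: %s\n' "$bin" "$(printf '%s' "$missing" | tr '\n' ' ')"
        fi
    done
}

openssl_version_str() {
    hex=$1
    case $hex in 0x*|0X*) hex=${hex#??} ;; esac   # accept with or without 0x
    n=$(( 0x$hex ))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    status=$(( n & 0xf ))
    letter=""
    # patch level 1 -> a, 2 -> b, ... (0 means no patch letter)
    if [ "$patch" -gt 0 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz\n' | cut -c "$patch")
    fi
    case $status in
        15) suffix="" ;;            # 0xf marks a release build
        0)  suffix="-dev" ;;
        *)  suffix="-beta$status" ;;
    esac
    printf '%s.%s.%s%s%s\n' "$major" "$minor" "$fix" "$letter" "$suffix"
}

# Constructed ldd output, modelled on a program linked against the 0.9.8
# libraries once only the 1.0.x libraries are installed.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libssl.so.0 => not found
    libcrypto.so.0 => not found
    libz.so.1 => /lib/libz.so.1 (0xb7700000)
    libc.so.6 => /lib/libc.so.6 (0xb7500000)'

printf '%s\n' "$SAMPLE_LDD" | missing_sonames   # prints libssl.so.0 and libcrypto.so.0
openssl_version_str 9080ef                        # -> 0.9.8n  (the headers tor was built against)
openssl_version_str 1000103f                      # -> 1.0.1c  (the library tor was running with)
```

For real use, call `check_binaries /usr/bin/tor /usr/sbin/httpd ...` (or whatever paths your daemons live at) and feed the hex values from any "mismatch" warning to `openssl_version_str`; a decoded runtime version that is not the one you think you installed is the first thing to chase when a daemon misbehaves after a library upgrade.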
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
Posted: Sun Aug 31, 2014 9:52 pm Post subject:
Hi,
as I said, I didn't have problems updating my ova, upgrading openssl and openssl-solibs...
Did you upgrade the packages or install over...?
Dovecot is missing /etc/ssh/certs/dovecot.pem; just create a dovecot.pem, that's usually a .cert and a .key...
If you install sms-scripts, which includes "smsconfig", you can create a new one with "smsconfig cert create".
Now, where did you get the "OpenSSL mismatch. Built against 9080ef, you have 1000103f"?
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com