Log inUsernamePassword
Log me on automatically each visit    
Register
Register
Log in to check your private messages
Log in to check your private messages
SMS Forum Index » SMS User Support

Post new topic   Reply to topic
Upgrading OpenSSL 0.9.8r in S*M*S 1.6.0 [Solved!] Goto page Previous  1, 2
View previous topic :: View next topic  
Author Message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sun Aug 31, 2014 10:09 pm    Post subject: Suggestion: Close this thread Reply with quote

Hi again!

Perhaps it's time to finalize and close this thread now.

As you could see above the symlinks virtually seemed to solve most of the problems. At least when it came to boot messages.
The only two remaining were
OpenSSL mismatch...
Starting Dovecotconf:....
But when I looked into it more carefully i saw that only ftp and ftps (vsftpd) were running.
http, https (httpd) and ssh (sshd) were down, but without boot error msgs or warnings.
And, of course Dovecot, as warned.

Perhaps I would have been able to solve those later?

But Worse: tor crashed! ..and logged:
Code:
Aug 31 17:34:53.000 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 9080ef: OpenSSL 0.9.8r 8 Feb 2011; running with 1000103f: OpenSSL 1.0.1h 5 Jun 2014).
....
Aug 31 17:35:11.000 [err] tor_tls_get_tlssecrets(): Bug: src/common/tortls.c:2763: tor_tls_get_tlssecrets: Assertion tls->ssl->session failed; aborting.


Perhaps this in somehow is related to what you described about "...this is due to 0.9.8za though included in openssl package. rather than 1.0.1h..."

And Tor was the only reason for my trying to upgrade OpenSSL. I now have come to a point giving up this tor-openssl problem and stick with what I've got. -I'm only glad that I didn't try this in my real server!

I finally must express my great gratitude for the ova-"sandbox" you provided me with! It prevented destroying my real server! Very Happy

Best regards!

Lars
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sun Aug 31, 2014 10:20 pm    Post subject: Reply with quote

gerasimos, I didn't notice you were writing simultaneously Wink ,

Some is explained in my post after yours, but to anwer your questions
Quote:
and openssl-solibs...
Did you upgrade packages or install over...?

Dovecot is missing /etc/ssh/certs/dovecot.pem, just create a dovecot.pem that's a .cert and a .key usually...
If you install sms-scripts which includes "smsconfig" you can create a new one with "smsconfig cert create".

Now where did you get the "OpenSSL mismatch. Built against 9080ef, you have 1000103f" ?


I didn't upgrade openssl-solibs, was uncertain of version (what you earlier described)
I upgraded.
About the mismatch I didn't know when I wrote, but as you can see in my previous post it came from tor.

Lars
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Sun Aug 31, 2014 10:28 pm    Post subject: Reply with quote

Didn't notice your message either...

As far as I remember tor was built from source, so if I remember correct you need to re-built it with new openssl...

You can try to install "installpkg" openssl and openssl-solibs again...
All the services you mentioned use the 0.9.8 libs...

You can also try to upgrade your current packages with 1.0.1i from SMS-Current too in you ova...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sun Aug 31, 2014 10:38 pm    Post subject: Reply with quote

But what version of openssl-solibs?

I must admit I never really understood what you earlier described about openssl-solibs.
I thought openssl-solibs was included in openssl.
Think the openssl-site confirmed that.
Further I thought you built openssl-1.0.1h with openssl-solibs-09.8z(?) and that was essintial to make it work in SMS-1.6.0?

That's why I didn't dare upgrading openssl-solibs.

If I try, which version of openssl-solibs should I use?

You might very well be right about rebuliding tor against the higher openssl-version.
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Mon Sep 01, 2014 7:36 pm    Post subject: Reply with quote

If you upgrade openssl-1.0.1i you must upgrade openssl-solibs-1.0.1i too...
Openssl-solibs package handle the symlinks, you can remove it, but not leave the old one...

Openssl 1.0.1h includes 0.9.8za and 1.0.1i includes 0.9.8zb.

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Mon Sep 01, 2014 9:02 pm    Post subject: Reply with quote

Ok, while waiting for your answer today I made a wild guess: installed openssl-solibs-1.0.1h and rebuilt tor against openssl-1.0.1h
It all seemed to work all right! Thank you! Now my upgrade finally runs smooth (apart dovecotcert)! Very Happy

Perhaps you don't understand what I'm wondering about or I'm to unspecific in my asking?
But what is the relation between openssl and openssl-solibs?
In my SMS-1.6.0 i had no openssl-solibs, it was not among the packages on the CD either, just 2 textfiles.
-Now, after today I've got openssl-1.0.1h-i486-1sms and openssl-solibs-1.0.1h-i486-1sms in SMS-1.6.0.
Did your openssl-0.9.8r include the solibs or what? And your openssl-1.0.1h doesn't include openssl-solibs?
And what about the confusing differences in version?
You say Openssl 1.0.1h includes 0.9.8za and 1.0.1i includes 0.9.8zb, shouldn't it be 1.0.1h resp i?
Or do you mean that your openssl-1.0.1h-i486-1sms (in contrary to the official) includes 0.9.8za solibs?
And that's the reason I need to make a completing installation of openssl-solibs with the "official" version?

Finally, I searched around for your "smsconfig", and a deeper search among your downloads.
Where can I find a version that suits SMS-1.6.0 X86?

Best regards
Lars
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Tue Sep 02, 2014 12:18 pm    Post subject: Reply with quote

A minor update

You really don't have to bother about "smsconfig"!

I read the manuals and managed to create a key and cert using
Code:
#  openssl req...


Anyway, I'm most grateful for all your help with this OpenSSL-upgrade problem!
At last all problems were solved Very Happy .

My best regards!

Lars
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Wed Sep 03, 2014 7:28 pm    Post subject: Reply with quote

You can download sms-scripts with slapt-get which includes smsconfig and a set of defaults certs like dovecot.pem, but since you create the cert your self it's the same thing....

You could also upgrade to openssl-1.0.1i instead of 1.0.1h though, since you end up upgrading...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Wed Sep 10, 2014 9:03 pm    Post subject: Reply with quote

Finally Very Happy!

With your kind guidance I finally upgraded my real SMS-1.6.0 server with the latest stable versions from openssl and torproject, that is 1.0.1i and 2.4.23 respectively.

And as you said from start, it met few problems:
rebuilding tor and creating ssl-key and -cert for Dovecot was all that was needed.
I had other applications built from source using ssl that I had not tested virtually, but they caused no problems.
And so far I've not noticed any consequences of the glibc mismatch.

I owe you great many thanks gerasimos!

Best regards
Lars
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    SMS Forum Index » SMS User Support All times are GMT + 2 Hours
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum

SMS - Superb! Mini Server Project © 2016
Powered by phpBB © 2001, 2002 phpBB Group
iCGstation v1.0 Template By Ray © 2003, 2004 iOptional