[Bug 1194187] New: openssl broken
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187

Bug ID: 1194187
Summary: openssl broken
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
CC: dleuenberger@suse.com
Found By: ---
Blocker: ---

found this while debugging why my dehydrated job is erroring out.

up2date Tumbleweed

rpm -qa \*openssl\*
libopenssl1_0_0-1.0.2u-6.2.x86_64
libopenssl1_0_0-steam-1.0.2u-6.2.x86_64
libopenssl1_0_0-steam-32bit-1.0.2u-6.2.x86_64
libopenssl1_1-32bit-1.1.1l-4.1.x86_64
openssl-1_1-1.1.1l-4.1.x86_64
libopenssl1_1-1.1.1l-4.1.x86_64
openssl-1.1.1l-1.2.noarch

```
Error configuring OpenSSL modules
139707710848960:error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:698:
139707710848960:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:crypto/asn1/asn_moid.c:38:
139707710848960:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
```

-- You are receiving this mail because: You are on the CC list for the bug.
Marcus Rückert <mrueckert@suse.com> changed:

What     | Removed | Added
---------+---------+------
Severity | Normal  | Major
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c1

Marcus Rückert <mrueckert@suse.com> changed:

What | Removed | Added
-----+---------+---------------
CC   |         | mpost@suse.com

--- Comment #1 from Marcus Rückert <mrueckert@suse.com> ---

worked around it by commenting out:

```
# oid_section = new_oids
# engines = engine_section
```
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c2

--- Comment #2 from Marcus Rückert <mrueckert@suse.com> ---

just commenting out the oid_section statement is enough.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c4

Marcus Rückert <mrueckert@suse.com> changed:

What  | Removed                       | Added
------+-------------------------------+------
Flags | needinfo?(mrueckert@suse.com) |

--- Comment #4 from Marcus Rückert <mrueckert@suse.com> ---

The call that triggers it is:

```
openssl req -new -sha256 -key /etc/dehydrated/certs/keyname_rsa/privkey-1640907684.pem -out /etc/dehydrated/certs/keyname_rsa/cert-1640907684.csr -subj /CN=keyname/ -reqexts SAN -config /tmp/dehydrated-DwFNuo
```

/tmp/dehydrated-DwFNuo is a copy of our /etc/ssl/openssl.cnf with a `[SAN]` section attached.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c6

Marcus Rückert <mrueckert@suse.com> changed:

What  | Removed                       | Added
------+-------------------------------+------
Flags | needinfo?(mrueckert@suse.com) |

--- Comment #6 from Marcus Rückert <mrueckert@suse.com> ---

cp /etc/ssl/openssl.cnf /tmp/dehydrated-DwFNuo

Add something like

```
[SAN]
subjectAltName=DNS:host1, DNS:host2
```
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c7

Mark Post <mpost@suse.com> changed:

What  | Removed | Added
------+---------+-------------------------------
Flags |         | needinfo?(mrueckert@suse.com)

--- Comment #7 from Mark Post <mpost@suse.com> ---

(In reply to Marcus Rückert from comment #6)
> cp /etc/ssl/openssl.cnf /tmp/dehydrated-DwFNuo
> Add something like
> ```
> [SAN]
> subjectAltName=DNS:host1, DNS:host2
> ```

Thanks, Marcus. Now I have to ask you to create something I can use for /etc/dehydrated/certs/keyname_rsa/privkey-1640907684.pem to see what's going on. Obviously I don't want you to send me a "real" private key, but something that gets created the same way would be really nice.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c8

Marcus Rückert <mrueckert@suse.com> changed:

What  | Removed                       | Added
------+-------------------------------+------
Flags | needinfo?(mrueckert@suse.com) |

--- Comment #8 from Marcus Rückert <mrueckert@suse.com> ---

it is something like this:

```
openssl genrsa -out /tmp/dehydrated-YLCP3U 4096
```
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c9

--- Comment #9 from Mark Post <mpost@suse.com> ---

Thanks again. In playing around, it seems there is some sort of issue with the addition of these two lines:

```
openssl_conf = openssl_init
[openssl_init]
```

When I added those, I was following the documentation at https://www.openssl.org/docs/man1.1.1/man5/config.html

If I remove them or comment them out, the CSR file gets created, but the engines definitions don't get created, even though the include files are read. It's as though these two lines are being totally ignored without the section header:

```
oid_section = new_oids
engines = engine_section
```

Which seems odd, since the documentation says:

> The first section of a configuration file is special and is referred to as the default section. This section is usually unnamed and spans from the start of file until the first named section.

Without those two lines, the oid_section and engines lines should be considered as being in the default section. This is starting to look more like an openssl bug to me, rather than the changes I made being somehow wrong.

Just what that means for Marcus adding the [SAN] section for his needs is really not clear. It seems as though his particular command only requires the "[ req_distinguished_name ]" section from openssl.cnf. But, none of those values are customized by us, so it's all very generic.

I don't know enough about openssl to be sure, but this kind of looks like this is relevant: https://github.com/openssl/openssl/issues/4598#issuecomment-341321065

Pedro, if you could take a look at this, I would appreciate it.
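The behaviour described in comment #9 (the oid_section line does nothing until openssl_conf names an init section, and once it does the "oid exists" error appears) can be modelled in a few lines; this is an added example, not code from the bug report, from dehydrated or from OpenSSL. It assumes the reading the symptoms suggest: the default config runs the oid module once at start-up, the identical `-config` copy runs it again, and the second `OBJ_create` of the same name/OID pair refuses the duplicate. The parser, `obj_create` and `run_oid_module` are simplified stand-ins, `myOrgUnit` and its OID are constructed placeholders, and the `idempotent` flag shows the defensive alternative of skipping an identical mapping instead of failing.

```python
import re
# Constructed sample with the layout discussed in the thread; OID is a placeholder.
SAMPLE_CNF = """openssl_conf = openssl_init
[openssl_init]
oid_section = new_oids
[new_oids]
myOrgUnit = 1.3.6.1.4.1.99999.1   # placeholder value, not a registered OID
"""

def parse_cnf(text):
    """config(5)-style parser: keys before the first [section] header go to the
    unnamed default section, stored here under the key ''."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            cur = m.group(1)
            sections.setdefault(cur, {})
            continue
        key, _, val = line.partition("=")
        sections[cur][key.strip()] = val.strip()
    return sections

def obj_create(table, oid, name):  # stand-in for OBJ_create: a duplicate fails
    if oid in table:
        raise ValueError(f"OBJ_create:oid exists: {name}={oid}")
    table[oid] = name

def run_oid_module(cnf, table, idempotent=False):
    """Config-module pass: runs only when openssl_conf in the default section
    names an init section with an oid_section; returns OIDs registered now."""
    init = cnf[""].get("openssl_conf")
    if init is None or "oid_section" not in cnf.get(init, {}):
        return 0
    todo = [(n, o) for n, o in cnf[cnf[init]["oid_section"]].items()
            if not (idempotent and table.get(o) == n)]  # skip identical mapping
    for name, oid in todo:
        obj_create(table, oid, name)
    return len(todo)

def double_load(idempotent=False):  # start-up load, then the -config copy again
    cnf, table = parse_cnf(SAMPLE_CNF), {}
    first = run_oid_module(cnf, table, idempotent)
    try:
        return first, run_oid_module(cnf, table, idempotent)
    except ValueError as err:
        return first, str(err)
```

`double_load()` returns the "oid exists" error on the second pass, `double_load(idempotent=True)` returns `(1, 0)`, and a config whose oid_section sits in the default section without an openssl_conf key registers nothing at all.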
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c28

--- Comment #28 from Marcus Rückert <mrueckert@suse.com> ---

yes we could fix dehydrated. but we can _not_ control how everyone out there is calling openssl. so we really should fix this bug within openssl.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c29

--- Comment #29 from Mark Post <mpost@suse.com> ---

Based on what Pedro said, upstream is not willing to fix it.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c48

Otto Hollmann <otto.hollmann@suse.com> changed:

What  | Removed | Added
------+---------+--------------------------
Flags |         | needinfo?(mpost@suse.com)

--- Comment #48 from Otto Hollmann <otto.hollmann@suse.com> ---

@Mark Post, are you able to reproduce this issue using openssl-3? I prepared a patch (updated config file) and would like to know if you can verify/test it.