On 5/3/21 6:20 AM, L A Walsh wrote:
I fixed my repo D/l prob with https mirrors:
D/l 183KB for aspell-mi-0.50-2.5 .status (500) SSL upgrade failed: SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
D/l 151KB for aspell-ms-0.50-2.5
The openssl packages I had for perl were a bit dated, as well as the openssl packages themselves. So upgrading openssl, and then the perl packages fetched from cpan. I also wanted to get node+npm running so I can play with node+canvas and try drawing things.
I noticed I didn't have npm (rpm for node) installed, and on trying to install it from the TW repo, it also wanted me to up the node-package I had installed.
So installed that as well -- not sure how to satisfy a user+group it wanted that's already installed (is there an rpm-option for that?).
Maybe see https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
But now, get:
npm
/usr/bin/node15: symbol lookup error: /usr/bin/node15: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
node
node-default: symbol lookup error: node-default: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
Um, why do I need a FIPS_selftest? More importantly, why does npm or node need such?
openssl needs it, node-default links against openssl so also needs it
I'm not running FIPS on my susebox nor on my winbox. So why is it trying to selftest it?
It's not, FIPS_selftest is a symbol in a .so library that openssl links to, the library is used as part of running the selftests but just having the library present isn't enough for them to run.
I can see it looking to see if FIPS was enabled for encryption stuff, but for most people, they won't need it nor have it enabled.
Enough customers care about it that SUSE Linux Enterprise Distros are regularly certified as compliant, to do this on a distro level openssl needs to be compiled with fips support enabled. We are not interested in shipping a different openssl package for people who care about it when we don't really have the need to.
So why isn't a library to test for the symbol not dynamically loaded for the few that need FIPS compliance?
Because it's probably more effort for us and the openssl community. Besides that the current setup should be zero additional effort for anyone using the standard distro packages and package manager.
Is there a dummy package to define FIPS_selftest as returning false?
If there was it wouldn't help you because libopenssl is looking for a symbol. You would likely need to rebuild our openssl package without fips support at which point you wouldn't really have an openSUSE distro anymore. Having said that I just checked and nothing on my tumbleweed system is pulling in fips so I guess you can either figure out why your openssl version is built with fips support or just install libfipscheck1, I'm not sure which will be easier for you.
FWIW, to update my openssl, I was presented w/these packages:
libopenssl-1_1-devel-1.1.1k-2.1.x86_64        Sat May 1 20:11:32 2021
libopenssl1_1-1.1.1k-2.1.x86_64               Sat May 1 20:10:31 2021
openssl-1.1.1k-1.1.noarch                     Sat May 1 20:02:35 2021
libopts25-5.18.16-6.6.x86_64                  Sat May 1 20:02:34 2021
libgnutls-dane0-3.7.1-1.2.x86_64              Sat May 1 20:02:34 2021
gnutls-3.7.1-1.2.x86_64                       Sat May 1 20:02:34 2021
unbound-anchor-1.13.1-1.3.x86_64              Sat May 1 20:02:33 2021
libunbound8-1.13.1-1.3.x86_64                 Sat May 1 20:02:33 2021
libp11-kit0-0.23.22-1.4.x86_64                Sat May 1 20:02:33 2021
libgnutls30-3.7.1-1.2.x86_64                  Sat May 1 20:02:33 2021
openssl-1_1-1.1.1k-2.1.x86_64                 Sat May 1 20:02:32 2021
libprotobuf-c1-1.3.3-1.8.x86_64               Sat May 1 20:02:32 2021
libhogweed6-3.7.2-2.1.x86_64                  Sat May 1 20:02:32 2021
crypto-policies-20210225.05203d2-1.2.noarch   Sat May 1 20:02:31 2021
libnettle8-3.7.2-2.1.x86_64                   Sat May 1 20:02:30 2021
And to update the perl-packages, I needed:
libopenssl-1_1-devel-1.1.1k-2.1.x86_64        Sat May 1 20:11:32 2021
libopenssl1_1-1.1.1k-2.1.x86_64               Sat May 1 20:10:31 2021
But now npm/node want "version OPENSSL_1_1_0g"?
Um....seems a bit painful to add 'g' for node/npm, but have the perlmods work with 'k'. The perlmods might work for 'g', but now that they work, I'm a bit aversive to breaking them....
Maybe I just need to recompile npm+node against 'k'?
We ship both Perl and node/npm as part of tumbleweed if you are using our packages for both they will work with whichever version of openssl we have in tumbleweed. If you are using any of these components from elsewhere you'll be on your own and likely run into a bunch of headaches because some of these packages are updated.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
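
Added example, not part of the original thread or written by either participant: a shell sketch that takes a loader error line like the `FIPS_selftest` one quoted above, lists the libraries the binary resolves to, and reports which of them define the versioned symbol and which RPM owns each file. The function names are hypothetical; it assumes `ldd`, binutils `readelf` and `rpm` are installed.

```shell
#!/bin/sh
# Added example: trace an "undefined symbol ..., version ..." loader error
# back to the library and RPM that should provide the symbol.

# Print "binary symbol version" extracted from one loader error line.
parse_lookup_error() {
  printf '%s\n' "$1" | sed -nE \
    's/^.*: symbol lookup error: ([^:]+): undefined symbol: ([^,]+), version ([A-Za-z0-9_.]+).*$/\1 \2 \3/p'
}

# Read `readelf --dyn-syms -W` output on stdin; succeed only if the library
# DEFINES symbol $1 at version $2 (an UND entry is an import, not an export).
exports_symbol() {
  awk -v want="$1" -v ver="$2" '
    $7 != "UND" && ($8 == want "@@" ver || $8 == want "@" ver) { found = 1 }
    END { exit !found }'
}

# For the binary named in the error line, list each resolved dependency,
# whether it exports the wanted symbol, and what rpm says about the file.
# Note: ldd can execute code from the inspected file; use it on trusted binaries only.
diagnose() {
  set -- $(parse_lookup_error "$1")
  [ "$#" -eq 3 ] || { echo "not a symbol lookup error" >&2; return 2; }
  bin=$1 sym=$2 ver=$3 status=1
  for lib in $(ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'); do
    if readelf --dyn-syms -W "$lib" | exports_symbol "$sym" "$ver"; then
      verdict=exports status=0
    else
      verdict=lacks
    fi
    printf '%s %s %s@%s (rpm -qf: %s)\n' "$lib" "$verdict" "$sym" "$ver" \
      "$(rpm -qf "$lib" 2>&1)"
  done
  return "$status"
}

# Usage: pass the error line as the first argument.
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

A library reported as lacking the symbol, or a file that `rpm -qf` cannot attribute to a package, shows where the binary and the OpenSSL build it loads have diverged.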