OpenSSL 3.1.1 and sddm are not compatible
hi,

when i yesterday updated openssl (amongst many other packages) from 3.0.8 to 3.1.1, from tumbleweed repo and after that rebooted i could not login any more using sddm.

after hours searching i finally found that there is a sddm log file ~/.local/share/sddm/xorg-session.log

in that i found the following:

OpenSSL version mismatch. Built against 30000080, you have 30100010

after downgrading openssl back to 3.0.8 using packages from https://download.opensuse.org/history/ it works again.

so, please be aware not to upgrade openssl to 3.1.1

--
Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | Atenciosamente | Saludos Cordiales
*DI Rainer Klier*
DevOps, Research & Development
On Tue, Jun 06, 2023 at 11:37:20AM +0200, Rainer Klier wrote:
> hi,
> when i yesterday updated openssl (amongst many other packages) from 3.0.8 to 3.1.1, from tumbleweed repo and after that rebooted i could not login any more using sddm.
> after hours searching i finally found that there is a sddm log file ~/.local/share/sddm/xorg-session.log
> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
> after downgrading openssl back to 3.0.8 using packages from https://download.opensuse.org/history/ it works again.
> so, please be aware not to upgrade openssl to 3.1.1

It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones. So far it might be libqt5-qtbase. We will be fixing this.

Also sddm is tested, so it is weird it was not spotted by our openqa.

Ciao, Marcus
On Tuesday, 6 June 2023, 13:27:16 CEST, Marcus Meissner wrote:
> Also sddm is tested, so it is weird it was not spotted by our openqa.
It works here. So I guess not all use-cases are broken and maybe the test cases we run via openQA are not covering the broken one. Other Qt 5 based software on my system works also just fine with OpenSSL 3.1.1 and that includes making HTTPS requests via Qt Network. So I'm wondering how to reproduce this problem.
On Jun 06 2023, Marcus Meissner wrote:
> On Tue, Jun 06, 2023 at 11:37:20AM +0200, Rainer Klier wrote:
>> hi,
>> when i yesterday updated openssl (amongst many other packages) from 3.0.8 to 3.1.1, from tumbleweed repo and after that rebooted i could not login any more using sddm.
>> after hours searching i finally found that there is a sddm log file ~/.local/share/sddm/xorg-session.log
>> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
>> after downgrading openssl back to 3.0.8 using packages from https://download.opensuse.org/history/ it works again.
>> so, please be aware not to upgrade openssl to 3.1.1
> It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones.
> So far it might be libqt5-qtbase.

At least the version test is embedded into libQt5Network.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
On Tue, Jun 06, 2023 at 02:49:48PM +0200, Andreas Schwab wrote:
> On Jun 06 2023, Marcus Meissner wrote:
>> On Tue, Jun 06, 2023 at 11:37:20AM +0200, Rainer Klier wrote:
>>> hi,
>>> when i yesterday updated openssl (amongst many other packages) from 3.0.8 to 3.1.1, from tumbleweed repo and after that rebooted i could not login any more using sddm.
>>> after hours searching i finally found that there is a sddm log file ~/.local/share/sddm/xorg-session.log
>>> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
>>> after downgrading openssl back to 3.0.8 using packages from https://download.opensuse.org/history/ it works again.
>>> so, please be aware not to upgrade openssl to 3.1.1
>> It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones.
>> So far it might be libqt5-qtbase.
> At least the version test is embedded into libQt5Network.

The team so far had not rebuilt all openssl users, as they were not aware of this strict check and it did not show otherwise in openQA.

They have now done a big rebuild of all packages using openssl, which should be in the next TW snapshot.

Ciao, Marcus
On Tuesday 2023-06-06 17:50, Marcus Meissner wrote:
>> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
> It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones.
Either Qt is wrong to do this check, or openssl should have bumped the SO version. I think it's the former.
On Jun 06 2023, Jan Engelhardt wrote:
> On Tuesday 2023-06-06 17:50, Marcus Meissner wrote:
>>> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
>> It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones.
> Either Qt is wrong to do this check, or openssl should have bumped the SO version. I think it's the former.

It's a red herring. The error is coming from openssh, it is emitted early in all its programs, including ssh-agent and ssh-add (the openQA tests probably don't use any ssh keys which would explain why it doesn't happen there). The version is only embedded in libQt5Network because it exports a function to return the buildtime version of the used ssl library.

Incidentally, there is a patch in our openssh package that is supposed to disable this check, but it wasn't reactivated when this patch was updated during the move from openssh version 6 to version 7.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
On Tue, 6 Jun 2023, Marcus Meissner wrote:
> On Tue, Jun 06, 2023 at 02:49:48PM +0200, Andreas Schwab wrote:
>> On Jun 06 2023, Marcus Meissner wrote:
>>> On Tue, Jun 06, 2023 at 11:37:20AM +0200, Rainer Klier wrote:
>>>> hi,
>>>> when i yesterday updated openssl (amongst many other packages) from 3.0.8 to 3.1.1, from tumbleweed repo and after that rebooted i could not login any more using sddm.
>>>> after hours searching i finally found that there is a sddm log file ~/.local/share/sddm/xorg-session.log
>>>> in that i found the following: OpenSSL version mismatch. Built against 30000080, you have 30100010
>>>> after downgrading openssl back to 3.0.8 using packages from https://download.opensuse.org/history/ it works again.
>>>> so, please be aware not to upgrade openssl to 3.1.1
>>> It might not necessarily be sddm, as it does not build with openssl, but one of its dependent libraries like one of the QT ones.
>>> So far it might be libqt5-qtbase.
>> At least the version test is embedded into libQt5Network.
> The team so far had not rebuilt all openssl users, as they were not aware of this strict check and it did not show otherwise in openQA.

Can we simply patch those strict version tests out? If the application dynamically links successfully and openssl didn't break ABI compatibility such check should not be necessary (at least the check should be directional - reject a _lower_ runtime openssl compared to build time but not the other way around).

Please also report this upstream to Qt folks.

Richard.

> They have now done a big rebuild of all packages using openssl, which should be in the next TW snapshot.
> Ciao, Marcus

--
Richard Biener <rguenther@suse.de>
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany;
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman; HRB 36809 (AG Nuernberg)
On 06.06.23 at 17:50, Marcus Meissner wrote:
> The team so far had not rebuilt all openssl users, as they were not aware of this strict check and it did not show otherwise in openQA.
> They have now done a big rebuild of all packages using openssl, which should be in the next TW snapshot.

today i updated TW again, but did not update openssl, because i don't know if the issue might return, if i update openssl.

and guess what happened? login again not possible.

error message in ~/.local/share/sddm/xorg-session.log:

OpenSSL version mismatch. Built against 30100010, you have 30000080

so, this time it is the other way around. i have to update openssl now. but there was no auto-update for this dependency.

--
Best Regards | Freundliche Grüße | Cordialement | Cordiali Saluti | Atenciosamente | Saludos Cordiales
*DI Rainer Klier*
DevOps, Research & Development
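
The directional check Richard proposes, run against the two mismatch lines reported in this thread, as an added example (not code from openssh, Qt or the openSUSE packages). The function names are hypothetical; the decoding assumes the OpenSSL 3.x `OPENSSL_VERSION_NUMBER` layout 0xMNN00PP0.

```c
#include <stdio.h>

/* OpenSSL 3.x OPENSSL_VERSION_NUMBER layout: 0xMNN00PP0 (major, minor, patch). */
struct ossl_ver { unsigned major, minor, patch; };

static struct ossl_ver decode(unsigned long v)
{
    struct ossl_ver r = { (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 4) & 0xff };
    return r;
}

/* Pull both hex values out of a mismatch line; returns 1 on success. */
static int parse_mismatch(const char *line, unsigned long *built, unsigned long *have)
{
    return sscanf(line, "OpenSSL version mismatch. Built against %lx, you have %lx",
                  built, have) == 2;
}

/* Strict policy: runtime must be exactly the build-time version. */
static int strict_ok(unsigned long built, unsigned long have)
{
    return built == have;
}

/* Directional policy (hypothetical): same major, runtime not older than build time. */
static int directional_ok(unsigned long built, unsigned long have)
{
    struct ossl_ver b = decode(built), h = decode(have);
    if (b.major != h.major) return 0;
    if (h.minor != b.minor) return h.minor > b.minor;
    return h.patch >= b.patch;
}

int main(void)
{
    /* The two log lines quoted in this thread. */
    const char *lines[] = {
        "OpenSSL version mismatch. Built against 30000080, you have 30100010",
        "OpenSSL version mismatch. Built against 30100010, you have 30000080",
    };
    for (int i = 0; i < 2; i++) {
        unsigned long built, have;
        if (!parse_mismatch(lines[i], &built, &have)) continue;
        struct ossl_ver b = decode(built), h = decode(have);
        printf("built %u.%u.%u, runtime %u.%u.%u: strict=%d directional=%d\n",
               b.major, b.minor, b.patch, h.major, h.minor, h.patch,
               strict_ok(built, have), directional_ok(built, have));
    }
    return 0;
}
```

Under the directional policy the first report (built 3.0.8, runtime 3.1.1) passes, while the second (built 3.1.1, runtime 3.0.8) is still rejected.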
participants (6)
- Andreas Schwab
- Jan Engelhardt
- Marcus Meissner
- Marius Kittler
- Rainer Klier
- Richard Biener