whackamole: fix 1 prob (ssl errs on some https mirrors), get another...FIPS_selftest? Why do I need this?
I fixed my repo D/l prob with https mirrors:

  D/l 183KB for aspell-mi-0.50-2.5 .status (500) SSL upgrade failed: SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. D/l 151KB for aspell-ms-0.50-2.5

The openssl packages I had for perl were a bit dated, as well as the openssl packages themselves. So upgrading openssl, and then the perl packages fetched from cpan.

I also wanted to get node+npm running so I can play with node+canvas and try drawing things. I noticed I didn't have npm (rpm for node) installed, and on trying to install it from the TW repo, it also wanted me to up the node-package I had installed. So installed that as well -- not sure how to satisfy a user+group it wanted that's already installed (is there an rpm-option for that?).

But now, get:
  npm
  /usr/bin/node15: symbol lookup error: /usr/bin/node15: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
  node
  node-default: symbol lookup error: node-default: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
Um, why do I need a FIPS_selftest? More importantly, why does npm or node need such? I'm not running FIPS on my susebox nor on my winbox. So why is it trying to selftest it? I can see it looking to see if FIPS was enabled for encryption stuff, but for most people, they won't need it nor have it enabled. So why isn't a library to test for the symbol not dynamically loaded for the few that need FIPS compliance? Is there a dummy package to define FIPS_selftest as returning false?

FWIW, to update my openssl, I was presented w/these packages:

  libopenssl-1_1-devel-1.1.1k-2.1.x86_64 Sat May 1 20:11:32 2021
  libopenssl1_1-1.1.1k-2.1.x86_64 Sat May 1 20:10:31 2021
  openssl-1.1.1k-1.1.noarch Sat May 1 20:02:35 2021
  libopts25-5.18.16-6.6.x86_64 Sat May 1 20:02:34 2021
  libgnutls-dane0-3.7.1-1.2.x86_64 Sat May 1 20:02:34 2021
  gnutls-3.7.1-1.2.x86_64 Sat May 1 20:02:34 2021
  unbound-anchor-1.13.1-1.3.x86_64 Sat May 1 20:02:33 2021
  libunbound8-1.13.1-1.3.x86_64 Sat May 1 20:02:33 2021
  libp11-kit0-0.23.22-1.4.x86_64 Sat May 1 20:02:33 2021
  libgnutls30-3.7.1-1.2.x86_64 Sat May 1 20:02:33 2021
  openssl-1_1-1.1.1k-2.1.x86_64 Sat May 1 20:02:32 2021
  libprotobuf-c1-1.3.3-1.8.x86_64 Sat May 1 20:02:32 2021
  libhogweed6-3.7.2-2.1.x86_64 Sat May 1 20:02:32 2021
  crypto-policies-20210225.05203d2-1.2.noarch Sat May 1 20:02:31 2021
  libnettle8-3.7.2-2.1.x86_64 Sat May 1 20:02:30 2021

And to update the perl-packages, I needed:

  libopenssl-1_1-devel-1.1.1k-2.1.x86_64 Sat May 1 20:11:32 2021
  libopenssl1_1-1.1.1k-2.1.x86_64 Sat May 1 20:10:31 2021

But now npm/node want "version OPENSSL_1_1_0g"? Um....seems a bit painful to add 'g' for node/npm, but have the perlmods work with 'k'. The perlmods might work for 'g', but now that they work, I'm a bit aversive to breaking them.... Maybe I just need to recompile npm+node against 'k'?
On 5/3/21 6:20 AM, L A Walsh wrote:
> I fixed my repo D/l prob with https mirrors:
>
>   D/l 183KB for aspell-mi-0.50-2.5 .status (500) SSL upgrade failed: SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. D/l 151KB for aspell-ms-0.50-2.5
>
> The openssl packages I had for perl were a bit dated, as well as the openssl packages themselves. So upgrading openssl, and then the perl packages fetched from cpan. I also wanted to get node+npm running so I can play with node+canvas and try drawing things.
> I noticed I didn't have npm (rpm for node) installed, and on trying to install it from the TW repo, it also wanted me to up the node-package I had installed.
> So installed that as well -- not sure how to satisfy a user+group it wanted that's already installed (is there an rpm-option for that?).
Maybe see https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
> But now, get:
>
>   npm
>   /usr/bin/node15: symbol lookup error: /usr/bin/node15: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
>   node
>   node-default: symbol lookup error: node-default: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
>
> Um, why do I need a FIPS_selftest? More importantly, why does npm or node need such?
openssl needs it, node-default links against openssl so also needs it
> I'm not running FIPS on my susebox nor on my winbox. So why is it trying to selftest it?
It's not; FIPS_selftest is a symbol in a .so library that openssl links to. The library is used as part of running the selftests, but just having the library present isn't enough for them to run.
> I can see it looking to see if FIPS was enabled for encryption stuff, but for most people, they won't need it nor have it enabled.
Enough customers care about it that SUSE Linux Enterprise distros are regularly certified as compliant; to do this on a distro level openssl needs to be compiled with fips support enabled. We are not interested in shipping a different openssl package for people who care about it when we don't really have the need to.
> So why isn't a library to test for the symbol not dynamically loaded for the few that need FIPS compliance?
Because it's probably more effort for us and the openssl community. Besides that, the current setup should be zero additional effort for anyone using the standard distro packages and package manager.
> Is there a dummy package to define FIPS_selftest as returning false?
If there was it wouldn't help you because libopenssl is looking for a symbol. You would likely need to rebuild our openssl package without fips support, at which point you wouldn't really have an openSUSE distro anymore. Having said that, I just checked and nothing on my tumbleweed system is pulling in fips, so I guess you can either figure out why your openssl version is built with fips support or just install libfipscheck1; I'm not sure which will be easier for you.
> FWIW, to update my openssl, I was presented w/these packages:
>
>   libopenssl-1_1-devel-1.1.1k-2.1.x86_64 Sat May 1 20:11:32 2021
>   libopenssl1_1-1.1.1k-2.1.x86_64 Sat May 1 20:10:31 2021
>   openssl-1.1.1k-1.1.noarch Sat May 1 20:02:35 2021
>   libopts25-5.18.16-6.6.x86_64 Sat May 1 20:02:34 2021
>   libgnutls-dane0-3.7.1-1.2.x86_64 Sat May 1 20:02:34 2021
>   gnutls-3.7.1-1.2.x86_64 Sat May 1 20:02:34 2021
>   unbound-anchor-1.13.1-1.3.x86_64 Sat May 1 20:02:33 2021
>   libunbound8-1.13.1-1.3.x86_64 Sat May 1 20:02:33 2021
>   libp11-kit0-0.23.22-1.4.x86_64 Sat May 1 20:02:33 2021
>   libgnutls30-3.7.1-1.2.x86_64 Sat May 1 20:02:33 2021
>   openssl-1_1-1.1.1k-2.1.x86_64 Sat May 1 20:02:32 2021
>   libprotobuf-c1-1.3.3-1.8.x86_64 Sat May 1 20:02:32 2021
>   libhogweed6-3.7.2-2.1.x86_64 Sat May 1 20:02:32 2021
>   crypto-policies-20210225.05203d2-1.2.noarch Sat May 1 20:02:31 2021
>   libnettle8-3.7.2-2.1.x86_64 Sat May 1 20:02:30 2021
>
> And to update the perl-packages, I needed:
>
>   libopenssl-1_1-devel-1.1.1k-2.1.x86_64 Sat May 1 20:11:32 2021
>   libopenssl1_1-1.1.1k-2.1.x86_64 Sat May 1 20:10:31 2021
>
> But now npm/node want "version OPENSSL_1_1_0g"?
> Um....seems a bit painful to add 'g' for node/npm, but have the perlmods work with 'k'. The perlmods might work for 'g', but now that they work, I'm a bit aversive to breaking them....
> Maybe I just need to recompile npm+node against 'k'?
We ship both Perl and node/npm as part of tumbleweed; if you are using our packages for both, they will work with whichever version of openssl we have in tumbleweed. If you are using any of these components from elsewhere you'll be on your own and likely run into a bunch of headaches because some of these packages are updated.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On 2021/05/04 01:59, Simon Lees wrote:
> On 5/3/21 6:20 AM, L A Walsh wrote:
>> I fixed my repo D/l prob with https mirrors:
>> The openssl packages I had for perl were a bit dated, as well as the openssl packages themselves. So upgrading openssl, and then the perl packages fetched from cpan.
>> not sure how to satisfy a user+group it wanted that's already installed (is there an rpm-option for that?).
> Maybe see https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
---- That's not very helpful in specific cases, but more about adding in user+groups for packages. Thing is, I know I've tons of users/groups added over the years, but user/group nobody? Um...that's basic. So there is some new paradigm in new rpms that's forcing re-addition or re-creation of existing groups -- That's not real helpful, especially since the package installation doesn't ask or check if they are already created. They (in the URL you mention above) mention if they checked if already created, they might stomp on another package's usage, so they don't check and install over it instead! ??!?! I don't see how that is better in any case. At least if they check if it is already present, they will solve the redundant install case.
>> But now, get:
>> npm, node
>> symbol lookup error: /usr/bin/node15: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g
>> Um, why do I need a FIPS_selftest? More importantly, why does npm or node need such?
> openssl needs it, node-default links against openssl so also needs it
---- Alright, fine...not that important, but that it requires something other than the one I have installed is a pain....

I mentioned above I installed openssl, new above, in fact:

  rpm --queryformat="%17{BUILDTIME:date}-%{DISTRIBUTION} %{NVR}\n" -qa |grep -i openssl
  Thu Apr 8 12:28:31 2021-openSUSE Tumbleweed openssl-1.1.1k-1.1
  Tue Aug 7 00:57:47 2018-openSUSE Tumbleweed libopenssl1_0_0-1.0.2o-1.1
  Mon Apr 19 12:08:31 2021-openSUSE Tumbleweed openssl-1_1-1.1.1k-2.1
  Mon Apr 19 12:08:31 2021-openSUSE Tumbleweed libopenssl-1_1-devel-1.1.1k-2.1
  Mon Apr 19 12:08:31 2021-openSUSE Tumbleweed libopenssl1_1-1.1.1k-2.1

---- So I installed openssl from TW, with the one I installed, not having the FIPS label. The problem is I need FIPS from 1_1_0g, and silly me, I looked at the...45 openssl packages and tried to go for more recent ones from the alphabet -- thinking they might be less quickly obsoleted. So...

  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl10-1.0.2u-4.2.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_0_0-1.0.2u-4.2.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_0_0-hmac-1.0.2u-4.2.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_0_0-steam-1.0.2u-4.2.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_1-1.1.1j-2.1.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_1-1.1.1k-2.1.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_1-hmac-1.1.1j-2.1.x86_64.rpm
  /home/cache/suse/tumbleweed/repo/oss/x86_64/libopenssl1_1-hmac-1.1.1k-2.1.x86_64.rpm

Anyway, I guessed wrong for FIPS, I see a 1.1.1j,k + 1.0.2u[hmac,steam] for libopenssl...BUT...no 1.1.0g -- which I don't see.... All of them may have FIPS, but even if I knew to pick 'g-fips' doesn't seem to be in the TW rpms I have for TW.
> We ship both Perl and node/npm as part of tumbleweed if you are using our packages for both they will work with whichever version of openssl we have in tumbleweed.
---- Not so! There are multiple versions in the TW repo. I suspect that 'g' is included in one of the others, but that's not of great help. My perl is less picky since I usually try to build it myself from the perl website. It's the packaging (for node/npm) that is complaining! I do have TW openssl packages installed, just not the right ones to support g-fips. Hmmm... So am paused on that front, but have plenty of other "fronts" to work on (way too many for me to remember them all...sigh)...
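Added example, not part of the thread and not openSUSE tooling: the loader message quoted in the thread names a binary, a symbol and an ELF symbol-version tag (`OPENSSL_1_1_0g`), and this script splits those three parts and checks a `readelf --dyn-syms -W` dump for that exact versioned export. The two symbol tables are constructed samples; the commented last line shows the form to use against a real library.

```shell
#!/bin/sh
# Added example: split a glibc "symbol lookup error" into its parts and check
# a library's dynamic symbol table for that exact versioned export.

# Prints "binary symbol version-tag" for a loader error line, nothing otherwise.
parse_lookup_error() {
    printf '%s\n' "$1" | sed -n \
's/^.*symbol lookup error: \([^:]*\): undefined symbol: \([^,]*\), version \(.*\)$/\1 \2 \3/p'
}

# Reads `readelf --dyn-syms -W LIB` output on stdin; prints match,
# wrong-version or missing for SYMBOL ($1) with version tag ($2).
classify_export() {
    awk -v sym="$1" -v ver="$2" '
        $7 == "UND" { next }                 # an import, not an export
        { split($8, p, /@+/) }               # name@@TAG or name@TAG
        p[1] == sym && p[2] == ver { exact = 1 }
        p[1] == sym                { any = 1 }
        END { print (exact ? "match" : (any ? "wrong-version" : "missing")) }'
}

# Loader error line in $1, readelf table on stdin.
diagnose() {
    set -- $(parse_lookup_error "$1")
    [ $# -eq 3 ] || { echo "unparsed"; return 1; }
    echo "$2@$3: $(classify_export "$2" "$3")"
}

# Constructed readelf excerpts (not dumped from a real library).
sample_fips_build() { cat <<'EOF'
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    10: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
    11: 00000000001f0c10   210 FUNC    GLOBAL DEFAULT   13 FIPS_selftest@@OPENSSL_1_1_0g
EOF
}
sample_plain_build() { cat <<'EOF'
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    11: 00000000001a2b30    45 FUNC    GLOBAL DEFAULT   13 EVP_PKEY_set1_engine@@OPENSSL_1_1_0g
EOF
}

err='/usr/bin/node15: symbol lookup error: /usr/bin/node15: undefined symbol: FIPS_selftest, version OPENSSL_1_1_0g'
sample_fips_build  | diagnose "$err"
sample_plain_build | diagnose "$err"
# Live use: readelf --dyn-syms -W "$(ldd /usr/bin/node15 | awk '/libcrypto/ {print $3}')" | diagnose "$err"
```

A `missing` or `wrong-version` result for the libcrypto that `ldd` resolves means the binary and the library come from different builds, whatever the package version string says.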
participants (2)
- L A Walsh
- Simon Lees