RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

It's my understanding that OpenSSL 1.0.1 and 1.0.2 are intended to be ABI compatible. I'm currently doing some experimentation with rebuilding openssl-1.0.2k-21 (latest for CentOS 7) for CentOS 6. If that proves to work, it could be an option for anyone that needs this to work for a while longer. It needs to be combined with a ca-certificates update to version 2021.2.50 or removal of the DST cert from the trust store to have any chance of working. I'll try to report back with results soon.

5 Likes

I was able to successfully build the package after modifying a few things, and it installed without an issue. Programs built against openssl still run, and wget and openssl s_client work correctly and validate the certificate. This success requires you also have either removed the DST Root CA X3 certificate or have the EL6 ELS version of ca-certificates installed.

I picked up the source RPM from https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm

To build, I had to change ALL references in three patches from secure_getenv() to getenv():

  • openssl-1.0.2a-env-zlib.patch
  • openssl-1.0.2j-deprecate-algos.patch
  • openssl-1.0.2a-fips-ctor.patch

I also had to comment out this line (216) from the openssl.spec file:
%patch68 -p1 -b .secure-getenv

These references to secure_getenv() can't be used because glibc in CentOS 6 doesn't have the function. RH blindly added them without checking for support because they knew it was safe to assume CentOS 7 would have it.

Your mileage may vary, of course. Anything that depends on the specific 1.0.1e version might break, or might have incorrect expectations about what security features are available, leading to unexpected bad stuff, but so far I haven't had it happen to me. I'm not giving out any warranties or prebuilt packages, but hopefully this is enough to get people pointed in the right direction.

Edit: Just in case it may also help: To produce an updated version of ca-certificates, you can do something like this. Take these two packages:

Extract certdata.txt from the el7 SRPM and replace the file at SOURCES/certdata.txt for the el6 rpm build. Update the EL6 RPM spec file Version line to 2021.2.50, and build that package.

7 Likes
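The build adjustments described above (the secure_getenv() replacement, the %patch68 line, and the certdata.txt/Version refresh for ca-certificates) as one script. This is an added example, not kstange's own script; it assumes a standard ~/rpmbuild layout with the EL7 SRPMs already installed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the EL7 SRPMs have been
# installed into a standard rpmbuild tree (SOURCES/ and SPECS/).
set -e

# 1. EL6 glibc has no secure_getenv(), so rewrite every reference in the three
#    patches to getenv(), then comment out the %patch68 line in openssl.spec.
#    The % is doubled in the comment because rpmbuild expands macros even
#    inside comment lines.
patch_openssl_sources_for_el6() {
    top="$1"   # rpmbuild top dir, e.g. "$HOME/rpmbuild"
    for p in openssl-1.0.2a-env-zlib.patch \
             openssl-1.0.2j-deprecate-algos.patch \
             openssl-1.0.2a-fips-ctor.patch; do
        sed -i 's/secure_getenv/getenv/g' "$top/SOURCES/$p"
    done
    sed -i 's/^%patch68 /#%%patch68 /' "$top/SPECS/openssl.spec"
}

# 2. Count secure_getenv references still left in the openssl patches;
#    0 means the glibc problem is out of the way.
remaining_secure_getenv() {
    cat "$1"/SOURCES/openssl-1.0.2*.patch | grep -c 'secure_getenv' || true
}

# 3. Refresh the EL6 ca-certificates build: drop in certdata.txt taken from
#    the EL7 SRPM and bump the Version line to 2021.2.50 (the version named
#    in the thread).
refresh_ca_certificates_sources() {
    el7_certdata="$1"; top="$2"
    cp "$el7_certdata" "$top/SOURCES/certdata.txt"
    sed -i 's/^Version:.*/Version: 2021.2.50/' "$top/SPECS/ca-certificates.spec"
}

# Usage, from a prepared rpmbuild tree:
#   patch_openssl_sources_for_el6 "$HOME/rpmbuild"
#   rpmbuild -ba "$HOME/rpmbuild/SPECS/openssl.spec"
#   refresh_ca_certificates_sources /path/to/el7/certdata.txt "$HOME/rpmbuild"
#   rpmbuild -ba "$HOME/rpmbuild/SPECS/ca-certificates.spec"
```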

Thanks @kstange, I was trying to find a way of just rebuilding the ca-certificate cert files themselves - not sure if any info at "GitHub - rjrelyea/ca-certificate-scripts: script to manage ca-certificates" helps.

Looks like cPanel users are getting hit by this too: https://forums.cpanel.net/threads/cpanel-33077-letsencrypt-transition-to-isrgs-root-important.673981/post-2877037

CloudLinux ELS 6 has updated packages for ca-certificates and seems to work: https://forums.cpanel.net/threads/cpanel-33077-letsencrypt-transition-to-isrgs-root-important.673981/post-2877329 and "DST Root CA X3 Expiration and Let's Encrypt – cPanel".

2 Likes

Could you please share the package?

1 Like

I successfully built both packages and installed ca-certificates without any problems, but I have problems installing openssl-* since it is now split into many rpms like openssl-libs, openssl-static and so on...

How did you manage to install the new openssl-1.0.2 packages without RPM DB conflicts/problems?
I have bunch of errors like this:
https://paste.centos.org/view/82414818

Which is strange, because libcrypto.so.10 is 100% in openssl-devel-1.0.2.

1 Like

I was able to build and install the openssl 1.0.2k-8 package. I can provide you with the SRPM if you'd like. It wasn't built for CentOS, but for a RHEL-based OS. Shouldn't be any different.

1 Like

rpm --test -Uvf openssl-1.0.2k-21.el6.x86_64.rpm openssl-libs-1.0.2k-21.el6.x86_64.rpm

If ok, delete --test param

2 Likes

As @joconcha indicated you need to install the packages using RPM at the same time as they are interdependent. If you look at rpm -qa openssl\* you should see what is already installed. openssl-libs is a new package since EL7, though, so you'll definitely need to add that to the list. Then, just install the same package files for the new version. I had to install openssl, openssl-libs, and openssl-devel to satisfy the dependencies.

1 Like

I can confirm that the installation of the new openssl (1.0.2k) and the re-build of ca-certificates as indicated by @kstange has solved the problem on my server.

Thanks

5 Likes

Good

Does curl work, or must you recompile the nss package?

And does the PHP function file_get_contents() work?

<?php
$arrContextOptions = array(
    "ssl" => array(
        "verify_peer"      => true,
        "verify_peer_name" => true,
    ),
);
$response = file_get_contents("https://community.letsencrypt.org", false, stream_context_create($arrContextOptions));
echo $response;
?>

Bad result:

PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

1 Like

curl works fine.

php file_get_contents("https://community.letsencrypt.org") works ok.

php file_get_contents("https://community.letsencrypt.org", false, stream_context_create($arrContextOptions)) does not work.

1 Like

@joconcha would you be kind enough to share the RPMs?

1 Like

To ease the upgrade (and esp. downgrade!), I removed the separate -libs package from the EL7 spec file, moving the libraries back into the main package and adjusting the dependencies, to make it more "EL6 like".

1 Like

Hello. Where can I download new ca-certificates for CentOS 6?

1 Like

You can't. See above.

If you know what you are doing, and understand the risks, you can build your own rpms following the notes above.

If you can't do that then you should upgrade to CentOS 7.

2 Likes

Why can't I?
RHEL released updated ca-certificates-2021.2.50-60.1.el6_10.noarch.rpm
But I have not found links to download it.

1 Like

RHEL6 is EOL and the updated ca-certificates package is available only for "extended support" customers, so you won't find it.

However fixing ca-certificates is the easy part -- you can just as well edit /etc/pki/tls/certs/ca-bundle.crt directly (simply remove the DST Root CA X3 bits). The tricky part is you need OpenSSL 1.0.2 as well -- see above procedure on how to build it for yourself with a modified EL7 spec file.

4 Likes
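The "edit ca-bundle.crt directly" route from the reply above, as an added example that is not part of the thread: it drops one CA from a PEM bundle by the "# Label" comment that p11-kit writes before each certificate on EL6.5 and later, and keeps a backup. The function names are this example's own, and it assumes that labelled bundle layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the p11-kit bundle layout
# used on EL6.5+: a "# Label" comment line precedes each certificate.

# Read a bundle on stdin, write it to stdout without the labelled certificate.
strip_ca_by_label() {
    awk -v label="$1" '
        # a header line starts a new entry; skip it if the label matches
        /^# /                        { skip = (substr($0, 3) == label) }
        # the END line closes the removed block; stop skipping after it
        /^-----END CERTIFICATE-----/ { if (skip) { skip = 0; next } }
        !skip                        { print }
    '
}

# Count certificates in a bundle on stdin (prints 0 when there are none).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Edit a bundle file in place, keeping a .bak copy of the original.
remove_ca_from_bundle() {
    label="$1"; bundle="$2"
    cp -p "$bundle" "$bundle.bak"
    strip_ca_by_label "$label" < "$bundle.bak" > "$bundle"
}

# Usage, after checking the count drops by exactly one:
#   count_certs < /etc/pki/tls/certs/ca-bundle.crt
#   remove_ca_from_bundle 'DST Root CA X3' /etc/pki/tls/certs/ca-bundle.crt
#   count_certs < /etc/pki/tls/certs/ca-bundle.crt
```

On EL6.5+ the bundle is regenerated by update-ca-trust, so a direct edit is undone the next time that runs; placing the certificate's PEM under /etc/pki/ca-trust/source/blacklist/ and re-running update-ca-trust removes it persistently.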

I installed OpenSSL 1.0.2 from source:
https://openssl.org/source/openssl-1.0.2k.tar.gz

And replaced the ssl binary in /usr/bin with the new one. Then removed DST Root CA X3 from /etc/pki/tls/certs/ca-bundle.crt. But it does not work for me. Why?

2 Likes

Can you be more precise than "does not work"?
Did you install only the openssl binary, without the corresponding libraries? (Does /usr/bin/openssl version work?)

2 Likes

openssl version

OpenSSL 1.0.2k 26 Jan 2017

But when I try to connect to any ssl host I see an error:

wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

ERROR: cannot verify letsencrypt.org's certificate, issued by '/C=US/O=Let's Encrypt/CN=R3'
Unable to locally verify the issuer's authority.

1 Like