RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

Help
62

Hi, i have (for me successfully) tried little bit more conservative approach on Centos 6. After normal 6.10 ca-certificates upgrade, which solved problem for me for NSS based apps, i found somewhere, that openssl (even Centos6 1.0.1) -trusted_first cli option works fine. So i created openssl-1.0.1e-58.pd1trfir.el6.src.rpm with this flag default on primarily for me. If you find this version useful, you can see it.. It is simply based on crypto/x509/x509_vfy.c patch:

- if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ if (/* Dufek - always - ctx->param->flags & */ X509_V_FLAG_TRUSTED_FIRST)

Sorry for maybe problematic typography here in discussion, suppose the key info is shown here.

2 Likes
63

This is the bit I can't figure, I've tried rpmbuild -bb ~/rpmbuild/SPECS/openssl.spec which has built the rpms, but then I get conflicts. Wish the explanation was a bit clearer for each step.

2 Likes
64

I can rpmbuild -bb ~/rpmbuild/SPECS/openssl.spec for example, which seems to create the various RPMs.
It's the step after that...there are various rpms, and if I try and install them it comes up with various conflicts, and doesn't seem to update the .so file, so a bit confused. It would be helpful if you could expand on the exact steps you did after the patch and build.
Thanks for the help.

1 Like
65

This looks like you built the packages on a CentOS 7 server and then copied them to a CentOS 6 server. They must be built on a CentOS 6 server. Yours seem compiled against a newer glibc version than CentOS 6 has available and have the 'el7' in the filename.

1 Like
66

I can't give exact installation instructions for everyone because it somewhat depends on what you already have installed. You will need to add all the packages you need at the same time to avoid conflict messages as the packages are interdependent. Because this version of the package separated openssl-libs from the main package you will definitely need at least this one. You can see what's already installed by running rpm -qa openssl\*. If you have i686 packages installed as well, you will need to remove them or cross compile openssl for i686 as well, but we are getting deeper and deeper into the weeds and it's impossible to elucidate every corner case in this thread.

For me I had to do: cd ~/rpmbuild/RPMS/x86_64/; rpm -Uhv openssl-1.0.2k-21.el6.x86_64.rpm openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-devel-1.0.2k-21.el6.x86_64.rpm but this may not be the same for everyone.

1 Like
67

ok, they are here:

Index of /openssl-rhel6 both RPM and SRPMS

credits for @kstange and for me.

4 Likes
68

Woohoo! I did it too! Full list of commands on a "fresh" CentOS 6 Docker image:

yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
cd ~/rpmbuild/SOURCES/
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

Not sure if openssl-devel-1.0.2k-21.el6.x86_64.rpm would be required, but for regular use I'm guessing it's not.

6 Likes
69

@Osiris The -devel package (for any package) contains just include files, only needed to build other packages depending on this one, not needed for regular operations. You can safely remove them.

@alan3188 The dependency failures are because on CentOS 7 (where we took the spec file from), the openssl package is split into "openssl" and "openssl-libs", but on CentOS 6 you had only "openssl". So you need to explicitly install the -libs package at the same time.

(which is why I suggested to merge them back into one, but that's another bit more work on the spec file. once you get it installed, it doesn't matter anymore.)

2 Likes
70

Thanks for the help folks, I still get a curious error when trying to update/install the rpm (existing latest openssl in centos 6 is 1.0.1e)...

error: Failed dependencies:
openssl-devel = 1.0.1e-58.el6_10 is needed by (installed) openssl-static-1.0.1e-58.el6_10.x86_64

However, yum install openssl-devel
Package openssl-devel-1.0.1e-58.el6_10.x86_64 already installed and latest version

EDIT think I fixed it by including the static and source file rpms as well at the same time.
Thanks for all the help.

1 Like
71

You won't need to install the source RPM, but that message indicates that your existing version of openssl-static doesn't like that you are upgrading openssl-devel and trying to leave it back on the old version, so the correct fix is just to install openssl-static in the same command like you did!

2 Likes
72

Those work nicely for me, thank you!

3 Likes
73

@ Osiris - thx - it's working like a charm with the manually compiled RPMs! :wink:

For the sake of completeness, here again the complete workflow to solve the DST Root CA X3 expiration problem with Centos / RHEL 6 ...

yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
cd ~/rpmbuild/SOURCES/
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

I also compiled a current ca-certificates so one doesn't need to manually remove the X3 Cert ...

How to build the ca-certificates RPM:

yum install asciidoc java-1.6.0-openjdk
mkdir -p /dl/ca-cert; cd /dl/ca-cert;
curl -o ca-certificates-2020.2.41-65.1.el6_10.src.rpm https://vault.centos.org/6.10/updates/Source/SPackages/ca-certificates-2020.2.41-65.1.el6_10.src.rpm
rpm -i ca-certificates-2020.2.41-65.1.el6_10.src.rpm
curl -o ca-certificates-2021.2.50-72.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm
rpm2cpio ca-certificates-2021.2.50-72.el7_9.src.rpm | cpio -idmv
cp certdata.txt ~/rpmbuild/SOURCES/
sed -i 's/Version: 2020.2.41/Version: 2021.2.50/g' ~/rpmbuild/SPECS/ca-certificates.spec
cd ~/rpmbuild/SPECS
rpmbuild -bb ca-certificates.spec
cd /root/rpmbuild/RPMS/noarch/
rpm -U ca-certificates-2021.2.50-65.1.el6.noarch.rpm

If someone is interested I could also publish the RPMs ... (I personally wouldn't install any RPMs from "foreign sources" on my servers ... ^^)

thx, bye from Austria
Andreas Schnederle-Wagner

8 Likes
74

For all interested parties. I've modified openssl.spec to incorporate shared files back into monolitic RPM file to match EL6 package contents.
URL for corresponding binary and source packages (openssl and ca-certificates) + openssl.spec is
https://server-support.co/openssl-el6/

3 Likes
75

I have problem with manually compiled RPMs on centos 6.

# rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm
error: Failed dependencies:
openssl = 1.0.1e-58.el6_10 is needed by (installed) openssl-devel-1.0.1e-58.el6_10.x86_64
openssl = 1.0.1e-58.el6_10 is needed by (installed) openssl-perl-1.0.1e-58.el6_10.x86_64

How i can solve it? I have installed openssl-devel and openssl-perl x86_64.

1 Like
76

add the devel and perl RPM to the "rpm -U" call ... they are all there ... :wink:

5 Likes
77

Thank you very much for the summation @futureweb!

For openssl update needed to remove a python-libs-2.6.6-68.el6_10.i686 package from 6.10 @updates repo, as it had a fixed dependency that prevented the openssl install. It removed cleanly though, nothing using it apparently.

yum remove python-libs-2.6.6-68.el6_10.i686

due to:

error: Failed dependencies:
        libcrypto.so.10 is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libcrypto.so.10(libcrypto.so.10) is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libssl.so.10 is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libssl.so.10(libssl.so.10) is needed by (installed) python-libs-2.6.6-68.el6_10.i686

For the certificates update, I needed following changes:

  1. Add "-p": mkdir -p /dl/ca-cert; cd /dl/ca-cert;
  2. Add "cd ~/rpmbuild/SPECS" before "rpmbuild -bb ca-certificates.spec"
3 Likes
78

Signed up just to say thanks. The comments in this thread are pure gold. @futureweb incorporated the comments from many in this thread into a perfect post on building the openssl & ca-certificate packages in post #73. I happened to load these into Spacewalk, and yum is smart enough to install the openssl-libs on upgrade of openssl.

Thanks!

5 Likes
79

Hi @yaylife and welcome to the LE community forum :slight_smile:

I can't think of a better compliment :+1:

2 Likes
80

Your work is greatly appreciated Andreas

3 Likes
81

Wow, this openssl mailing list post has a much simpler solution for CentOS 6 / openssl < 1.0.2

Since openssl apparantly doesn't check the self-signature on root CA's, you can simply alter the expiration date of DST Root CA X3, and it will be trusted again. The following command fudges the expiration date to 30 September 2024 (the end-date of the ISRG Root X1 cross-signature) directly in the PEM-encoded certificate:

sudo sed -i s/xMDkzMDE0MDExNVow/0MDkzMDE4MTQwM1ow/ /etc/pki/tls/certs/ca-bundle.crt

This works :cowboy_hat_face: no openssl upgrade needed!

6 Likes