I have just manually upgraded OpenSSL from 3.0.2 to 3.0.7. I know a patch was available for 3.0.2, but, easier to answer to management this way vs. having to explain over and over again why the version still shows 3.0.2. So no need to comment on that.
I ran into the 'unable to lookup symbol BIO_f_zlib' error initially after the install when using:
config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl share zlib
Changed the config to:
config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl no-comp
and this was successful.
Now that my install is complete, I am seeing that the openssl version command is showing:
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
How do I correct my installation so that the Library version matches the Binary version?
NOTE:
- I updated /etc/ld.so.conf.d with a file named openssl-3.0.7.conf with /usr/local/ssl/lib for contents.
- I have also changed the system environment PATH var to include /usr/local/ssl/bin.
- I executed ldconfig -v and source /etc/environment after the updates (no joy) and finally rebooted (still no joy). Still seeing the mismatch in the openssl version output.
I tried the suggestion to re-link libssl.so.3, with no success.
See below environmental info and trailing openssl version output.
New OpenSSL (3.0.7) was installed to /usr/local/ssl per the config option on the build.
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

# find /usr/local -name 'libssl.so*'
/usr/local/qualys/cloud-agent/lib/libssl.so.1.1
/usr/local/qualys/cloud-agent/lib/libssl.so
/usr/local/ssl/lib64/libssl.so.3
/usr/local/ssl/lib64/libssl.so
/usr/local/lib64/libssl.so
/usr/local/lib64/libssl.so.3_3.0.2   <== renamed from libssl.so.3
/usr/local/src/openssl-3.0.7/libssl.so.3
/usr/local/src/openssl-3.0.7/libssl.so

# ls -l /usr/local/lib64/libssl.so*
lrwxrwxrwx 1 root root     32 Nov  2 17:07 /usr/local/lib64/libssl.so -> /usr/local/ssl/lib64/libssl.so.3
-rwxr-xr-x 1 root root 809464 Nov  1 15:55 /usr/local/lib64/libssl.so.3_3.0.2

# ls -l /usr/local/ssl/lib64/libssl.so*
lrwxrwxrwx 1 root root     11 Nov  1 21:23 /usr/local/ssl/lib64/libssl.so -> libssl.so.3
-rwxr-xr-x 1 root root 808704 Nov  1 21:23 /usr/local/ssl/lib64/libssl.so.3

# openssl version -a
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
built on: Thu Oct 27 17:06:56 2022 UTC
platform: debian-amd64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-WsPfAX/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfefa32035f8bffff:0x1c2ffb
What have I missed and how can I make sure processes using the library are using the correct version library?
3 Answers
Seems like your libraries are not updated. Besides updating OpenSSL, you would also need to update the corresponding libraries (libssl in this case). Best would be to:
apt update
apt upgrade
And manually updating OpenSSL may corrupt some of its usage: the libraries will not fit the others on the system, so the best way to do that is by the two commands above. Your system may not be ready to support a newer version of OpenSSL than the one in the repo.
The other way around is to manually update all libraries along with it. So if you first update OpenSSL manually, then update libssl manually and go further into other libraries, manually too. However, you may end up needing to upgrade the whole system to a newer edition, which is obviously not advised.
- Look at the list of installed files: the updated library was installed, the problem is that it’s not found at runtime. – Stephen Kitt, Nov 13, 2022 at 7:14
- @StephenKitt and that's the reason manual installation does not work. If you go with these two commands it should install the most recent version that this OS accepts. – pbies, Nov 13, 2022 at 8:11
- Of course, but the OP explicitly doesn’t want that: "I know a patch was available for 3.0.2, but, easier to answer to management this way vs. having to explain over and over again why the version still shows 3.0.2. So no need to comment on that." – Stephen Kitt, Nov 13, 2022 at 9:00
- @StephenKitt I've given the best resolution in that particular case. If you know a better answer please feel free to share it. – pbies, Nov 13, 2022 at 9:49
- Thanks for your responses. The apt update/upgrade was done first and, unfortunately, management did not like the result. @StephenKitt was correct. I find it hard to believe that there is no way to fix this. I provided all the displays above to show the resultant environment and hopefully shortcut this for anyone able to help with this. What library is missing or not updated causing the discrepancy in the version display? This is purely to resolve a hot and recently published vulnerability. – Seeking Guidance, Nov 16, 2022 at 2:17
It appears that your OpenSSL binary was correctly upgraded to version 3.0.7, but the library is still pointing to the old version 3.0.2. To fix this, you need to update the library path to point to the new version.
First, check where your OpenSSL library is located. Based on your find command output, it seems to be in /usr/local/ssl/lib64/libssl.so.3.
Next, you need to update the library path for the system to look for the new version. You have already added /usr/local/ssl/lib to /etc/ld.so.conf.d/openssl-3.0.7.conf, but you need to also run the ldconfig command to update the library cache with the new path:
sudo ldconfig
This should update the library cache to include the new OpenSSL library path.
Finally, check if the library version has been updated by running:
ldd $(which openssl)
This should show the library path used by openssl. If it still shows the old version, try running ldd with the path to the openssl binary in /usr/local/ssl/bin.
If the library path has been updated, running openssl version should now show the correct version for both the binary and the library.
openssl version -a
I hope this helps!
- The question says they've already done this – Chris Davies, Feb 26, 2023 at 6:56
- This risks breaking anything in the OS that relies on OpenSSL. You're not a Linux distro builder nor maintainer, you're not testing any of the components of the OS that rely on OpenSSL when you do this. And you're not prepared to spend the time and effort to keep your now-custom Linux install up-to-date for the next CVE that comes out. – Andrew Henle, Mar 29, 2024 at 14:05
The prefix=/usr/local/ssl is not the default OpenSSL installation prefix on Ubuntu 22. You now have a new version on /usr/local/ssl and a default one. You may try to build with the following options:
export CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms no-capieng
./Configure shared $(CONFARGS) linux-x86_64 && perl configdata.pm -d
make -j4
make install
Maybe create a .deb package and test it before installing.
- In what environment can you say export with whitespace before and after the =, and assign a multi-word string to a variable without quotes? – G-Man Says 'Reinstate Monica', Jan 18, 2023 at 18:38
- @G-ManSays'ReinstateMonica' looks like a line from the Makefile – Chris Davies, Feb 26, 2023 at 6:56
apt upgrade. Manually updating components yourself results in you becoming a Linux distro builder and maintainer. You're not qualified, are you? Did you test everything that depends on OpenSSL to make sure your manual update didn't break anything? Are you going to spend the time watching CVEs for the next time?