Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear Satyam,

Do I correctly understand that 
- you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers
- installed it
-run some command? Which one(s)? Initially, you were speaking about 'ciphers', but the stack trace is from the 'ca'.

On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Segmentation fault is not seen if i don't compile ./config with -enable-weak-ssl-ciphers.

Is it something I am missing or some more options needs to be provided to ./config ?

Thanks
Satyam

On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:
It has nothing to do with the ciphers command...

On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Dear Dmitry,

>>Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
Yes, they are same

gdb openssl core.50178

GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7

Copyright (C) 2013 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-redhat-linux-gnu".

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>...

Reading symbols from /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done.

[New LWP 50178]

[Thread debugging using libthread_db enabled]

Using host libthread_db library "/lib64/libthread_db.so.1".

Core was generated by `/usr/local/bin/openssl'.

Program terminated with signal 11, Segmentation fault.

#0  do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, policy=0xfffa320300000000, serial=0x7ffddd58f693, 

    subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 "HISTSIZE=1000", 

    enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", days=140728317048610, batch=-581372099, verbose=-581372056, req=0x7ffddd58f77b, 

    ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, default_op=-581370182, 

    ext_copy=-581370137, selfsign=-581370120, db=<optimized out>, db=<optimized out>) at apps/ca.c:1410

1410         row[i] = NULL;



Thanks

Satyam



On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:
Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you?
If yes, you should try running via gdb to get a backtrace.

On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Dear Dmitry,

As suggested i have build the openssl with -ggdb  ( ./config -ggdb -enable-weak-ssl-ciphers ) and after building i did make install as well.

The strace output is as below
==============================

strace ./openssl


execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0

brk(NULL)                               = 0x1b4f000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046813000

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0

mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000

close(3)                                = 0

open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0

mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3046354000

mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0

mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000

close(3)                                = 0

open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046809000

mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045e68000

mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0

mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000

mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000

close(3)                                = 0

open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0

mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045c64000

mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0

mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000

close(3)                                = 0

open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0

mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045a48000

mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0

mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000

mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000

close(3)                                = 0

open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0

mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f304567a000

mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0

mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000

mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000

close(3)                                = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046808000

mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046806000

arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0

mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0

mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0

mprotect(0x7f3045e66000, 4096, PROT_READ) = 0

mprotect(0x7f3046322000, 176128, PROT_READ) = 0

mprotect(0x7f30465e4000, 40960, PROT_READ) = 0

mprotect(0x692000, 4096, PROT_READ)     = 0

mprotect(0x7f3046814000, 4096, PROT_READ) = 0

munmap(0x7f304680a000, 35929)           = 0

set_tid_address(0x7f3046806a10)         = 47865

set_robust_list(0x7f3046806a20, 24)     = 0

rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0

rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0

rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0

getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0

--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---

+++ killed by SIGSEGV (core dumped) +++

Segmentation fault



Thanks

Satyam




On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:
Dear Satyam,

First of all, I'll suggest checking whether the libcrypto/libssl are those you've built. It can be done, e.g., via running strace.

I also suggest building openssl with -ggdb (./config -ggdb should do the trick).

On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Hi Dmitry,

>>If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl

I try setting the LD_LIBRARY_PATH but it is still crashing

      which openssl

      /usr/local/bin/openssl


      export LD_LIBRARY_PATH=/usr/local/lib64/


      ls -lhrt

      total 11M

      drwxr-xr-x. 2 root root   61 Oct 25 16:27 pkgconfig

      -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1

      -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1

      -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a

      -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a

       lrwxrwxrwx. 1 root root   16 Oct 26 12:58 libcrypto.so -> libcrypto.so.1.1

       lrwxrwxrwx. 1 root root   13 Oct 26 12:58 libssl.so -> libssl.so.1.1

       drwxr-xr-x. 2 root root   39 Oct 26 12:58 engines-1.1



       openssl ciphers -V

       Segmentation fault


gdb ./openssl core.3370 


GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7

Copyright (C) 2013 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-redhat-linux-gnu".

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>...

Reading symbols from /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols found)...done.

[New LWP 3370]

[Thread debugging using libthread_db enabled]

Using host libthread_db library "/lib64/libthread_db.so.1".

Core was generated by `openssl ciphers -V'.

Program terminated with signal 11, Segmentation fault.

#0  0x000000000041c53d in do_body.isra.3 ()

(gdb) bt

#0  0x000000000041c53d in do_body.isra.3 ()

(gdb) 




Thanks

Satyam




On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:
If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl

On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Hello,

Any Suggestions on how this can be done ?
why openssl binary is crashing if i am compiling it with -enable-weak-ssl-ciphers , also what is the location of the crash file.

Thanks
Satyam

On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra <satyam226@xxxxxxxxx> wrote:
Hello Everyone,

I have just joined the openssl users community. 
My requirement is to have the SSLv3 and weak ciphers enable  with openssl installation .
I have a query regarding enabling SSLv3 protocol and weak ciphers with openssl-1.1.1h installation

I have followed the below steps

1)  ./config -enable-weak-ssl-ciphers


2) The Makefile looks as below

===============================


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


##

## Makefile for OpenSSL

##

## WARNING: do not edit!

## Generated by Configure from Configurations/common0.tmpl, Configurations/unix-Makefile.tmpl, Configurations/common.tmpl


PLATFORM=linux-x86_64

OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan no-unit-test no-zlib no-zlib-dynamic

CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers")

SRCDIR=.

BLDDIR=.


VERSION=1.1.1h

MAJOR=1

MINOR=1.1

SHLIB_VERSION_NUMBER=1.1

SHLIB_VERSION_HISTORY=

SHLIB_MAJOR=1

SHLIB_MINOR=1

SHLIB_TARGET=linux-shared

SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER)

SHLIB_EXT_SIMPLE=.so

SHLIB_EXT_IMPORT=


LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a

SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)

SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";"

ENGINES=engines/afalg.so engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so

@                                                                   


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


if i do any openssl operations it gives error ( core dumped )


      ./openssl ciphers -V

       Segmentation fault (core dumped)


Can someone help me in resolving this issue ?


If i don't use option "-enable-weak-ssl-ciphers "  then the above issue is not seen but SSLv3 and weak ciphers do not get enable.


Thanks

Satyam



--
SY, Dmitry Belyavsky


--
SY, Dmitry Belyavsky


--
SY, Dmitry Belyavsky


--
SY, Dmitry Belyavsky


--
SY, Dmitry Belyavsky

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux