On Monday, 7 June 2021 20:26:28 CEST, Lothar Belle wrote:
> Hi,
>
> recently I compiled openssl-1.1.1k on CentOS-8 but when I am using libcrypto.so.1.1 I get errors like:
>
> libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
>
> Obviously RedHat added additional features into their own libraries, but using the same version/naming. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1829790
>
> I tried also to apply the patches, but they don't work with the latest source code
> https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES/openssl-1.1.1-evp-kdf.patch
>
> The suggested solution renaming the libraries didn't work either for me. But we want to use the latest version, including all security fixes, therefore I can't use the built-in version.

Please note that packages in RHEL, and thus, later, in CentOS, include security fixes:
https://access.redhat.com/security/updates/backporting
even if their package version is older than the newest upstream release.

But that's not the only reason why those packages have additional patches, they also have them to better integrate with the rest of the system:
https://access.redhat.com/articles/3655361
or integrate with features like system-wide crypto policies:
https://access.redhat.com/articles/3666211
or, as in the case of the openssl-1.1.1-evp-kdf.patch, to provide features from newer releases (like 3.0.0) in an older ABI release.

So I'd strongly suggest against replacing the .so files of any low-level library, in any distribution, not just RHEL or CentOS.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
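
As an added example (not part of the thread, and not Red Hat or OpenSSL tooling), the ABI gap behind the `undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b` error can be checked before a library is swapped: the script compares the versioned symbols a consumer imports with those a candidate libcrypto exports. The function names and the sample symbol tables are constructed for illustration; only `EVP_KDF_ctrl@OPENSSL_1_1_1b` comes from the message above.

```shell
#!/bin/sh
# Added example (not from the thread). Input files are assumed to hold the output of
#   nm -D --undefined-only <consumer.so>   and   nm -D --defined-only <libcrypto.so>
# (older binutils need --with-symbol-versions to print the @VERSION suffix).
export LC_ALL=C   # keep sort and comm on the same collation

# Normalise nm output on stdin to sorted "symbol@VERSION" lines.
# $1 = U selects imports (undefined); anything else selects exported definitions.
nm_symbols() {
    awk -v want="$1" 'NF >= 2 {
        type = $(NF - 1); name = $NF
        sub(/@@/, "@", name)              # "@@" marks the default version of a definition
        if (want == "U") { if (type == "U") print name }
        else if (type ~ /^[TDBRWVi]$/) print name
    }' | sort -u
}

# Print the OPENSSL_* versioned symbols that $1 (consumer) imports and $2 (provider) lacks.
missing_openssl_symbols() {
    imports=$(mktemp); exports=$(mktemp)
    nm_symbols U < "$1" | { grep '@OPENSSL_' || true; } > "$imports"
    nm_symbols T < "$2" > "$exports"
    comm -23 "$imports" "$exports"
    rm -f "$imports" "$exports"
}

# Constructed sample data: a consumer that imports the symbol from the error message,
# and a provider whose export list stands in for an unpatched upstream build.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/consumer.nm" <<'EOF'
                 U EVP_KDF_ctrl@OPENSSL_1_1_1b
                 U EVP_MD_CTX_new@OPENSSL_1_1_0
                 U memcpy@GLIBC_2.14
EOF
    cat > "$dir/provider.nm" <<'EOF'
00000000001a2b30 T EVP_MD_CTX_new@@OPENSSL_1_1_0
00000000001a2c40 T EVP_DigestInit_ex@@OPENSSL_1_1_0
EOF
    missing_openssl_symbols "$dir/consumer.nm" "$dir/provider.nm"
    rm -rf "$dir"
}

demo   # prints: EVP_KDF_ctrl@OPENSSL_1_1_1b
```

An empty result means every `OPENSSL_*` import of the consumer is satisfied by the candidate build; any line printed is a symbol the dynamic loader will fail to resolve.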