Upgrading 12SP5 with openssl1.1.1

Hi, I have the below requirement. I have 12SP5, which has the default Openssl1.0.2-fips. Now due to some CVS, we need to upgrade to Openssl1.1.1. In SUSE Manager I can see the version 1.1.1d, and in our config file we mentioned only openssl1.1.1d versions. But after we get the image, I see both rpms of 1.0.2 and 1.1.1d are available, and two packages, openssl and openssl-1_1, are available under the /usr/bin folder. To make it the 1.1.1d version I have renamed openssl1.1.1d as openssl, so that's taken care of now. But I see both openssl versions are available. I want to know, even if I forced it to pull only the 1.1.1d version, why is it pulling both versions? I am quite new here. Could someone give an idea as to what could be done to get only the 1.1.1d rpms?

Thanks,

Comments

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi and welcome to the Forum :)
    Can you show the output from zypper se -si ssl? AFAIK you should be able to remove the old version?

  • Thanks Lewis. But I am still not able to delete.

    zypper se -si ssl
    Download (curl) error for 'https://localhost/srsupdates/repodata/repomd.xml?ssl_verify=no':
    Error code: Connection failed
    Error message: Failed to connect to localhost port 443: Connection refused

    Abort, retry, ignore? [a/r/i/...? shows all options] (a): a
    Error building the cache:
    [srs_ve_x86_64-Updates|https://localhost/srsupdates/?ssl_verify=no] Valid metadata not found at specified URL
    Warning: Skipping repository 'srs_ve_x86_64-Updates' because of the above error.
    Some of the repositories have not been refreshed because of an error.
    Loading repository data...
    Reading installed packages...

    S | Name | Type | Version | Arch | Repository
    ---+------------------------+---------+---------------+--------+------------------
    i | libopenssl-1_0_0-devel | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | libopenssl-devel | package | 1.0.2p-1.13 | noarch | (System Packages)
    i | libopenssl1_0_0 | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i | libopenssl1_0_0-32bit | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | libopenssl1_1 | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)
    i+ | libopenssl1_1-32bit | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)
    i | libxmlsec1-openssl1 | package | 1.2.28-2.12.1 | x86_64 | (System Packages)
    i | openssl | package | 1.0.2p-1.13 | noarch | (System Packages)
    i | openssl-1_0_0 | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | openssl-1_1 | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)

  • Sorry, please ignore the older post. When I search the packages with the command you mentioned above, I see this:
    S | Name | Type | Version | Arch | Repository
    ---+------------------------+---------+---------------+--------+------------------
    i | libopenssl-1_0_0-devel | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | libopenssl-devel | package | 1.0.2p-1.13 | noarch | (System Packages)
    i | libopenssl1_0_0 | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i | libopenssl1_0_0-32bit | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | libopenssl1_1 | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)
    i+ | libopenssl1_1-32bit | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)
    i | libxmlsec1-openssl1 | package | 1.2.28-2.12.1 | x86_64 | (System Packages)
    i | openssl | package | 1.0.2p-1.13 | noarch | (System Packages)
    i | openssl-1_0_0 | package | 1.0.2p-3.30.1 | x86_64 | (System Packages)
    i+ | openssl-1_1 | package | 1.1.1d-2.27.1 | x86_64 | (System Packages)

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi, so if you try to remove the old libraries what happens?
    zypper rm libopenssl-1_0_0-devel libopenssl-devel libopenssl1_0_0 libopenssl1_0_0-32bit openssl openssl-1_0_0

  • @malcolmlewis If I am removing them manually, it's removing all the other rpms in my image. There are about 260 rpms that are dependent and are getting removed.
    zypper rm libopenssl-1_0_0-devel libopenssl-devel libopenssl1_0_0 libopenssl1_0_0-32bit openssl openssl-1_0_0
    Loading repository data...
    Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
    Reading installed packages...
    Resolving package dependencies...

    The following 262 packages are going to be REMOVED:

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi and ouch! I suspect since you have no online repositories enabled, the packages that would have rebuilt with the later version of openssl and installed at the same time are causing the issues.

  • edited January 13

    @malcolmlewis Not really, Lewis. Actually we have a config xml file that pulls the rpms from SUSE Manager during our image creation, and this will be done by our devops team. It does have a repo. But my precise question is as follows:
    I have specifically mentioned in my config file to pull rpms related to 1.1.1 only ...
    But this in turn is pulling 1.0.2 as well, and then after deployment of my image I see the default version as 1.0.2. As mentioned earlier, to make it 1.1.1 I need to rename the package of openssl-1_1 to default.
    I was going through forum posts and I see a similar issue, but that was also not fully solved.
    https://forums.suse.com/discussion/comment/61207#Comment_61207

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi, Ahh, ok, then you should be able to set a version string, or (I'm assuming an update repo?), then set the priority of the repo, or just get rid of the old version of the SuMA instance....

  • @malcolmlewis Not sure I understood what this means from the above chat (you should be able to set a version string). Can you please elaborate on this?

  • malcolmlewis Knowledge Partner
    edited January 22

    @Ramakrishna Hi, this is an autoyast config file? Normally you should be able to add a <version>x.x.x</version> with the package.

  • malcolmlewis I don't know about that, because some time back a SUSE engineer gave this xml file to us and we are working on top of it. Please check the attachment.

  • edited January 22

    Please check the attachment.

  • @malcolmlewis Please check the xml file that was shared with us by a SUSE engineer some time back, which we use for rpm generation. If you see this, under package type image and bootstrap we are giving openssl1-1_1 packages. So it's pulling them; now in addition to that it's pulling Openssl1_0_0 packages as well and making 1.0.0 the default openssl. I was trying to understand if by any chance we can get only the openssl1.1.1 version and not 1.0.2, so that Openssl1.1.1 would be the default in that case. That's a big challenge I am seeing; if you can help on it, that would be a real time saver for me.

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi add a remove packages section...

    <remove-packages config:type="list">
      <package>libopenssl1_0_0</package>
    </remove-packages>

    Or add in the delete section....

  • @malcolmlewis This is exactly the kind of stuff I was looking for. Where can I place this section? Is it under or is it an independent section that I can place at the end of the file? Secondly, what's the xml file called, is this an autoyast file?

  • @malcolmlewis Is it under packages type="image" ... under that, or at the end of the file as an independent section?

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi, at the very end of the xml file;

    </packages>
    <packages type="delete">
      <package name="libopenssl1_0_0"/>
    </packages>

    Or add after the section... Yes it's an 'autoyast' file.

  • @malcolmlewis No luck here as well. Looks like while the image was created, it pulled the openssl 1.0.0 version and then deleted that version. But somehow all our custom rpms are dependent on openssl1.0.0, due to which, after the delete instructions were run, the image got corrupted.

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi, then your custom rpms need to be rebuilt with the later version of openssl...

  • @malcolmlewis I have manually set openssl to the 1.1.1d version and my current version is:
    openssl version -a
    OpenSSL 1.1.1d 10 Sep 2019

    platform: linux-x86_64
    options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
    compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -std=gnu99 -Wa,--noexecstack -fno-common -Wall -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -D_FORTIFY_SOURCE=2 -DTERMIO -DPURIFY -D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS
    OPENSSLDIR: "/etc/ssl"
    ENGINESDIR: "/usr/lib64/engines-1.1"
    Seeding source: os-specific

    It still has 1.0.2 and 1.1.1d as well, and removing 1.0.2 is removing all dependencies. So we decided to keep it as it is. So I have one query here: how can you make sure that my machine is using only 1.1.1d and not 1.0.2? I mean, is there any way to test that?

  • malcolmlewis Knowledge Partner

    @Ramakrishna Hi, I would check the output from openssl version -a and pop into /usr and run fgrep -r "ENGINESDIR" *
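
One way to test the question asked above, as an added example that is not part of the original thread: `openssl version -a` reports only the command-line binary, so this sketch reads each process's `maps` file and lists the processes that still have the 1.0.x libraries (soname `.so.1.0.0`) loaded, including copies marked `(deleted)` after a package removal. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: which OpenSSL library generation does a process have mapped?
# Sonames: lib{ssl,crypto}.so.1.0.0 = OpenSSL 1.0.x, lib{ssl,crypto}.so.1.1 = 1.1.x

# classify_maps FILE -> prints 1.0, 1.1, both or none
classify_maps() {
    old=no; new=no
    # Match at end of line; a removed-but-still-loaded file ends in " (deleted)"
    if grep -Eq '/lib(ssl|crypto)\.so\.1\.0\.0( \(deleted\))?$' "$1" 2>/dev/null; then old=yes; fi
    if grep -Eq '/lib(ssl|crypto)\.so\.1\.1( \(deleted\))?$' "$1" 2>/dev/null; then new=yes; fi
    case "$old$new" in
        yesyes) echo both ;;
        yesno)  echo 1.0 ;;
        noyes)  echo 1.1 ;;
        *)      echo none ;;
    esac
}

# scan_procs [PROC_ROOT] -> "PID NAME VERDICT" for every process mapping 1.0.x
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable without root: skip
        verdict=$(classify_maps "$maps")
        case "$verdict" in
            1.0|both)
                pid=${maps%/maps}; pid=${pid##*/}
                name=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
                echo "$pid $name $verdict" ;;
        esac
    done
}

# Constructed sample tree standing in for /proc (not real process data)
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/102"
    echo legacy-app > "$d/101/comm"
    echo '7f00-7f01 r-xp 00000000 08:01 11 /lib64/libssl.so.1.0.0 (deleted)' > "$d/101/maps"
    echo new-app > "$d/102/comm"
    echo '7f00-7f01 r-xp 00000000 08:01 12 /usr/lib64/libcrypto.so.1.1' > "$d/102/maps"
    echo "$d"
}

# Demo on the constructed tree; on a real host run: scan_procs /proc (as root)
sample=$(make_sample); scan_procs "$sample"; rm -rf "$sample"
```

An empty result from `scan_procs /proc` run as root means no running process currently has the 1.0.x libraries loaded; it says nothing about installed binaries that are not running.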
