0. OpenSSL 1.1.1 EOL
1.RHEL8.xで調査
- aws/ec2/ap-northeast-1
- ami-id ami-0f903fb156f24adbf
- Red Hat Enterprise Linux release 8.6
- OpenSSL 1.1.1k
- 使っていそうなものを入れて確認
dnf install httpd mod_ssl
実行後モジュールの状況確認
[root@ip-10-0-0-6 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# rpm -qa | grep httpd
redhat-logos-httpd-84.5-1.el8.noarch
httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.x86_64
httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.x86_64
httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# rpm -qa mod_ssl
mod_ssl-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.x86_64
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/a7/b24b48947eed1865b2091545f9a3e001b41f1d
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl
[root@ip-10-0-0-6 ~]#
mod_ssl
- mod_sslはopenssl-libsの /lib64/libssl.so.1.1 と /lib64/libcrypto.so.1.1 を参照
- openssl1.1.1に依存してしまうので、mod_sslを使う場合はopenssl3.x.xを持ってきてmod_ssl(httpd)をビルドする必要がありそう（ただしRHEL8のopenssl-libsはRed Hatが修正をバックポートして保守しているはずなので、上流のEOL＝即座に脆弱性未修正とは限らない。RHEL8自体のサポート期限と合わせて要確認）
- そもそもSSLの終端持っているWebサーバはAWS上では少なそう(ALB->https->EC2みたいな内部も全部暗号化通信にしようとか、そういう場合じゃない限り)
[root@ip-10-0-0-6 ~]# ldd /usr/lib64/httpd/modules/mod_ssl.so
linux-vdso.so.1 (0x00007ffdb4733000)
* libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fd1182cc000)
* libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fd117de3000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd117bc3000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fd1179bf000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd1175fa000)
libz.so.1 => /lib64/libz.so.1 (0x00007fd1173e2000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd1187a1000)
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# rpm -qf /lib64/libssl.so.1.1
openssl-libs-1.1.1k-6.el8_5.x86_64
[root@ip-10-0-0-6 ~]#
[root@ip-10-0-0-6 ~]# rpm -qf /lib64/libcrypto.so.1.1
openssl-libs-1.1.1k-6.el8_5.x86_64
[root@ip-10-0-0-6 ~]#
openssh-server
- 同じようにopenssh-serverも openssl-libs-1.1.1k-6.el8_5.x86_64 の /lib64/libcrypto.so.1.1 を参照
- libcryptoって? → OpenSSLの暗号プリミティブ側のライブラリ（libsslはその上に乗るTLS実装）。下のldd結果にlibsslが出てこずlibcryptoだけなのはそのため
- 他にも暗号化アルゴリズムの参照用と思われるパッケージあり(libgcrypt-1.8.5-6.el8.x86_64 とか libxcrypt-4.1.1-6.el8.x86_64 とか)これ、opensslとどっちも要る?寄せない?
  → 別物なので寄せられない: libxcryptはcrypt(3)のパスワードハッシュ用（下のlibcrypt.so.1の実体）、libgcryptはGnuPG系の暗号ライブラリで、ここではおそらくlibsystemd経由で引かれている
[root@ip-10-0-0-6 ~]# ldd /usr/sbin/sshd
linux-vdso.so.1 (0x00007ffdf8993000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f14b60fc000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007f14b5eec000)
libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f14b5ba2000)
* libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f14b56b9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f14b54b5000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007f14b52b1000)
libz.so.1 => /lib64/libz.so.1 (0x00007f14b5099000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f14b4e70000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f14b4c59000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f14b4a2f000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f14b47da000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f14b44f0000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f14b42d9000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f14b40d5000)
libc.so.6 => /lib64/libc.so.6 (0x00007f14b3d10000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f14b3b0a000)
librt.so.1 => /lib64/librt.so.1 (0x00007f14b3902000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f14b36db000)
liblz4.so.1 => /lib64/liblz4.so.1 (0x00007f14b34be000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007f14b32b6000)
libmount.so.1 => /lib64/libmount.so.1 (0x00007f14b305c000)
libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007f14b2d3e000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f14b2b26000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f14b2906000)
/lib64/ld-linux-x86-64.so.2 (0x00007f14b6606000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f14b2682000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f14b2471000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f14b226d000)
libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f14b201a000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f14b1e12000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f14b1bf1000)
[root@ip-10-0-0-6 ~]#
openssl 3のビルド
- openssl3をソースからビルド
- openssl-3.0.7-16.el9_2.src.rpmのSPECファイル(openssl.spec)でConfigureのオプション確認
- 変数の補完地味に難儀
- 省略しよう
# Excerpt of the Configure call from openssl.spec in openssl-3.0.7-16.el9_2.src.rpm
# (presumably its %build section). %{...} are unexpanded rpm macros, and
# ${sslflags} / ${sslarch} / $RPM_OPT_FLAGS are presumably set earlier in the spec
# or by rpmbuild, so this is a reference for which options Red Hat enables,
# not a runnable command.
# Worth noting: enable-fips builds the FIPS provider and --system-ciphers-file
# wires the build into crypto-policies; a plain "./Configure --prefix=..." gets neither.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
-Wl,--allow-multiple-definition
- この辺りを参考にさせていただく
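#!/usr/bin/env bash
# Build OpenSSL 3.0.9 from source into its own prefix (/usr/local/ssl) so it
# coexists with the distro's openssl-libs 1.1.1 rather than replacing it.
# NOTE: anything built this way is outside dnf's update stream — from here on
# you are responsible for tracking OpenSSL advisories and rebuilding yourself.
set -euo pipefail

readonly openssl_ver=3.0.9
readonly tarball="openssl-${openssl_ver}.tar.gz"
readonly src_dir=/usr/local/src
readonly prefix=/usr/local/ssl
# Expected SHA256 of the tarball, taken from the matching .sha256 file on
# openssl.org. Deliberately left empty: the ':?' check below refuses to run
# until it has been filled in, so an unverified download is never built.
expected_sha256=''

die() { printf '%s\n' "$*" >&2; exit 1; }

: "${expected_sha256:?set the expected SHA256 of ${tarball} before running}"

dnf -y install zlib-devel perl-core gcc
cd "$src_dir" || die "cannot cd to $src_dir"

# -f: fail on an HTTP error instead of saving the error page as the tarball;
# --proto/--proto-redir '=https': never drop to plain http, even via redirect.
curl -fsSL --proto '=https' --proto-redir '=https' \
  -o "$tarball" "https://www.openssl.org/source/${tarball}"
# Verify what was downloaded before unpacking or building any of it.
printf '%s  %s\n' "$expected_sha256" "$tarball" | sha256sum -c - \
  || die "checksum mismatch for $tarball"

tar -xzf "$tarball"
cd "openssl-${openssl_ver}" || die "cannot cd into unpacked source"

# Minimal configuration, as in the original notes; compare with the Red Hat
# spec's Configure line if the FIPS provider, system ciphers file etc. are needed.
./Configure --prefix="$prefix"
make
make install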
・この辺り1.1とかの別名でリンクしてライブラリに追加したらなんとかなったらいいなと思うけど無理（sonameが1.1→3に変わっているのはABI非互換のためで、別名で読ませても未定義シンボルやクラッシュになる）
・影響出そうなコンポーネントは個別でopenssl3でビルドして、openssl1.1.1は共存しか無し?（そもそも参照元絞り切れる自信なし。rpm管理下のものは rpm -q --whatrequires 'libssl.so.1.1()(64bit)' 'libcrypto.so.1.1()(64bit)' で、rpm外のバイナリはlddで地道に洗う、くらいが現実的）
[root@ip-10-0-0-6 lib64]# pwd
/usr/local/ssl/lib64
[root@ip-10-0-0-6 lib64]# ll
total 16400
drwxr-xr-x. 2 root root 78 Jul 2 07:47 engines-3
-rw-r--r--. 1 root root 9444904 Jul 2 07:47 libcrypto.a
lrwxrwxrwx. 1 root root 14 Jul 2 07:47 libcrypto.so -> libcrypto.so.3
-rwxr-xr-x. 1 root root 5288896 Jul 2 07:47 libcrypto.so.3
-rw-r--r--. 1 root root 1255612 Jul 2 07:47 libssl.a
lrwxrwxrwx. 1 root root 11 Jul 2 07:47 libssl.so -> libssl.so.3
-rwxr-xr-x. 1 root root 795960 Jul 2 07:47 libssl.so.3
drwxr-xr-x. 2 root root 23 Jul 2 07:47 ossl-modules
drwxr-xr-x. 2 root root 61 Jul 2 07:47 pkgconfig
[root@ip-10-0-0-6 lib64]#
2.RHEL9
- OpenSSL 3.0.7
[root@ip-10-0-0-33 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.2 (Plow)
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
[root@ip-10-0-0-33 ~]# httpd -v
Server version: Apache/2.4.53 (Red Hat Enterprise Linux)
Server built: Apr 28 2023 00:00:00
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# rpm -qa | grep mod_ssl
mod_ssl-2.4.53-11.el9_2.5.x86_64
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/e7/70ca8734c6df24e54e938359c9a590387a828f
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# ldd /usr/lib64/httpd/modules/mod_ssl.so
linux-vdso.so.1 (0x00007ffc9612a000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f104a74f000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f104a200000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1049e00000)
libz.so.1 => /lib64/libz.so.1 (0x00007f104a735000)
/lib64/ld-linux-x86-64.so.2 (0x00007f104a83c000)
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# rpm -qf /lib64/libssl.so.3
openssl-libs-3.0.7-6.el9_2.x86_64
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# rpm -qf /lib64/libcrypto.so.3
openssl-libs-3.0.7-6.el9_2.x86_64
[root@ip-10-0-0-33 ~]#
[root@ip-10-0-0-33 ~]# strings /usr/lib64/httpd/modules/mod_ssl.so | grep OpenSSL
OpenSSL_version
OpenSSL_version_num
OpenSSL 3.0.7 1 Nov 2022
OpenSSL
SSLOpenSSLConfCmd
OpenSSL configuration command
': This version of OpenSSL does not support the Entropy Gathering Daemon (EGD).
This version of OpenSSL does not have any compression methods available, cannot enable SSLCompression.
SSLv3 not supported by this version of OpenSSL
'%s': invalid OpenSSL configuration command
AH02407: "SSLOpenSSLConfCmd %s %s" failed for %s
AH02556: "SSLOpenSSLConfCmd %s %s" applied to %s
AH01913: Unable to initialize TLS session ticket key callback (incompatible OpenSSL version?)
Using OpenSSL/system default SSL/TLS protocols
AH02904: Allowing SSLProtocol %s even though it is disabled by OpenSSL by default on this system
AH01894: Unable to initialize TLS servername extension callback (incompatible OpenSSL version?)
OpenSSL 3.0.7 1 Nov 2022
[root@ip-10-0-0-33 ~]#