View Full Version : openssl-0.9.8a
hackerpitbull
10-21-2005, 05:37 AM
Oct 11 12:37:49 2005 openssl-0.9.8a.tar.gz (MD5) (SHA1) (PGP sign) [LATEST]
For Red Hat (CentOS, RH, RHE, Fedora)
cd /usr/src
wget http://www.openssl.org/source/openssl-0.9.8a.tar.gz
tar xvzf openssl-0.9.8a.tar.gz
cd openssl-0.9.8a/
rm -rf /usr/lib/libssl.so.0
rm -rf /usr/lib/libssl.so
rm -rf /lib/libssl.so.2
rm -rf /usr/lib/libcrypto.so.0
./config --prefix=/usr no-threads shared
make
make test
make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
rm -f /lib/libssl.so.4
rm -f /usr/lib/libcrypto.so.0
ln -s /usr/lib/libssl.so.0.9.8 /lib/libssl.so.4
ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.0
cd /usr/local/directadmin/customapache
rm -f configure.*
./build clean
./build update
./build all
Chrysalis
10-21-2005, 10:24 PM
0.9.7i is released as well for those sticking with the 0.9.7x branch.
hackerpitbull have you been using 0.9.8 without problems on all your apps apache etc.?
hackerpitbull
10-22-2005, 03:03 AM
Originally posted by Chrysalis
0.9.7i is released as well for those sticking with the 0.9.7x branch.
hackerpitbull have you been using 0.9.8 without problems on all your apps apache etc.?
I've been using OpenSSL 0.9.8 for 2 or 3 months,
the only problem I had was installing 0.9.8 (because mod_ssl 2.8.22 didn't support 0.9.8) :)
getUP
10-22-2005, 07:29 AM
You need to redo Exim as well:
wget http://files.directadmin.com/services/da_exim-4.54-1.src.rpm
rpm -ivh da_exim-4.54-1.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb exim.spec
cd /usr/src/redhat/RPMS/i386
rpm -Uvh --force --nodeps da_exim-4.54-1.i386.rpm
Chrysalis
10-23-2005, 07:50 AM
Originally posted by hackerpitbull
I've been using OpenSSL 0.9.8 for 2 or 3 months,
the only problem I had was installing 0.9.8 (because mod_ssl 2.8.22 didn't support 0.9.8) :)
the new mod_ssl has no problem then?
hackerpitbull
10-23-2005, 08:39 AM
Originally posted by Chrysalis
the new mod_ssl has no problem then?
"06-Jul-2005: Released 2.8.23-1.3.33: For OpenSSL 0.9.8!"
If u have apache 1.3.33 use mod ssl 2.8.24-1.3.33.
If u have apache 1.3.34 use mod ssl 2.8.25-1.3.34.
only mod_ssl 2.8.22 (and below) wouldn't support openssl 0.9.8.
I use apache 1.3.34 mod ssl 2.8.25 openssl 0.9.8a.
Would someone be kind enough to add a FreeBSD guide to this thread also plz
Chrysalis
10-25-2005, 08:30 PM
FreeBSD hasn't implemented openssl 0.9.8 in the OS yet, so you need to install the port.
Substitute nano with your favourite editor.
nano /etc/make.conf
Add the following lines:
WITH_OPENSSL_PORT=yes
WITH_OPENSSL_BETA=yes
cd /usr/ports/security/openssl
make install clean
Reinstall all ports that depend on openssl.
Reinstall standalone apps, including customapache, that depend on ssl, making sure they use the one in /usr/local, not the base version.
If you haven't got the /usr/ports dir, you need to install the ports repository, which is beyond the scope of this guide.
dan35
10-28-2005, 02:21 AM
reinstall all ports that depend on openssl
How can we know which port depends on it? Or just reinstall all?
frecky
10-29-2005, 12:12 AM
is this same install for debian as well?
Chrysalis
10-29-2005, 07:06 AM
Using portupgrade with the following switch:
-r --recursive Act on all those packages depending on the given packages as well.
Add -f as well, since it's not an upgrade but a reinstall.
And in customapache, mod_ssl, php and curl will need doing.
dan35
11-02-2005, 12:51 AM
Just did "portupgrade -rf openssl-beta" to reinstall other ports which depend on openssl. Hopefully, I did it correctly!
Then reinstalled mod_ssl, curl, php via DA.
Thank you, Chrysalis!
Chrysalis
11-02-2005, 11:08 AM
no problem :)
Avenueduweb
11-16-2005, 08:34 PM
Hello,
Since the upgrade to version 0.9.8a I've got a problem: https doesn't run, and in my httpd's error_log I've got this:
[Thu Nov 17 05:28:09 2005] [error] mod_ssl: SSL handshake failed (server localhost:443, client 1.2.3.4) (OpenSSL library error follows)
[Thu Nov 17 05:28:09 2005] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
What is the problem? I think the problem is that I have got two versions of openssl (0.9.7 and 0.9.8), but I don't know how to delete one version. Please help me. Thanks. Bye.
hackerpitbull
11-17-2005, 05:11 AM
Originally posted by Avenueduweb
Hello,
Since the upgrade to version 0.9.8a I've got a problem: https doesn't run, and in my httpd's error_log I've got this:
[Thu Nov 17 05:28:09 2005] [error] mod_ssl: SSL handshake failed (server localhost:443, client 1.2.3.4) (OpenSSL library error follows)
[Thu Nov 17 05:28:09 2005] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
What is the problem? I think the problem is that I have got two versions of openssl (0.9.7 and 0.9.8), but I don't know how to delete one version. Please help me. Thanks. Bye.
maybe u didn't update mod_ssl..
cd /usr/local/directadmin/customapache
rm -f configure.*
./build clean
./build update
./build all
Avenueduweb
11-17-2005, 05:25 AM
Originally posted by hackerpitbull
maybe u didn't update mod_ssl..
cd /usr/local/directadmin/customapache
rm -f configure.*
./build clean
./build update
./build all
Thanks,
But I have updated with ./build all and it doesn't run, so I tested with ./build apache_mod_ssl and it doesn't run either. I don't know what the problem is. In my phpinfo I have the two versions of openssl, but "openssl version" tells me the installed version is "0.9.8a". Bye.
hackerpitbull
11-17-2005, 05:47 AM
Originally posted by Avenueduweb
Thanks,
But I have updated with ./build all and it doesn't run, so I tested with ./build apache_mod_ssl and it doesn't run either. I don't know what the problem is. In my phpinfo I have the two versions of openssl, but "openssl version" tells me the installed version is "0.9.8a". Bye.
u need to update mod_ssl (the version, not to recompile it)..
Run "./build clean && ./build update && ./build all"
u see 0.9.7a in phpinfo bcz u didn't recompile php after u updated openssl.
Chrysalis
11-17-2005, 02:37 PM
To be honest, it's not necessarily a good idea to rush to using 0.9.8; 0.9.7 is still being developed.
Avenueduweb
11-17-2005, 04:26 PM
I've re-installed openssl in version 0.9.7i, re-installed openssh, rebuilt everything, and now it runs with version 0.9.7i. Thank you very much. Bye.
Hello,
I've compiled it but apache crashes too, i've decided to install 0.9.7i and its up and stable but:
[root@xk ~]# openssl
OpenSSL> version
OpenSSL 0.9.7i 14 Oct 2005
and
Apache/2.0.55 (Unix) mod_perl/1.99_17-dev Perl/v5.8.5 mod_ssl/2.0.55 OpenSSL/0.9.7a PHP/4.4.0 Server at xk Port 80
I've recompiled modssl and apache, so why does it still appear as 0.9.7a?
Kind Regards,
hackerpitbull
11-19-2005, 07:18 AM
Originally posted by sspt
Hello,
I've compiled it but apache crashes too, i've decided to install 0.9.7i and its up and stable but:
[root@xk ~]# openssl
OpenSSL> version
OpenSSL 0.9.7i 14 Oct 2005
and
Apache/2.0.55 (Unix) mod_perl/1.99_17-dev Perl/v5.8.5 mod_ssl/2.0.55 OpenSSL/0.9.7a PHP/4.4.0 Server at xk Port 80
I've recompiled modssl and apache, so why does it still appear as 0.9.7a?
Kind Regards,
update openssl again..
go to /usr/local/directadmin/customapache/
edit "build", change modssl version to 2.8.25,
wget http://www.modssl.org/source/mod_ssl-2.8.25-1.3.34.tar.gz
run "./build apache_mod_ssl"
after that build php again.
I found the problem,
/lib/libssl.so is /lib64/libssl.so in my case (64bit OS)
Now i have another problem:
make[2]: Entering directory `/usr/local/directadmin/customapache/curl-7.15.0/lib'
/bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -L/usr/kerberos/lib -L/usr/kerberos/lib64 -o libcurl.la -rpath /usr/local/lib -version-info 3:0:0 file.lo timeval.lo base64.lo hostip.lo progress.lo formdata.lo cookie.lo http.lo sendf.lo ftp.lo url.lo dict.lo if2ip.lo speedcheck.lo ldap.lo ssluse.lo version.lo getenv.lo escape.lo mprintf.lo telnet.lo netrc.lo getinfo.lo transfer.lo strequal.lo easy.lo security.lo krb4.lo memdebug.lo http_chunks.lo strtok.lo connect.lo llist.lo hash.lo multi.lo content_encoding.lo share.lo http_digest.lo md5.lo http_negotiate.lo http_ntlm.lo inet_pton.lo strtoofft.lo strerror.lo hostares.lo hostasyn.lo hostip4.lo hostip6.lo hostsyn.lo hostthre.lo inet_ntop.lo parsedate.lo select.lo gtls.lo sslgen.lo tftp.lo -lidn -lssl -lcrypto -ldl -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -lz
gcc -shared .libs/file.o .libs/timeval.o .libs/base64.o .libs/hostip.o .libs/progress.o .libs/formdata.o .libs/cookie.o .libs/http.o .libs/sendf.o .libs/ftp.o .libs/url.o .libs/dict.o .libs/if2ip.o .libs/speedcheck.o .libs/ldap.o .libs/ssluse.o .libs/version.o .libs/getenv.o .libs/escape.o .libs/mprintf.o .libs/telnet.o .libs/netrc.o .libs/getinfo.o .libs/transfer.o .libs/strequal.o .libs/easy.o .libs/security.o .libs/krb4.o .libs/memdebug.o .libs/http_chunks.o .libs/strtok.o .libs/connect.o .libs/llist.o .libs/hash.o .libs/multi.o .libs/content_encoding.o .libs/share.o .libs/http_digest.o .libs/md5.o .libs/http_negotiate.o .libs/http_ntlm.o .libs/inet_pton.o .libs/strtoofft.o .libs/strerror.o .libs/hostares.o .libs/hostasyn.o .libs/hostip4.o .libs/hostip6.o .libs/hostsyn.o .libs/hostthre.o .libs/inet_ntop.o .libs/parsedate.o .libs/select.o .libs/gtls.o .libs/sslgen.o .libs/tftp.o -L/usr/kerberos/lib -L/usr/kerberos/lib64 -lidn -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -Wl,-soname -Wl,libcurl.so.3 -o .libs/libcurl.so.3.0.0
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/3.4.4/../../../../lib64/libcrypto.a(x86_64cpuid.o): relocation R_X86_64_PC32 against `OPENSSL_cpuid_setup' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
make[2]: *** [libcurl.la] Error 1
make[2]: Leaving directory `/usr/local/directadmin/customapache/curl-7.15.0/lib'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/directadmin/customapache/curl-7.15.0/lib'
make: *** [all-recursive] Error 1
Using mod_ssl-2.8.25-1.3.34 and already compiled openssl with -fPIC
...
Installed 0.9.7i and its working now
dan35
11-19-2005, 03:57 PM
nevermind
dan35
11-19-2005, 03:59 PM
Nevermind.
Chrysalis
11-20-2005, 08:51 AM
can use either.
followed the instructions and get lots of errors in log
[26/Dec/2005 22:51:52 01347] [error] SSL handshake failed (server localhost:443, client xx.xxx.xx.xxx) (OpenSSL library error follows)
[26/Dec/2005 22:51:52 01347] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
this happens randomly. sometimes it happens when i login to squirrelmail or click on navigation link within squirrelmail and/or logout from squirrelmail. it happens to cerberus too.
any idea?
backusnetcom
01-10-2006, 01:48 PM
After Upgrading SSL to 0.9.8a got Exim Errors while mailing to SSL enabled servers.
had to downgrade to 0.9.7i.
Error i found in exim log:
2006-01-10 23:01:14 1EwRYI-0007q0-6y == tbackus@*******.nl R=lookuphost T=remote_smtp defer (-1): smtp transport process returned non-zero status 0x000b: terminated by signal 11
I have same problems. How to downgrade to 0.9.7i?
rldev
04-12-2006, 09:37 PM
I have the same problem. Anyone else?
I had to roll back exim to 4.60.
DirectAdmin Support
04-13-2006, 09:54 AM
Hello,
I had done a quick google on this error and it looks like it might be a new exim bug with regards to ssl/tls.
The workaround is to edit your exim.conf, and change:
remote_smtp:
driver = smtp
to
remote_smtp:
driver = smtp
hosts_avoid_tls=*
save, exit, then restart exim.
John
nobaloney
04-14-2006, 10:43 AM
John,
Did you notify Dr Hazel of the bug? He's very proactive on fixing bugs; often he issues new releases the same day.
Jeff
DirectAdmin Support
04-14-2006, 11:49 AM
I had found the fix on the exim mailing list (can't recall the thread)
John
nobaloney
04-15-2006, 08:57 AM
Dr Hazel is an active reader of, and contributor to, the list.
The fix will certainly be in the next release.
Should I change the masters? Are you changing the masters?
Or should we wait to see if the bugfix resolves the problem without a change to exim.conf ???
What do you feel we should do?
Thanks.
Jeff
DirectAdmin Support
04-15-2006, 01:01 PM
I'm going to hold off to see if the next release fixes it.
I've added a knowledgebase entry regarding the issue for now.
John
nobaloney
04-16-2006, 08:23 PM
Please let me know if you decide to change the masters.
Thanks.
Jeff
xemaps
05-05-2006, 01:07 AM
openssl-0.9.8b is out
http://www.openssl.org/source/
rocketcity
07-27-2006, 09:00 AM
I was trying to upgrade to openssl-0.9.8a just a bit ago. When running this command:
ldconfig -v
I got this error:
bash: ldconfig: command not found
What do I need to do to install / setup ldconfig? OS is CentOS 4.3
Never mind, I figured it out. I had to su in a su - instead of just su
bigboy
07-31-2006, 07:44 AM
need upgrade for freeBSD5.4
floris
08-15-2006, 12:34 AM
Upgrading openssl on FreeBSD 6.1 seems to work like so:
vi /usr/local/etc/pkgtools.conf
MAKE_ARGS = {
'security/openssl' => '-DOPENSSL_OVERWRITE_BASE'
}
portinstall openssl
Then recompile apache and php.
However, this doesn't fix the remote smtp error. It doesn't break exim either when the problem wasn't there to begin with.
I suspect this is because at least on freebsd exim ships in binary form and there's no clear way to recompile exim so that it makes use of the new openssl.
Any ideas?
DirectAdmin Support
08-15-2006, 01:21 PM
You can compile exim by downloading the source from exim.org and following their instructions, but use our http://www.directadmin.com/Makefile for the file you need to copy to ./Local/Makefile. Then use the usual make, make install.
John
floris
08-15-2006, 01:40 PM
Thanks. This looks promising. I went ahead like so:
fetch ftp://ftp.eu.uu.net/pub/unix/mail/exim/exim/exim4/exim-4.63.tar.gz
tar xvzf exim-4.63.tar.gz
cd exim-4.63/Local
fetch http://www.directadmin.com/Makefile
cd ..
make
After a while an error pops up:
awk '{ print ($1+1) }' cnumber.h > cnumber.temp
rm -f cnumber.h; mv cnumber.temp cnumber.h
gcc version.c
rm -f exim
gcc -o exim
/usr/bin/ld: cannot find -lperl
*** Error code 1
Stop in /root/exim-4.63/build-FreeBSD-i386.
*** Error code 1
Stop in /root/exim-4.63.
After some googling i found out that this may happen because libperl wasn't installed. So i did:
cd /usr/ports/devel/libpperl
make install clean
And tried again. However, the same error comes up.
I suspect that the Makefile expects libperl at a different location than the default one, but i'm not sure.
By the way, i also noticed that the paths to openssl in your Makefile are not correct (in my case). I used 'overwrite_base' to replace the base openssl with the one in ports.
floris
08-16-2006, 02:02 AM
A complete new os build doesn't solve the openssl problem either. I really could use some input here.
DirectAdmin Support
08-25-2006, 03:45 PM
I've found the issue to be with exim being compiled statically.
If you edit the ./Local/Makefile, remove the line:
EXTRALIBS=-static
Then make clean, make, make install.
If you have FreeBSD 6.0 or 6.1, try this newly compiled binary.
http://files.directadmin.com/services/freebsd6.0/da_exim-4.63-2.tgz
Let me know if it doesn't work. Note that it's not a static binary, it's dynamic, compiled against FreeBSD 6.0... so 6.1 may have issues (it may not, can't say for sure until someone tries it)
John
floris
08-25-2006, 11:54 PM
Manually compiling works! Had to make some additional adjustments to Local/Makefile:
vi ./Local/Makefile
#TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
#TLS_INCLUDE=-I/usr/local/openssl/include/ -I/usr/kerberos/include
After compilation you end up with a /usr/sbin/exim-4.63-1. You'll have to remove the old exim and rename exim-4.63-1 (or symlink if you want). Then restart exim:
/usr/local/etc/rc.d/exim restart
Big thumbs up for John.
Chrysalis
08-26-2006, 02:15 AM
Originally posted by DirectAdmin Support
I've found the issue to be with exim being compiled statically.
If you edit the ./Local/Makefile, remove the line:
EXTRALIBS=-static
Then make clean, make, make install.
If you have FreeBSD 6.0 or 6.1, try this newly compiled binary.
http://files.directadmin.com/services/freebsd6.0/da_exim-4.63-2.tgz
Let me know if it doesn't work. Note that it's not a static binary, it's dynamic, compiled against FreeBSD 6.0... so 6.1 may have issues (it may not, can't say for sure until someone tries it)
John
John I will test this later, although the original binary you did worked fine.
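Two problems recur in this thread: the openssl command reporting one version while Apache or PHP reports another, and a statically compiled exim that ignores the upgraded library. The script below is an added example, not part of any poster's message, that checks which libssl/libcrypto a binary actually resolves at run time; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Read `ldd` output on stdin. Print "soname path" for each libssl/libcrypto
# entry, or "static" if ldd reports the file is not dynamically linked.
ssl_libs_from_ldd() {
    awk '
        /not a dynamic|statically linked/ { print "static"; exit }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            print $1, ($3 == "not" ? "MISSING" : $3)
        }'
}

# Follow symlinks, so a compatibility link is reported as its real target.
real_target() {
    if [ -e "$1" ]; then readlink -f "$1"; else printf '%s\n' "$1"; fi
}

# check_ssl_version WANT: read ldd output on stdin, print a verdict per library.
# Returns 0 if every resolved file name contains WANT, 1 on a mismatch,
# 2 for a static binary (only a rebuild changes the OpenSSL inside it).
check_ssl_version() {
    want=$1 rc=0
    libs=$(ssl_libs_from_ldd)
    if [ "$libs" = "static" ]; then
        echo "STATIC binary: rebuild against the new OpenSSL"
        return 2
    fi
    if [ -z "$libs" ]; then
        echo "no libssl/libcrypto dependency listed"
        return 0
    fi
    while read -r soname path; do
        target=$(real_target "$path")
        case $target in
            *"$want"*) echo "OK $soname -> $target" ;;
            *) echo "MISMATCH $soname -> $target"; rc=1 ;;
        esac
    done <<EOF
$libs
EOF
    return $rc
}

# Constructed sample of `ldd /usr/sbin/httpd` output (hypothetical paths).
SAMPLE_LDD='    libssl.so.4 => /lib/libssl.so.4 (0x00b1c000)
    libcrypto.so.0 => /usr/lib/libcrypto.so.0.9.7a (0x00a2d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x0073a000)'
printf '%s\n' "$SAMPLE_LDD" | check_ssl_version 0.9.8 || true
```

On a live system, feed it real output, for example `ldd /usr/sbin/httpd 2>&1 | check_ssl_version 0.9.8`, and repeat for each binary or PHP module that links against OpenSSL.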