2

I am trying to update my web server to the latest OpenSSL with the Heartbleed patch (1.0.1g). I grabbed the tarball from openssl.org. Said the usual ./configure; make; make install. Had to say config shared to get it to make the .so file (by default it only generates the .a). Updated the link in /usr/lib64 to point to the new .so.

Now httpd fails to run with the following complaint:

/usr/sbin/httpd: symbol lookup error: /usr/lib64/libssl.so.1: undefined symbol: EVP_idea_cbc

nm -g | grep idea says: U EVP_idea_cbc

... so it knows about the symbol, but the symbol is undefined.

OpenSSL documentation says that they disable IDEA by default, because of a patent (which apparently expired in 2012). They go into great detail on how to disable it, but not on how to enable it. Furthermore, they say it's disabled by default.

Apache httpd demands the symbol, and will not start without it.

I have tried saying "config shared enable-idea" and the config script is happy, but the symbol is still undefined after the build. I piped the build output into a file, and the crypto/idea files ARE being compiled.

EVERY symbol starting in EVP_* is undefined... They are also undefined in libssl.a... So maybe I'm barking up the wrong IDEA tree?

So my question becomes - how do I enable these EVP_* symbols?

jww
  • Have you looked at [the FAQ](http://security.stackexchange.com/help/on-topic) for this site? Your question is off-topic here, it seems... – Deer Hunter Apr 11 '14 at 13:49
  • I would say it's on topic. It's about network security, webapp security and crypto. –  Apr 11 '14 at 14:04

1 Answer

5

I resolved it. The problem was simple. These symbols are indeed undefined in libssl.so (or .a). They are actually defined in libcrypto.so. I wasn't getting the new libcrypto.so because....

...The new openssl tarball installs its outputs by default in /usr/local/ssl. This is configurable, but it really wants to install ALL the ssl stuff (including the libs) in /something/something/ssl. So you have /something/something/ssl/lib, /something/something/ssl/bin etc.

So when I said make install, it created /usr/local/ssl with all the good stuff in it. I made a symbolic link in /usr/lib64 from openssl.so.1.0.0 -> /usr/local/etc/ssl/lib/openssl.so.1.0.0. But I did not realize that I needed to do the same for libcrypto.so, so that still had the old stuff.

So I was using the new libssl.so, and an old libcrypto.so. Bad mojo.

jww
  • You have to be careful of installing your version of OpenSSL over top of your distribution's version of OpenSSL. Usually, you create your own package that supersedes your distro's version of the package. Here's how you do it in Ubuntu: [Override Distro Package with Custom Package?](http://askubuntu.com/questions/395280/override-distro-package-with-custom-package). Sorry, but I don't know how to do it in Slackware. – jww Apr 12 '14 at 12:47
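
A check for the condition the answer describes (a new libssl.so paired with an old libcrypto.so), as an added example that is not part of the original answer. The function names and the temporary directory layout are constructed for illustration, and `nm -D --defined-only` assumes GNU binutils.

```shell
#!/bin/sh
# Added example: detect a new libssl paired with an old libcrypto.

# Directory a library path really lives in, after following symlinks.
real_dir() {
    target=$(readlink -f "$1") && [ -e "$target" ] || return 1
    dirname "$target"
}

# check_pair LIBDIR SOVERSION
# 0 = libssl and libcrypto resolve to the same directory,
# 1 = they come from different directories, 2 = one of them is missing.
check_pair() {
    ssl_dir=$(real_dir "$1/libssl.so.$2") || { echo "missing: $1/libssl.so.$2"; return 2; }
    crypto_dir=$(real_dir "$1/libcrypto.so.$2") || { echo "missing: $1/libcrypto.so.$2"; return 2; }
    if [ "$ssl_dir" != "$crypto_dir" ]; then
        echo "MISMATCH: libssl from $ssl_dir, libcrypto from $crypto_dir"
        return 1
    fi
    echo "OK: both from $ssl_dir"
}

# defines_symbol LIBRARY SYMBOL: true if LIBRARY defines SYMBOL, as opposed
# to merely referencing it (the "U" seen in the question's nm output).
defines_symbol() {
    nm -D --defined-only "$1" 2>/dev/null |
        awk -v s="$2" '{ n = $NF; sub(/@.*/, "", n); if (n == s) f = 1 } END { exit !f }'
}

# Constructed layout reproducing the situation in the answer: libssl is a
# symlink into the new prefix, libcrypto is still the old file.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/lib64" "$root/usr/local/ssl/lib"
    : > "$root/usr/local/ssl/lib/libssl.so.1.0.0"
    : > "$root/usr/local/ssl/lib/libcrypto.so.1.0.0"
    : > "$root/usr/lib64/libcrypto.so.1.0.0"
    ln -s "$root/usr/local/ssl/lib/libssl.so.1.0.0" "$root/usr/lib64/libssl.so.1.0.0"
    echo "$root"
}

demo=$(make_demo_tree)
check_pair "$demo/usr/lib64" 1.0.0 || true
rm -rf "$demo"
```

On a real host, `check_pair /usr/lib64 1.0.0` followed by `defines_symbol /usr/lib64/libcrypto.so.1.0.0 EVP_idea_cbc` confirms both that the pair comes from one build and that the library the loader will use actually exports the symbol.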