RHEL-105910

opencryptoki should require openssl >= 3.5.1


    • Bug
    • Resolution: Done-Errata
    • Critical
    • rhel-10.1
    • rhel-10.1
    • opencryptoki
    • None
    • opencryptoki-3.25.0-4.el10
    • No
    • Important
    • rhel-base-utils-antfarm
    • 23
    • 23
    • 1
    • QE ack, Dev ack
    • False
    • False
    • No
    • None
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      I was updating opencryptoki on RHEL-10.0 with its version from RHEL-10.1 but the service failed to start.

      /usr/sbin/pkcsslotd: symbol lookup error: /usr/sbin/pkcsslotd: undefined symbol: EVP_MD_CTX_get_size_ex, version OPENSSL_3.4.0

      Further investigation revealed that:

      1. rpm -q openssl openssl-libs
        openssl-3.2.2-16.el10.x86_64
        openssl-libs-3.2.2-16.el10.x86_64
      2. rpm -q --provides openssl-libs
        config(openssl-libs) = 1:3.2.2-16.el10
        libcrypto.so.3()(64bit)
        libcrypto.so.3(OPENSSL_3.0.0)(64bit)
        libcrypto.so.3(OPENSSL_3.0.1)(64bit)
        libcrypto.so.3(OPENSSL_3.0.3)(64bit)
        libcrypto.so.3(OPENSSL_3.0.8)(64bit)
        libcrypto.so.3(OPENSSL_3.0.9)(64bit)
        libcrypto.so.3(OPENSSL_3.1.0)(64bit)
        libcrypto.so.3(OPENSSL_3.2.0)(64bit)
        libcrypto.so.3(OPENSSL_3.4.0)(64bit)
        libssl.so.3()(64bit)
        libssl.so.3(OPENSSL_3.0.0)(64bit)
        libssl.so.3(OPENSSL_3.2.0)(64bit)
        openssl-libs = 1:3.2.2-16.el10
        openssl-libs(x86-64) = 1:3.2.2-16.el10

      Notice that there is libcrypto.so.3(OPENSSL_3.4.0)(64bit).

      per cllang@redhat.com:
      Root cause is https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/ce2e7dc60e1f3dac02c5b652e14599cf86223498#8e8ad7a4ef98d596c73e7[…]0519121e131584_0_1002

      That backport should not have added the 3_4_0 version in the symbol table (at least not without also importing all other 3_4_0 symbols), but it did.

      The issue is tracked on the openssl side as RHEL-105518, but there isn't really a solution that would fix it for opencryptoki right now. So the best way forward is to require the new openssl in opencryptoki for RHEL-10.1.

      What is the impact of this issue to you?

      manual intervention during system update is needed (extra addition of openssl into a transaction)

      Please provide the package NVR for which the bug is seen:

      opencryptoki-3.25.0-3.el10

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. install RHEL-10.0
      2. update opencryptoki to version from RHEL-10.1
      3. start pkcsslotd, observe error

      Expected results

      old openssl remains installed, pkcsslotd fails to start

      Actual results

      openssl 3.5.1 is installed, pkcsslotd runs properly

              than@redhat.com Than Ngo
              ksrot@redhat.com Karel Srot
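
Added example (not part of the original report and not opencryptoki or openssl code): a check that compares what RPM's version-node provides satisfy with what the dynamic loader must actually resolve, which is the gap described above. It assumes input in the format of `rpm -q --provides` and `nm -D --with-symbol-versions`; the sample text is constructed, and EXAMPLE_backported_fn is a hypothetical stand-in for whatever symbol the backport exported under OPENSSL_3.4.0.

```python
import re

# Constructed sample data, not captured from a real system. Only
# EVP_MD_CTX_get_size_ex and the OPENSSL_* node names come from the report.
RPM_PROVIDES = """\
libcrypto.so.3()(64bit)
libcrypto.so.3(OPENSSL_3.0.0)(64bit)
libcrypto.so.3(OPENSSL_3.2.0)(64bit)
libcrypto.so.3(OPENSSL_3.4.0)(64bit)
"""
BINARY_NM = """\
                 U EVP_MD_CTX_new@OPENSSL_3.0.0
                 U EVP_MD_CTX_get_size_ex@OPENSSL_3.4.0
"""
LIBRARY_NM = """\
00000000001a2b30 T EVP_MD_CTX_new@@OPENSSL_3.0.0
00000000001a2c40 T EXAMPLE_backported_fn@@OPENSSL_3.4.0
"""

def provided_nodes(provides, soname="libcrypto.so.3"):
    """Version nodes RPM records as provided for one soname."""
    pat = re.compile(re.escape(soname) + r"\(([^()]+)\)")
    return {m.group(1) for m in pat.finditer(provides)}

def versioned(nm_text, undefined):
    """(symbol, version) pairs from nm -D text: imports if undefined, else exports."""
    pairs = set()
    for line in nm_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or "@" not in fields[-1]:
            continue
        is_undef = fields[-2] in ("U", "w", "v")  # nm type letters for undefined
        if is_undef == undefined:
            sym, ver = fields[-1].split("@", 1)   # exports use "@@" for the default
            pairs.add((sym, ver.lstrip("@")))
    return pairs

def audit(provides, binary_nm, library_nm):
    """Return (nodes RPM cannot satisfy, symbols the loader cannot resolve)."""
    need = versioned(binary_nm, undefined=True)
    rpm_unsatisfied = sorted({ver for _, ver in need} - provided_nodes(provides))
    loader_unresolved = sorted(need - versioned(library_nm, undefined=False))
    return rpm_unsatisfied, loader_unresolved

if __name__ == "__main__":
    rpm_gap, loader_gap = audit(RPM_PROVIDES, BINARY_NM, LIBRARY_NM)
    print("RPM-level unsatisfied nodes:", rpm_gap)
    print("loader-level unresolved symbols:", loader_gap)
```

An empty first list with a non-empty second list is the situation in this report: the package transaction resolves, and the failure only appears when the binary starts.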