
ZBUG-3355 : Upgrade OpenSSL to 3.0.9#189

Merged
umagmrit merged 48 commits into develop from ZBUG-3355
Jul 27, 2023

@umagmrit
Contributor

No description provided.

umagmrit added 30 commits June 20, 2023 09:40
@ghen2
Contributor

ghen2 commented Jun 21, 2023

Hi

On a CentOS 7 system, I noticed that several Zimbra components, including openldap (slap* and ldap* tools) and postfix, link to both the Zimbra-provided openssl 3.0.9 libraries AND the OS's openssl 1.0.2 libraries at the same time:

$ ldd /opt/zimbra/common/bin/ldapsearch | grep -e libssl -e libcrypto
        libssl.so.3 => /opt/zimbra/common/lib/libssl.so.3 (0x00007ffa96786000)
        libcrypto.so.3 => /opt/zimbra/common/lib/libcrypto.so.3 (0x00007ffa96159000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007ffa954ac000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ffa95049000)

This can be traced down to libcurl, as indeed curl links to the OS-provided libssh2 on one hand –which in turn links to the OS-provided openssl– and to the Zimbra-provided openssl on the other hand, as evinced by curl's config.log:

configure:27788: checking run-time libs availability
configure:27805: gcc -o conftest -O2 -Wno-system-headers  -I/opt/zimbra/common/include    -Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib    conftest.c -lssh2  -lssl -lcrypto -lssl -lcrypto   -lgssapi -lz  >&5
/usr/bin/ld: warning: libssl.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libssl.so.3
/usr/bin/ld: warning: libssl.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libssl.so.3
/usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libcrypto.so.3
/usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libcrypto.so.3

This is not due to this particular OpenSSL 3.0.9 upgrade, it was like this before as well.

I'm not sure this is actually a problem, but it may be worth looking into. The libcurl dependency is brought in via cyrus-sasl, and thus further leaks its link dependencies into openldap and postfix binaries. I'm not sure whether the libcurl dependency is actually needed for cyrus-sasl? (or whether libcurl actually needs the libssh2 dependency?)
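
The check from the comment above, generalized to any `ldd` output, as an added example that is not part of this PR or of Zimbra's build scripts. The function names `find_mixed_sonames`, `who_needs` and `sample_ldd` are hypothetical, and the libz line in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the PR). Flags library families that resolve to
# more than one soname version in a single process, given ldd output on stdin.
find_mixed_sonames() {
    awk '
        # ldd lines: "libssl.so.3 => /opt/.../libssl.so.3 (0x...)"
        $2 == "=>" && $1 ~ /\.so/ {
            soname = $1; base = $1
            sub(/\.so.*$/, "", base)              # libssl.so.3 -> libssl
            if ((base, soname) in seen) next
            seen[base, soname] = 1
            count[base]++
            sep = (list[base] == "") ? "" : " "
            list[base] = list[base] sep soname "=" $3
        }
        END { for (b in count) if (count[b] > 1) print b ": " list[b] }
    ' | sort
}

# For binary $1, print the resolved libraries whose own DT_NEEDED entries ask
# for soname $2 (e.g. libssl.so.10). ldd invokes the dynamic loader, so run it
# only on binaries you trust.
who_needs() {
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while read -r lib; do
        if readelf -d "$lib" 2>/dev/null | grep NEEDED | grep -qF "[$2]"; then
            echo "$lib"
        fi
    done
}

# Sample input: the four lines from the ldd output quoted above, plus one
# constructed libz line as a non-conflicting control.
sample_ldd() {
    cat <<'EOF'
        libssl.so.3 => /opt/zimbra/common/lib/libssl.so.3 (0x00007ffa96786000)
        libcrypto.so.3 => /opt/zimbra/common/lib/libcrypto.so.3 (0x00007ffa96159000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007ffa954ac000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ffa95049000)
        libz.so.1 => /lib64/libz.so.1 (0x00007ffa94e33000)
EOF
}

sample_ldd | find_mixed_sonames
```

On a live system, `ldd /opt/zimbra/common/bin/ldapsearch | find_mixed_sonames` lists the conflicting families, and `who_needs /opt/zimbra/common/bin/ldapsearch libssl.so.10` names the library that drags in the OS copy.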

@umagmrit umagmrit merged commit 40c9063 into develop Jul 27, 2023
@umagmrit umagmrit deleted the ZBUG-3355 branch July 27, 2023 03:21
@umagmrit
Contributor Author

umagmrit commented Jan 22, 2024

> Hi
>
> On a CentOS 7 system, I noticed that several Zimbra components, including openldap (slap* and ldap* tools) and postfix, link to both the Zimbra-provided openssl 3.0.9 libraries AND the OS's openssl 1.0.2 libraries at the same time:
>
> $ ldd /opt/zimbra/common/bin/ldapsearch | grep -e libssl -e libcrypto
>         libssl.so.3 => /opt/zimbra/common/lib/libssl.so.3 (0x00007ffa96786000)
>         libcrypto.so.3 => /opt/zimbra/common/lib/libcrypto.so.3 (0x00007ffa96159000)
>         libssl.so.10 => /lib64/libssl.so.10 (0x00007ffa954ac000)
>         libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ffa95049000)
>
> This can be traced down to libcurl, as indeed curl links to the OS-provided libssh2 on one hand –which in turn links to the OS-provided openssl– and to the Zimbra-provided openssl on the other hand, as evinced by curl's config.log:
>
> configure:27788: checking run-time libs availability
> configure:27805: gcc -o conftest -O2 -Wno-system-headers  -I/opt/zimbra/common/include    -Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib    conftest.c -lssh2  -lssl -lcrypto -lssl -lcrypto   -lgssapi -lz  >&5
> /usr/bin/ld: warning: libssl.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libssl.so.3
> /usr/bin/ld: warning: libssl.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libssl.so.3
> /usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libcrypto.so.3
> /usr/bin/ld: warning: libcrypto.so.10, needed by /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libssh2.so, may conflict with libcrypto.so.3
>
> This is not due to this particular OpenSSL 3.0.9 upgrade, it was like this before as well.
>
> I'm not sure this is actually a problem, but it may be worth looking into. The libcurl dependency is brought in via cyrus-sasl, and thus further leaks its link dependencies into openldap and postfix binaries. I'm not sure whether the libcurl dependency is actually needed for cyrus-sasl? (or whether libcurl actually needs the libssh2 dependency?)

@ghen2 I think libcurl-devel, libssh2-devel are required for cyrus-sasl.

without libcurl-devel:
depbase=`echo zmpost.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -DSASLAUTHD_CONF_FILE_DEFAULT="/opt/zimbra/conf/saslauthd.conf" -I. -I. -I.. -I. -I.. -I../include -I../include -I../common -I../common -DOBSOLETE_CRAM_ATTR=1 -I/opt/zimbra/common/include -DOBSOLETE_DIGEST_ATTR=1 -I/opt/zimbra/common/include -I/opt/zimbra/common/include/libxml2 -Wall -W -O2 -g -D_REENTRANT -MT zmpost.o -MD -MP -MF $depbase.Tpo -c -o zmpost.o zmpost.c &&\
mv -f $depbase.Tpo $depbase.Po
zmpost.c:1:23: fatal error: curl/curl.h: No such file or directory
#include <curl/curl.h>
                   ^
compilation terminated.

without libssh2-devel:

/bin/sh ../libtool --tag=CC --mode=link gcc -Wall -W -O2 -g -D_REENTRANT -version-info 3:0:0 -no-undefined -L/opt/zimbra/common/lib -Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib -Wl,-rpath,/opt/zimbra/common/lib -Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib -o libsasl2.la -rpath /opt/zimbra/common/lib auxprop.lo canonusr.lo checkpw.lo client.lo common.lo config.lo external.lo md5.lo saslutil.lo server.lo seterror.lo dlopen.lo -ldl ../common/libplugin_common.la -lresolv -lcurl -L/opt/zimbra/common/lib -lxml2 -lz -lm -ldl
libtool: link: gcc -shared -fPIC -DPIC .libs/auxprop.o .libs/canonusr.o .libs/checkpw.o .libs/client.o .libs/common.o .libs/config.o .libs/external.o .libs/md5.o .libs/saslutil.o .libs/server.o .libs/seterror.o .libs/dlopen.o -Wl,--whole-archive ../common/.libs/libplugin_common.a -Wl,--no-whole-archive -Wl,-rpath -Wl,/opt/zimbra/common/lib -Wl,-rpath -Wl,/opt/zimbra/common/lib -L/opt/zimbra/common/lib /opt/zimbra/common/lib/libcurl.so -lssh2 -lssl -lcrypto /opt/zimbra/common/lib/libgssapi.so /opt/zimbra/common/lib/libheimntlm.so /opt/zimbra/common/lib/libkrb5.so /opt/zimbra/common/lib/libheimbase.so /opt/zimbra/common/lib/libhx509.so /opt/zimbra/common/lib/libwind.so /opt/zimbra/common/lib/libheimsqlite.so /opt/zimbra/common/lib/libhcrypto.so /opt/zimbra/common/lib/libasn1.so /opt/zimbra/common/lib/libcom_err.so /opt/zimbra/common/lib/libroken.so -lcrypt -lresolv /opt/zimbra/common/lib/libxml2.so -lz -lm -ldl -O2 -Wl,-rpath -Wl,/opt/zimbra/common/lib -Wl,-rpath -Wl,/opt/zimbra/common/lib -Wl,-rpath -Wl,/opt/zimbra/common/lib -pthread -Wl,-soname -Wl,libsasl2.so.3 -o .libs/libsasl2.so.3.0.0
/bin/ld: cannot find -lssh2
collect2: error: ld returned 1 exit status

[root@centos-7 cyrus-sasl]# ldd /usr/lib64/libcurl.so |grep -i  libssh2
	libssh2.so.1 => /lib64/libssh2.so.1 (0x00007fd85e729000)
