LinuxQuestions.org
Old 05-13-2021, 02:32 AM   #1
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Rep: Reputation: Disabled
Slack14.2 support, OpenSSL 1.0.2 and Let's Encrypt root expiration in September


I've just received a notice from Let's Encrypt that their DST Root CA X3 expires in September 2021 and its consequences.

One part of the notice refers to special measures to support older Android devices and warnings about older devices running OpenSSL<1.1 and Let's Encrypt API and ACME client, in the sense that they will stop working.

Slackware-14.2 with up to date patches runs OpenSSL-1.0.2u.

Is ISRG Root X1 included in ca-certificates on Slackware-14.2?
Will openssl be upgraded to 1.1?

And overall, will Let's Encrypt certificates continue to work on Slackware-14.2, both from client and server point of view, after September?


References:
https://letsencrypt.org/docs/dst-roo...eptember-2021/
https://community.letsencrypt.org/t/...ficates/143816
 
Old 05-13-2021, 05:27 AM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 6,152

Rep: Reputation: Disabled
https://letsencrypt.org/docs/certificate-compatibility/

Code:
# cat /etc/slackware-version 
Slackware 14.2
# grep ISRG /var/log/packages/ca-certificates-20210308-noarch-1_slack14.2 
usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

Last edited by ponce; 05-13-2021 at 05:32 AM.
 
1 members found this post helpful.
Old 05-13-2021, 09:05 AM   #3
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Original Poster
Rep: Reputation: Disabled
Thanks @ponce
(I was looking for letsencrypt string ...) ;-)
At least this gives the chance for using the workaround, if OpenSSL doesn't get bumped to 1.1 in time.

If distro patches don't upgrade OpenSSL, does anyone know what might break if I upgrade to 1.1 by hand?
 
Old 05-13-2021, 09:16 AM   #4
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 1,374

Rep: Reputation: 1149
Quote:
Originally Posted by andrixnet
If distro patches don't upgrade OpenSSL, does anyone know what might break if I upgrade to 1.1 by hand?
Permit me to doubt that Slackware 14.2 will get an upgrade of OpenSSL, as many things will probably break, and many things would need to be patched and rebuilt.

That's it. Slackware 14.2 is so old that things like this happen.
 
2 members found this post helpful.
Old 05-13-2021, 09:47 AM   #5
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by LuckyCyborg
Permit me to doubt that Slackware 14.2 will get an upgrade of OpenSSL, as many things will probably break, and many things would need to be patched and rebuilt.

That's it. Slackware 14.2 is so old that things like this happen.
I know... with -15 still in the making though ...

However I too doubt it will get an upgrade of OpenSSL. Same as with PHP probably. Shipped version of PHP has long since gone out of support. IIRC it was updated once (higher version, not just patches).
 
Old 05-19-2021, 04:26 PM   #6
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

Rep: Reputation: 287
Quote:
Originally Posted by andrixnet
Thanks @ponce
(I was looking for letsencrypt string ...) ;-)
At least this gives the chance for using the workaround, if OpenSSL doesn't get bumped to 1.1 in time.
The larger problem is that OpenSSL 1.0.2 isn't receiving security updates any more, which I raised in the vulnerabilities thread in November 2019. Pat replied to say that a version bump to 1.1.1 wasn't on the cards because of how complex it would be. I'm certain that a certificate authority dropping support for OpenSSL 1.0.2 wouldn't be enough to change his mind in that regard.

Quote:
Originally Posted by andrixnet
If distro patches don't upgrade OpenSSL, does anyone know what might break if I upgrade to 1.1 by hand?
A lot of stuff: see the "Thu May 10 03:25:47 UTC 2018" entry in -current's ChangeLog.txt for an idea of what needs to be rebuilt. In reality, the differences between OpenSSL's 1.0.2 and 1.1.x APIs mean that 1.1.1 wouldn't be a drop-in replacement, so you'd need to backport upstream patches targeting the 1.1.x API to versions onto which they probably don't apply cleanly. This would be a huge, frustrating undertaking, and if Pat's not prepared to try it, I'd recommend that you don't either. If you do, don't rebase on OpenSSL 1.1.0, because that's not supported either now - go with 1.1.1 (although they are ABI-compatible, so 1.1.1 should just be a drop-in replacement for 1.1.0).

Last edited by CTM; 05-19-2021 at 04:39 PM.
 
Old 05-19-2021, 10:24 PM   #7
notzed
Member
 
Registered: Dec 2020
Location: South Australia
Distribution: slackware64-current
Posts: 34

Rep: Reputation: Disabled
With the lack of maintenance for 1.0 for something as sensitive it doesn't seem that 1.1 can be delayed indefinitely no matter how difficult it might be.

Updating code to another API is well out of scope of a packager though (and even more so for security sensitive software?) so I presume one would have to either drop packages that still aren't updated to support 1.1.x yet, or install both 1.0 and 1.1 in parallel (at least Ubuntu appears to allow this) ... and then make sure all the packages are using the same versions across all libraries they use. Yuck, not trivial.

On a side-note it's pretty odd that www.slackware.com doesn't support https.
 
Old 05-20-2021, 03:41 AM   #8
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Original Poster
Rep: Reputation: Disabled
Tough question and situation.

Considering also factors such as 14.2 release as being "in support" which by now is only partial and the long overdue next release (5 years?). I know there are reasons but still, it's been a loooong time.
 
Old 05-20-2021, 05:53 AM   #9
slalik
Member
 
Registered: Nov 2014
Location: Moscow
Distribution: Slackware
Posts: 202

Rep: Reputation: 147
Nobody in this thread hopes to be 15.0 on 30 September?
 
1 members found this post helpful.
Old 05-21-2021, 05:31 AM   #10
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 863

Rep: Reputation: Disabled
Well, I don't think it'll be patched. FWIW I've compiled it locally, had it since January 26.
Code:
-rw-r--r-- 1 root root 51935 Mar 26 09:07 /var/log/packages/openssl-1.1.1k-x86_64-1
-rw-r--r-- 1 root root  1710 Mar 26 09:07 /var/log/packages/openssl-solibs-1.1.1k-x86_64-1
-rw-r--r-- 1 root root  5055 Jan 26 14:05 /var/log/packages/openssl10-1.0.2u-x86_64-1
-rw-r--r-- 1 root root  1393 Jan 26 14:05 /var/log/packages/openssl10-solibs-1.0.2u-x86_64-1
 
Old 05-21-2021, 11:35 AM   #11
dgrames
Member
 
Registered: Jul 2007
Distribution: Slackware
Posts: 108

Rep: Reputation: 27
Quote:
Well, I don't think it'll be patched. FWIW I've compiled it locally, had it since January 26
Did you have to recompile anything else? apache, stunnel. I know the sendmail in 14.2 won't work with openssl 1.1.x.

Don
 
Old 05-21-2021, 12:49 PM   #12
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by elcore
Well, I don't think it'll be patched. FWIW I've compiled it locally, had it since January 26.
Code:
-rw-r--r-- 1 root root 51935 Mar 26 09:07 /var/log/packages/openssl-1.1.1k-x86_64-1
-rw-r--r-- 1 root root  1710 Mar 26 09:07 /var/log/packages/openssl-solibs-1.1.1k-x86_64-1
-rw-r--r-- 1 root root  5055 Jan 26 14:05 /var/log/packages/openssl10-1.0.2u-x86_64-1
-rw-r--r-- 1 root root  1393 Jan 26 14:05 /var/log/packages/openssl10-solibs-1.0.2u-x86_64-1
Does this mean you are running dual version?
How did you build them?
What other packages did you rebuild?

What packages use 1.1.1 and what packages use 1.0.2 and how did you make them decide which is which for them?
 
Old 05-22-2021, 03:20 AM   #13
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 863

Rep: Reputation: Disabled
Quote:
Originally Posted by dgrames
Did you have to recompile anything else?
Just a few of them; curl, wget, squid, ffmpeg, mplayer, and qt5 (the move from qt5-5.9.9 to qt5-5.12.10 required a new openssl).
Other things that could possibly make use of this; I don't use or have them installed, so I don't know if they'd work.

Quote:
Originally Posted by andrixnet
Does this mean you are running dual version?
Well I have 1.0.2 in case I may need it, but I don't use it for anything since January.

Quote:
Originally Posted by andrixnet
How did you build them?
Removed the stock 1.0.2, and then compiled from -current since the SlackBuild script was available in January.
Edit: Attached copies of the scripts as the license is permissive and they are no longer in -current
Attached Files
File Type: txt openssl.SlackBuild.txt (8.9 KB, 10 views)
File Type: txt openssl10.SlackBuild.txt (9.9 KB, 5 views)

Last edited by elcore; 05-22-2021 at 03:53 AM.
 
Old 05-24-2021, 04:25 AM   #14
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 153

Original Poster
Rep: Reputation: Disabled
And deciding upon which version to be used is based on the version the package was compiled against or is there some runtime config to be done as well?
 
Old 05-24-2021, 04:48 AM   #15
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 863

Rep: Reputation: Disabled
Quote:
Originally Posted by andrixnet
And deciding upon which version to be used is based on the version the package was compiled against or is there some runtime config to be done as well?
Thought I already answered this: on my local install nothing is linked to openssl10-1.0.2u anymore, it's there just in case I need to link something to 1.0.2 in the future.
These other packages I've mentioned were first linked to openssl-1.1 on Jan 26, and then recompiled again after the openssl-1.1.1k patch which was also built from source on March 26.
In those specific cases, it's auto-detected at compile-time, so there is no additional config to be done.
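
Added example, not part of any post in this thread: with openssl-1.1.1k and openssl10-1.0.2u installed side by side as in posts #10 to #15, this script reports which generation each binary resolves at load time, including the mixed case post #7 worries about, where a dependency still pulls in 1.0.x. The function names `classify_openssl_links` and `audit_dir` are hypothetical, and the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example: which OpenSSL generation does a binary resolve at load time?
# Sonames: libssl.so.1.0.0 / libcrypto.so.1.0.0 -> 1.0.x
#          libssl.so.1.1   / libcrypto.so.1.1   -> 1.1.x

# Reads `ldd` output on stdin; prints 1.0.x, 1.1.x, mixed or none.
# "mixed": the binary, or a library it depends on, still pulls in 1.0.x
# while another part of the dependency tree uses 1.1.x.
classify_openssl_links() {
    awk '
        /lib(ssl|crypto)\.so\.1\.0\.0/ { v10 = 1 }
        /lib(ssl|crypto)\.so\.1\.1/    { v11 = 1 }
        END {
            if (v10 && v11) print "mixed"
            else if (v10)   print "1.0.x"
            else if (v11)   print "1.1.x"
            else            print "none"
        }'
}

# Hypothetical helper: list every executable in directory $1 that links
# OpenSSL, with its verdict. ldd can run code from the file it inspects,
# so use it only on trusted, package-installed binaries.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        verdict=$(ldd "$f" 2>/dev/null | classify_openssl_links)
        [ "$verdict" = "none" ] || printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Constructed ldd output (not captured from a real system).
SAMPLE_NEW='	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000000000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000600000)'
SAMPLE_MIXED='	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000000000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000200000)
	libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007f0000400000)
	libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f0000800000)'

printf 'new:   %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | classify_openssl_links)"
printf 'mixed: %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | classify_openssl_links)"
# Real use: audit_dir /usr/bin
```

Anything reported as `1.0.x` or `mixed` still depends on the unmaintained 1.0.2 libraries and is a candidate for a rebuild against 1.1.1.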
 
  


All times are GMT -5. The time now is 10:00 AM.
