[Pkg-openssl-devel] Bug#918727: openssl.cnf incompatible with libssl1.0.2, libssl1.0.0

Simon McVittie smcv at collabora.com
Tue Jan 8 20:17:42 GMT 2019


Package: openssl
Version: 1.1.1a-1
Severity: important
Control: found -1 1.1.1~~pre3-1
Control: affects -1 steam

The openssl.cnf in the openssl package since 1.1.1~~pre3-1 is incompatible
with libssl < 1.1.0 (I think that's the right cutoff point), either from
a partial upgrade or bundled with third-party software.

It should probably at least have a Breaks on libssl1.0.2, to protect
partial upgrades from stretch. Some release notes for users of
third-party software might also be useful. I realise it probably isn't
feasible to keep openssl.cnf compatible with all past and future versions.

It would perhaps be a good idea for future OpenSSL branches to
use a configuration file that's tied to the major version in their SONAME,
or otherwise parallel-installable? (openssl1.1.0.cnf, etc.)

Minimal reproducer:

* start from Debian testing (buster)
* unpack libssl1.0.2 1.0.2q-2, from unstable, and openssl 1.0.2j-1
  from snapshots.debian.org (the newest openssl.deb that still depended
  on libssl1.0.2) into ~/102
* then run:
  LD_LIBRARY_PATH=$HOME/102/usr/lib/x86_64-linux-gnu $HOME/102/usr/bin/openssl s_client example.com:443

Expected result: successful connection

Actual result:

Error configuring OpenSSL
140099788864256:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
140099788864256:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140099788864256:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:271:module=ssl_conf, path=ssl_conf
140099788864256:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:212:module=ssl_conf

The same thing can be reproduced with libssl1.0.0 and openssl from jessie.

Workaround: use OPENSSL_CONF=/dev/null when running software that depends
on an older libssl.

For context, libssl_conf.so never actually existed on disk, and
isn't really meant to. In OpenSSL's approach to configuration,
/etc/ssl/openssl.cnf configuration parameters cause loading of
native-code modules, which can either be built-in to libcrypto or
libssl, or real files on disk to be dlopen()ed (like the way Python's
sys module is built-in to the interpreter, but its readline module is
external). libssl_conf.so in the default library search path (!) is one
of several names OpenSSL would try for the ssl_conf module - I think
the reason it appears in the error message is that it's the last one to
be tried.

Since 1.1.0 (commit 59b1696c), there is a ssl_conf module built-in to
libssl. It moved into libcrypto in 1.1.1 (commit d8f031e8).

In Debian, since 1.1.1 (August 2018, if we don't count experimental),
/etc/ssl/openssl.cnf has made use of the ssl_conf mechanism to enforce
TLS1.2 as the minimum protocol, and 112-bit security (level 2) as
the minimum security level. This file is only installed if the openssl
package (containing the openssl command-line tool) is installed. However,
ca-certificates depends on openssl, so in practice basically all users
will have it.
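The configuration chain described above (the `openssl_conf` section naming modules to load, the `ssl_conf` module, and its `system_default` settings), as an added example that is not part of the original bug report: a small Python check that tells, before a partial upgrade or when bundling software with its own older libssl, whether a given openssl.cnf will make OpenSSL try to load the `ssl_conf` module, which the report says is built in only from 1.1.0 onward. The two sample configs are constructed here and modelled on what the report says Debian's file does; the exact `MinProtocol`/`CipherString` values are assumptions, not copied from the page, and the parser is deliberately minimal (it does not follow `.include` directives).

```python
import re

# Constructed sample modelled on the openssl.cnf the report describes
# (Debian openssl >= 1.1.1~~pre3-1): openssl_conf -> ssl_conf -> system_default
# sets a minimum protocol and security level. Values are assumed.
NEW_CNF = """\
# constructed sample, not the literal Debian file
openssl_conf = default_conf

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

# Constructed sample of an older-style openssl.cnf that loads no modules.
OLD_CNF = """\
[ req ]
distinguished_name = req_distinguished_name
"""


def parse_cnf(text):
    """Minimal openssl.cnf parser returning {section: {key: value}}.
    Keys before the first [section] header go into the 'default' section.
    '#' comments and blank lines are ignored; '.include' is not followed."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def required_modules(sections):
    """Names of the configuration modules the file asks OpenSSL to load:
    the default-section key 'openssl_conf' names a section, and every key
    in that section is a module name (e.g. ssl_conf)."""
    app = sections.get("default", {}).get("openssl_conf")
    if app is None:
        return []
    return list(sections.get(app, {}).keys())


def ssl_conf_settings(sections):
    """Follow openssl_conf -> ssl_conf -> system_default and return the
    ssl_conf commands found there (MinProtocol, CipherString, ...), or {}."""
    app = sections.get("default", {}).get("openssl_conf")
    ssl = sections.get(app, {}).get("ssl_conf") if app else None
    sysdef = sections.get(ssl, {}).get("system_default") if ssl else None
    return dict(sections.get(sysdef, {})) if sysdef else {}


def needs_ssl_conf_module(text):
    """True when the config will make OpenSSL load the ssl_conf module.
    Per the report, a libssl older than 1.1.0 has no built-in ssl_conf and
    ends up trying to dlopen libssl_conf.so, which does not exist."""
    return "ssl_conf" in required_modules(parse_cnf(text))


if __name__ == "__main__":
    for name, text in (("new", NEW_CNF), ("old", OLD_CNF)):
        needs = needs_ssl_conf_module(text)
        print(f"{name}: requires ssl_conf module: {needs}")
        if needs:
            print("  settings:", ssl_conf_settings(parse_cnf(text)))
            print("  with libssl < 1.1.0, run with OPENSSL_CONF=/dev/null")
```

Running it on the two samples reports that only the newer-style file depends on `ssl_conf`, and prints the `system_default` settings it would apply; for the older file nothing needs to be done. The check is deliberately structural rather than version-based, since the same chain of section references is what triggers the `MODULE_LOAD_DSO` error shown in the report regardless of which keys `system_default` contains.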

This affects libssl1.0.0 in the Steam Runtime installed by the non-free
steam package, and possibly other third-party software bundles.
(<https://github.com/ValveSoftware/steam-for-linux/issues/6014>)

    smcv
