Bug #118343 for Crypt-SSLeay: Tests fail with OpenSSL 1.1.0

Wed Oct 12 04:36:31 2016 ppisar [...] redhat.com - Ticket created

Subject:

Tests fail with OpenSSL 1.1.0

After upgrading OpenSSL to 1.1.0b, tests fail like this: # Failed test 'use Crypt::SSLeay;' # at t/00-basic.t line 6. # Tried to use 'Crypt::SSLeay'. # Error: Can't load '/home/test/fedora/perl-Crypt-SSLeay/Crypt-SSLeay-0.72/blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module Crypt::SSLeay: /home/test/fedora/perl-Crypt-SSLeay/Crypt-SSLeay-0.72/blib/arch/auto/Crypt/SSLeay/SSLeay.so: undefined symbol: SSLv2_client_method at /usr/lib64/perl5/DynaLoader.pm line 193. # at t/00-basic.t line 6. This is because OpenSSL 1.1.0 removed support for SSLv2 <https://www.openssl.org/news/cl110.txt>.

Wed Oct 12 04:55:51 2016 ppisar [...] redhat.com - Correspondence added

From:

ppisar [...] redhat.com

Dne St 12.říj.2016 04:36:31, ppisar napsal(a): Show quoted text

> This is because OpenSSL 1.1.0 removed support for SSLv2 > <https://www.openssl.org/news/cl110.txt>.

Attached patch stoppes using SSLv2_client_method() with OpenSSL 1.1.0 and newer. Please note OpenSSL 1.1.0 also deprecated SSLv3 and recommends using TLS methods. I did not touch that part.

Subject:

0001-Do-not-use-SSLv2_client_method-with-OpenSSL-1.1.0.patch

From 1c725e333e9d20b87346fb394a1d01fa5be4fbaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Wed, 12 Oct 2016 10:46:22 +0200 Subject: [PATCH] Do not use SSLv2_client_method() with OpenSSL >= 1.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SSLv2 support was removed from OpenSSL 1.1.0. CPAN RT#118343 Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> --- SSLeay.xs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SSLeay.xs b/SSLeay.xs index 1560604..ba0dd24 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -152,7 +152,7 @@ SSL_CTX_new(packname, ssl_version) ctx = SSL_CTX_new(SSLv3_client_method()); } else { -#ifndef OPENSSL_NO_SSL2 +#if !defined OPENSSL_NO_SSL2 && OPENSSL_VERSION_NUMBER < 0x10100000L /* v2 is the default */ ctx = SSL_CTX_new(SSLv2_client_method()); #else -- 2.7.4

Thu Apr 30 10:56:19 2020 abarag4 [...] uic.edu - Correspondence added

On Wed Oct 12 04:36:31 2016, ppisar wrote: Show quoted text

> After upgrading OpenSSL to 1.1.0b, tests fail like this: > > # Failed test 'use Crypt::SSLeay;' > # at t/00-basic.t line 6. > # Tried to use 'Crypt::SSLeay'. > # Error: Can't load '/home/test/fedora/perl-Crypt-SSLeay/Crypt- > SSLeay-0.72/blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module > Crypt::SSLeay: /home/test/fedora/perl-Crypt-SSLeay/Crypt-SSLeay- > 0.72/blib/arch/auto/Crypt/SSLeay/SSLeay.so: undefined symbol: > SSLv2_client_method at /usr/lib64/perl5/DynaLoader.pm line 193. > # at t/00-basic.t line 6. > > This is because OpenSSL 1.1.0 removed support for SSLv2 > <https://www.openssl.org/news/cl110.txt>.

Attached patch stops using SSLv3_client_method() with OpenSSL 1.1.1. TheTLS_client_method method is used instead.

Subject:

Use_TLS_client_method-with-OpenSSL-1.1.1.patch

--- SSLeay.xs.bak 2020-04-30 14:48:03.897259294 +0000 +++ SSLeay.xs 2020-04-30 14:51:14.193744640 +0000 @@ -149,15 +149,15 @@ ctx = SSL_CTX_new(SSLv23_client_method()); } else if(ssl_version == 3) { - ctx = SSL_CTX_new(SSLv3_client_method()); + ctx = SSL_CTX_new(TLS_client_method()); } else { -#ifndef OPENSSL_NO_SSL2 +#if !defined OPENSSL_NO_SSL2 && OPENSSL_VERSION_NUMBER < 0x10100000L /* v2 is the default */ ctx = SSL_CTX_new(SSLv2_client_method()); #else /* v3 is the default */ - ctx = SSL_CTX_new(SSLv3_client_method()); + ctx = SSL_CTX_new(TLS_client_method()); #endif }

Thu Apr 30 10:56:20 2020 The RT System itself - Status changed from 'new' to 'open'

Wed Oct 21 19:24:23 2020 TODDR [...] cpan.org - Correspondence added

This is required to build on CentOS 8

Wed Oct 21 19:47:31 2020 TODDR [...] cpan.org - Correspondence added

On Wed Oct 21 19:24:23 2020, TODDR wrote: Show quoted text

> This is required to build on CentOS 8

Specifically, ppisar's patch worked but the bigger patch does not work on older systems.