source: chapter08/openssl.xml@ 0b0fa07

Last change on this file since 0b0fa07 was 0b0fa07, checked in by Xi Ruoyao <xry111@…>, 22 months ago

openssl: mark c_rehash obsolete

The c_rehash script, shipped by OpenSSL versions in current LFS trunk
and all previous LFS releases, is vulnerable to CVE-2022-2068. It's
fixed in 3.0.4, but OpenSSL 3.0.4 is completely broken on CPU models with
AVX-512 extension [1]. So we'd like to defer OpenSSL update and wait for
upstream consensus about "would 3.0.5 be released in urgency".

But, the upstream has announced that use of c_rehash is obsolete now [2].
So we can tell people not to use it.

[1]: https://github.com/openssl/openssl/issues/18625
[2]: https://www.openssl.org/news/secadv/20220621.txt

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>

<sect1 id="ch-system-openssl" role="wrap">
  <?dbhtml filename="openssl.html"?>

  <sect1info condition="script">
    <productname>openssl</productname>
    <productnumber>&openssl-version;</productnumber>
    <address>&openssl-url;</address>
  </sect1info>

  <title>OpenSSL-&openssl-version;</title>

  <indexterm zone="ch-system-openssl">
    <primary sortas="a-OpenSSL">OpenSSL</primary>
  </indexterm>

  <sect2 role="package">
    <title/>

    <para>The OpenSSL package contains management tools and libraries relating
    to cryptography. These are useful for providing cryptographic functions
    to other packages, such as OpenSSH, email applications, and web browsers
    (for accessing HTTPS sites).</para>

    <segmentedlist>
      <segtitle>&buildtime;</segtitle>
      <segtitle>&diskspace;</segtitle>

      <seglistitem>
        <seg>&openssl-fin-sbu;</seg>
        <seg>&openssl-fin-du;</seg>
      </seglistitem>
    </segmentedlist>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSL</title>

    <para>Prepare OpenSSL for compilation:</para>

<screen><userinput remap="configure">./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>To test the results, issue:</para>

<screen><userinput remap="test">make test</userinput></screen>

    <para>One test, 30-test_afalg.t, is known to fail on some kernel
    configurations (depending on inconsistent values of the
    CONFIG_CRYPTO_USER_API* settings). If it fails, it can safely be
    ignored.</para>

    <para>Install the package:</para>

<screen><userinput remap="install">sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
make MANSUFFIX=ssl install</userinput></screen>

    <para>Add the version to the documentation directory name, to be
    consistent with other packages:</para>

<screen><userinput remap="install">mv -v /usr/share/doc/openssl /usr/share/doc/openssl-&openssl-version;</userinput></screen>

    <para>If desired, install some additional documentation:</para>

<screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>

    <note>
      <para>
        You should update OpenSSL when a new version which fixes vulnerabilities
        is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme
        follows the MAJOR.MINOR.PATCH format. API/ABI compatibility
        is guaranteed for the same MAJOR version number. Because LFS
        installs only the shared libraries, there is no need to recompile
        packages which link to
        <filename class="libraryfile">libcrypto.so</filename> or
        <filename class="libraryfile">libssl.so</filename>
        <emphasis>when upgrading to a version with the MAJOR version number
        unchanged</emphasis>.
      </para>

      <para>
        However, any running programs linked to those libraries need to be stopped
        and restarted. Read the related entries in
        <xref linkend='pkgmgmt-upgrade-issues'/> for details.
      </para>

    </note>

  </sect2>

  <sect2 id="contents-openssl" role="content">
    <title>Contents of OpenSSL</title>

    <segmentedlist>
      <segtitle>Installed programs</segtitle>
      <segtitle>Installed libraries</segtitle>
      <segtitle>Installed directories</segtitle>

      <seglistitem>
        <seg>
          c_rehash and openssl
        </seg>
        <seg>
          libcrypto.so and libssl.so
        </seg>
        <seg>
          /etc/ssl,
          /usr/include/openssl,
          /usr/lib/engines and
          /usr/share/doc/openssl-&openssl-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="c_rehash">
        <term><command>c_rehash</command></term>
        <listitem>
          <para>
            is a <application>Perl</application> script that
            scans all files in a directory and adds symbolic links to their
            hash values. Use of <command>c_rehash</command> is considered
            obsolete and should be replaced by the
            <command>openssl rehash</command> command
          </para>
          <indexterm zone="ch-system-openssl c_rehash">
            <primary sortas="b-c_rehash">c_rehash</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="openssl-prog">
        <term><command>openssl</command></term>
        <listitem>
          <para>
            is a command-line tool for using the various cryptography functions
            of <application>OpenSSL</application>'s crypto library from the
            shell. It can be used for various functions which are documented in
            <command>man 1 openssl</command>
          </para>
          <indexterm zone="ch-system-openssl openssl-prog">
            <primary sortas="b-openssl">openssl</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libcrypto">
        <term><filename class="libraryfile">libcrypto.so</filename></term>
        <listitem>
          <para>
            implements a wide range of cryptographic algorithms used in various
            Internet standards. The services provided by this library are used
            by the <application>OpenSSL</application> implementations of SSL,
            TLS and S/MIME, and they have also been used to implement
            <application>OpenSSH</application>,
            <application>OpenPGP</application>, and other cryptographic
            standards
          </para>
          <indexterm zone="ch-system-openssl libcrypto">
            <primary sortas="c-libcrypto">libcrypto.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libssl">
        <term><filename class="libraryfile">libssl.so</filename></term>
        <listitem>
          <para>
            implements the Transport Layer Security (TLS v1) protocol.
            It provides a rich API, documentation
            on which can be found by running <command>man 3 ssl</command>
          </para>
          <indexterm zone="ch-system-openssl libssl">
            <primary sortas="c-libssl">libssl.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
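The note in the installation section makes two practical points: a MAJOR-compatible OpenSSL upgrade needs no rebuild of dependent packages, but every running program that had the old libcrypto.so/libssl.so mapped keeps executing the pre-upgrade code until it is restarted. The script below is an added example written for this page, not part of the LFS book or of OpenSSL: it compares two version strings under the MAJOR.MINOR.PATCH rule, and it finds the processes that still map a replaced library by reading /proc/<pid>/maps (an assumption of Linux procfs). The SAMPLE_MAPS text is constructed for the demonstration, not captured from a real system; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not LFS or OpenSSL code): post-upgrade checks for the two
# points in the OpenSSL note. Assumes Linux procfs and the OpenSSL 3
# MAJOR.MINOR.PATCH versioning scheme.

# same_major OLD NEW: exit 0 when both versions share a MAJOR number, i.e.
# API/ABI compatibility is promised and restarts (not rebuilds) are enough.
same_major() {
    [ "${1%%.*}" = "${2%%.*}" ]
}

# stale_ssl_libs MAPS_TEXT: print each distinct libcrypto/libssl path that a
# /proc/<pid>/maps dump marks "(deleted)". A deleted mapping means the file
# on disk was replaced but the process still runs the old code.
# Field 6 of a maps line is the pathname; "(deleted)" follows it as field 7.
stale_ssl_libs() {
    printf '%s\n' "$1" |
        awk '$6 ~ /lib(ssl|crypto)\.so/ && /\(deleted\)$/ { print $6 }' |
        sort -u
}

# scan_procs: walk every readable /proc/<pid>/maps and report PID, command
# name and the stale libraries, one affected process per line.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_ssl_libs "$(cat "$maps" 2>/dev/null)")
        [ -n "$libs" ] || continue
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed sample maps dump (not from a real system): a process still
# mapping the replaced libssl/libcrypto, plus an unaffected libc mapping.
SAMPLE_MAPS='7f3a0000-7f3a1000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.3 (deleted)
7f3a2000-7f3a3000 r-xp 00000000 08:01 1235 /usr/lib/libc.so.6
7f3a4000-7f3a5000 r-xp 00000000 08:01 1236 /usr/lib/libcrypto.so.3 (deleted)
7f3a6000-7f3a7000 rw-p 00010000 08:01 1236 /usr/lib/libcrypto.so.3 (deleted)'

if [ "${1:-}" = "--scan" ]; then
    scan_procs                      # live check on this machine
else
    stale_ssl_libs "$SAMPLE_MAPS"   # demonstration on the constructed sample
fi
```

Run it with `--scan` as root after `make install` to list the processes to restart; without root, maps of other users' processes are unreadable and silently skipped. The "(deleted)" marker only appears when the library file was replaced by a new inode (unlink or rename), not when it was overwritten in place, so a process-level check such as this complements, rather than replaces, the restart list in the package management chapter referenced by the note.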