Bug 1301301 - Incorrect OPENSSL_VERSION_NUMBER (0x10000003) reported during runtime check, should be (0x1000205f)
Incorrect OPENSSL_VERSION_NUMBER (0x10000003) reported during runtime check, ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: openssl (Show other bugs)
23
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-23 17:03 EST by Anthony Messina
Modified: 2016-06-26 13:20 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-26 13:20:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2016-01-23 17:03:11 EST
When using openssl-1.0.2e-3.fc23.x86_64, a program that attempts to check the OPENSSL_VERSION_NUMBER during runtime reports an incorrect, outdated version:

OpenSSL 1.0.0-fips 29 Mar 2010" (0x10000003)

rather than the correct version:

OpenSSL 1.0.2e-fips 3 Dec 2015" (0x1000205f)


~]# rpm -q openssl
openssl-1.0.2e-3.fc23.x86_64

~]# openssl version
OpenSSL 1.0.2e-fips 3 Dec 2015

I came across this issue when compiling and running Kamailio against openssl-1.0.2e-3.fc23.x86_64.  Kamailio has an internal check for the version to prevent runtime errors if the compiled/installed versions are "too different".

Can the OPENSSL_VERSION_NUMBER be fixed to report the correct version for downstream programs that verify against OPENSSL_VERSION_NUMBER?

For reference, the Kamailio code generating the warning is here:
https://github.com/kamailio/kamailio/blob/master/modules/tls/tls_init.c#L549
Comment 1 Tomas Mraz 2016-01-25 05:19:56 EST
Are you saying that the program was compiled against the current openssl on Fedora 23 and it still reports this old version? That seems weird. This is only compatibility hack that should be in effect only with applications compiled against much older openssl versions.
Comment 2 Anthony Messina 2016-01-25 06:10:42 EST
(In reply to Tomas Mraz from comment #1)
> Are you saying that the program was compiled against the current openssl on
> Fedora 23 and it still reports this old version? That seems weird. This is

That is exactly what I am seeing.  I compile Kamailio in a koji/mock chroot and run on a fresh F23 installation.
Comment 3 Tomas Mraz 2016-03-03 09:59:29 EST
I am unable to reproduce the problem.

This simple program:
#include <openssl/ssl.h>

int main()
{
	unsigned long ssl_version;

	ssl_version = SSLeay();

	printf("Compiled with: %lx (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT);
	printf("Running with:  %lx (%s)\n", ssl_version, SSLeay_version(SSLEAY_VERSION));

	return 0;
}

When compiled with "make ssltest CFLAGS='-Wall -g -O2' LDFLAGS='-lcrypto -lssl'"
on Fedora 23 prints:
./ssltest 
Compiled with: 1000206f (OpenSSL 1.0.2f-fips  28 Jan 2016)
Running with:  1000206f (OpenSSL 1.0.2f-fips  28 Jan 2016)

Maybe Kamailio does something strange during the build so it forces to link with the compat symbol? But I do not know of any method to actually force such thing.
Comment 4 Tomas Mraz 2016-03-03 10:00:49 EST
Also I believe if the versioning was really broken other software would return such error but I am not getting any similar bug reports.
Comment 5 Anthony Messina 2016-03-27 15:37:43 EDT
(In reply to Tomas Mraz from comment #4)
> Also I believe if the versioning was really broken other software would
> return such error but I am not getting any similar bug reports.

Well, thank you for checking into it.  I'll try to follow up with the Kamailio devs since they can't seem to figure it out either except for if I had a stray openssl install on my system.  I have installed a completely fresh F23 VM and get the same result.
Comment 6 Anthony Messina 2016-04-02 01:29:12 EDT
It turns out that the Makefile for Kamailio's TLS module was using:

LIBS += $(shell pkg-config libssl --libs)

which only returns '-lssl'

# pkg-config libssl --libs
-lssl

It seems that in order for the version detection to work properly, it also needs '-lcrypto'
Comment 7 Tomas Mraz 2016-04-04 03:25:37 EDT
I'll modify the libssl.pc to add -lcrypto. It's very strange that the symbol resolution went this way without the -lcrypto though.
Comment 8 Anthony Messina 2016-06-26 13:20:50 EDT
(In reply to Tomas Mraz from comment #7)
> I'll modify the libssl.pc to add -lcrypto. It's very strange that the symbol
> resolution went this way without the -lcrypto though.

Sorry for the delay.  This fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.