Red Hat Bugzilla – Bug 1301301
Incorrect OPENSSL_VERSION_NUMBER (0x10000003) reported during runtime check, should be (0x1000205f)
Last modified: 2016-06-26 13:20:50 EDT
When using openssl-1.0.2e-3.fc23.x86_64, a program that attempts to check the OPENSSL_VERSION_NUMBER during runtime reports an incorrect, outdated version:
"OpenSSL 1.0.0-fips 29 Mar 2010" (0x10000003)
rather than the correct version:
"OpenSSL 1.0.2e-fips 3 Dec 2015" (0x1000205f)
~]# rpm -q openssl
~]# openssl version
OpenSSL 1.0.2e-fips 3 Dec 2015
I came across this issue when compiling and running Kamailio against openssl-1.0.2e-3.fc23.x86_64. Kamailio has an internal check for the version to prevent runtime errors if the compiled/installed versions are "too different".
Can the OPENSSL_VERSION_NUMBER be fixed to report the correct version for downstream programs that verify against OPENSSL_VERSION_NUMBER?
For reference, the Kamailio code generating the warning is here:
Are you saying that the program was compiled against the current openssl on Fedora 23 and it still reports this old version? That seems weird. This is only a compatibility hack that should be in effect only with applications compiled against much older openssl versions.
(In reply to Tomas Mraz from comment #1)
> Are you saying that the program was compiled against the current openssl on
> Fedora 23 and it still reports this old version? That seems weird. This is
That is exactly what I am seeing. I compile Kamailio in a koji/mock chroot and run on a fresh F23 installation.
I am unable to reproduce the problem.
This simple program:
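#include <stdio.h>
#include <openssl/crypto.h>   /* SSLeay(), SSLeay_version(); pulls in opensslv.h */
int main(void) {
    unsigned long ssl_version = SSLeay();   /* version of the library resolved at runtime */
    printf("Compiled with: %lx (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT);
    printf("Running with: %lx (%s)\n", ssl_version, SSLeay_version(SSLEAY_VERSION));
    return 0;
}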
When compiled with "make ssltest CFLAGS='-Wall -g -O2' LDFLAGS='-lcrypto -lssl'"
on Fedora 23 prints:
Compiled with: 1000206f (OpenSSL 1.0.2f-fips 28 Jan 2016)
Running with: 1000206f (OpenSSL 1.0.2f-fips 28 Jan 2016)
Maybe Kamailio does something strange during the build that forces it to link with the compat symbol? But I do not know of any method to actually force such a thing.
Also I believe if the versioning was really broken other software would return such an error but I am not getting any similar bug reports.
(In reply to Tomas Mraz from comment #4)
> Also I believe if the versioning was really broken other software would
> return such an error but I am not getting any similar bug reports.
Well, thank you for checking into it. I'll try to follow up with the Kamailio devs since they can't seem to figure it out either except for if I had a stray openssl install on my system. I have installed a completely fresh F23 VM and get the same result.
It turns out that the Makefile for Kamailio's TLS module was using:
LIBS += $(shell pkg-config libssl --libs)
which only returns '-lssl'
# pkg-config libssl --libs
It seems that in order for the version detection to work properly, it also needs '-lcrypto'
I'll modify the libssl.pc to add -lcrypto. It's very strange that the symbol resolution went this way without the -lcrypto though.
(In reply to Tomas Mraz from comment #7)
> I'll modify the libssl.pc to add -lcrypto. It's very strange that the symbol
> resolution went this way without the -lcrypto though.
Sorry for the delay. This fixes the issue.
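
Added example (not part of the original thread, and not Kamailio's or OpenSSL's code): a small decoder for the two version numbers in this report, using the 0xMNNFFPPS layout of OpenSSL 1.0.x version numbers, plus a compile-time versus runtime comparison. The function names and the "same major.minor.fix" policy are assumptions made for illustration.

```c
#include <stdio.h>

struct ossl_ver {
    unsigned major, minor, fix, patch, status;
};

/* Split a 1.0.x-style OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into its fields. */
static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;   /* 0 = none, 1 = 'a', 2 = 'b', ... */
    r.status = v & 0xf;            /* 0 = dev, 1..0xe = beta, 0xf = release */
    return r;
}

/* Format as e.g. "1.0.2e"; returns buf. */
static const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

/* Assumed policy: headers and library must agree on major.minor.fix. */
static int ossl_same_branch(unsigned long compiled, unsigned long runtime)
{
    return (compiled >> 12) == (runtime >> 12);
}

int main(void)
{
    /* Values from this report: header value vs. the value seen at runtime. */
    unsigned long compiled = 0x1000205fUL, runtime = 0x10000003UL;
    char a[16], b[16];
    int ok = ossl_same_branch(compiled, runtime);
    printf("compiled %s, runtime %s: %s\n",
           ossl_format(compiled, a, sizeof a),
           ossl_format(runtime, b, sizeof b), ok ? "ok" : "MISMATCH");
    return ok ? 0 : 1;
}
```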