Red Hat Bugzilla – Bug 71544
OpenSSL RPM version numbering confusing
Last modified: 2007-04-18 12:45:31 EDT
Can you please explain definitively what the current status is regarding OpenSSL rpm versions? The version numbering used in your rpm appears to be intentionally out of date with what OpenSSL provides.
It is not clear, for example, if your rpms are actually up to date.
The OpenSSL FAQ affirms that your version numbering is wrong but doesn't explain the rationale.

Red Hat Linux (release 7.0 and later) include a preinstalled limited
version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
is disabled in this version. The same may apply to other Linux distributions.
Users may therefore wish to install more or all of the features left out.
To do this you MUST ensure that you do not overwrite the openssl that is in
/usr/bin on your Red Hat machine. Several packages depend on this file,
including sendmail and ssh. /usr/local/bin is a good alternative choice. The
libraries that come with Red Hat 7.0 onwards have different names and so are
not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
Please note that we have been advised by Red Hat attempting to recompile the
openssl rpm with all the cryptography enabled will not work. All other
packages depend on the original Red Hat supplied openssl package. It is also
worth noting that due to the way Red Hat supplies its packages, updates to
openssl on each distribution never change the package version, only the
build number. For example, on Red Hat 7.1, the latest openssl package has
version number 0.9.6 and build number 9 even though it contains all the
relevant updates in packages up to and including 0.9.6b.

What are you confused about? The FAQ is not quite right in the last paragraph,
the package version does always reflect the version of OpenSSL used, though we
do backport security fixes from newer versions.
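
Added example, not part of the bug report and not Red Hat's own code: a patch check that compares only the upstream version string reports the 0.9.6 build 9 package from the FAQ as older than 0.9.6b, while a check against the package's version-release does not. The comparison below is a simplified form of rpm's segment ordering (no epoch, `~` or `^` handling), and the fixed release `0.9.6-9` and older build `0.9.6-3` are constructed values standing in for what a vendor advisory would list.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm-style comparison: returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_vr(vr):
    """Split 'version-release' as printed by rpm -q --qf '%{VERSION}-%{RELEASE}'."""
    version, _, release = vr.partition("-")
    return version, release

def naive_is_patched(installed_vr, upstream_fixed):
    """What a banner-style check does: ignore the release, compare upstream versions."""
    return rpmvercmp(split_vr(installed_vr)[0], upstream_fixed) >= 0

def errata_is_patched(installed_vr, fixed_vr):
    """Compare version, then release, against the vendor's fixed package."""
    (iv, ir), (fv, fr) = split_vr(installed_vr), split_vr(fixed_vr)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

if __name__ == "__main__":
    installed = "0.9.6-9"        # version and build number quoted in the FAQ text
    upstream_fixed = "0.9.6b"    # upstream release named in the FAQ text
    vendor_fixed = "0.9.6-9"     # constructed: release an advisory would list as fixed
    print("naive check :", naive_is_patched(installed, upstream_fixed))
    print("errata check:", errata_is_patched(installed, vendor_fixed))
    print("older build :", errata_is_patched("0.9.6-3", vendor_fixed))  # constructed
```
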