Hi Gustaf, It just occurred to me that my comment about OpenSSL not being automatically configured by Naviserver was inappropriate. I was certainly not complaining and I completely understand that things change. My apologies. What that remark suggested was not my intention.
Thorpe > On Nov 8, 2022, at 00:37, Gustaf Neumann <neum...@wu.ac.at> wrote: > > From your original mail, i got the impression that you hand no "issues" with > NaviServer either, but you are wondering, why OpenSSL 3.* is not "picked up > automatically" and still linked against OpenSSL 1.*. Since there are many > differences between OpenSSL 1.* and 3.* [1], many distributors do not replace > the 1.* version upon installation of OpenSSL 3.* , but they install it side > by side, simply to avoid problems (there are many API changes, see e.g. > [2,3]). So, no all software compiled against the include files of OpenSSL 1.* > will work out of the box with OpenSSL 3.* > > Coming to my questions of the last mail: > - against which library is your nsd linked? > - have you reconfigured and recompiled naviserver? > > let me know, if i can be of any further help. > > -g > > [1] https://www.openssl.org/docs/man3.0/man7/migration_guide.html > [2] https://packages.debian.org/bullseye/amd64/libssl1.1/filelist > [3] https://packages.debian.org/bookworm/amd64/libssl3/filelist > > On 07.11.22 14:52, THORPE MAYES via naviserver-devel wrote: >> Hi Gustaf, >> >> Thank you for your response and the information. >> >> I did not have any issues with previous OpenSSL updates, although I had not >> installed 3.x versions. >> >> Best regards. >> >> Thorpe >> >> Thorpe Mayes >> (512) 394-8766 >> >>> On 6 Nov 2022, at 11:34, Gustaf Neumann <neum...@wu.ac.at> >>> <mailto:neum...@wu.ac.at> wrote: >>> Dear Thorpe, >>> it looks like you have now two versions of openssl installed on your >>> system, since the output "1.0.2k-fips" comes straight from the library. So, >>> if you see this string, the library is still there. >>> >>> One can check the version used during linkage via >>> >>> ldd /usr/local/ns/bin/nsd >>> >>> When upgrading to OpenSSL 3.*, it is recommended to recompile NaviServer >>> (make clean, configure ..., make, make install) such that NaviServer can >>> use >>> the newer library calls. When the path to the openssl libary is not >>> specified >>> explicitly, configure uses "pkg-config --libs openssl" to determine the >>> path the the library. >>> >>> all the best >>> >>> -g >>> >>> PS Btw, OpenACS.org runs with OpenSSL 3.2.0-dev >>> >>> On 06.11.22 13:47, THORPE MAYES via naviserver-devel wrote: >>>> Hi, >>>> >>>> I updated OpenSSL on my server to version 3.0.7. >>>> >>>> Prior to updating, openssl version -a showed: >>>> >>>> OpenSSL 1.0.2k-fips 26 Jan 2017 >>>> built on: reproducible build, date unspecified >>>> platform: linux-x86_64 >>>> options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) >>>> blowfish(idx) >>>> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB >>>> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 >>>> -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions >>>> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches >>>> -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 >>>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >>>> -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM >>>> -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM >>>> OPENSSLDIR: "/etc/pki/tls" >>>> engines: rdrand dynamic >>>> >>>> After updating, openssl version -a showed: >>>> >>>> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022) >>>> built on: Sat Nov 5 14:56:48 2022 UTC >>>> platform: linux-x86_64 >>>> options: bn(64,64) >>>> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 >>>> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL >>>> -DZLIB -DNDEBUG >>>> OPENSSLDIR: "/etc/ssl" >>>> ENGINESDIR: "/etc/ssl/lib64/engines-3" >>>> MODULESDIR: "/etc/ssl/lib64/ossl-modules" >>>> Seeding source: os-specific >>>> CPUINFO: OPENSSL_ia32cap=0xfffa3203478bffff:0x7a9 >>>> >>>> When I restart naviserver I see this in the log file: >>>> >>>> Notice: OpenSSL OpenSSL 1.0.2k-fips 26 Jan 2017 initialized >>>> >>>> That is the previous version of OpenSSL on the server. >>>> >>>> What do I need to change in order for naviserver to use the current >>>> version of OpenSSL? Or, does it matter? >>>> >>>> When I updated to naviserver version 4.99.24 my configuration was: >>>> ./configure --prefix=/usr/local/ns --with-tcl=/usr/local/ns/lib >>>> --enable-symbols >>>> >>>> >>>> Thorpe > > _______________________________________________ > naviserver-devel mailing list > naviserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/naviserver-devel
_______________________________________________ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel