[ale] openssl related software question

jenn at colormaria.com jenn at colormaria.com
Tue Jul 30 23:00:55 EDT 2002


I forget that RH tries to be helpful -- as a rule, I use very little out
of the box and rarely, if ever, use rpm.  But this approach is modeled after
sys admins that actually know what they're doing, as you can see sometimes
this backfires rather publicly. :\

So if anyone is reading this thread and is remotely interested, here's what I
did

./config shared
make
make test
make install (which installs libraries into /usr/local/ssl/lib/)
ln -s /usr/local/ssl/lib/libcrypto.so.0.9.6 /usr/lib/libcrypto.so.1
close eyes, cross fingers, stop/start sshd

As you said, mucking about with libraries is very dangerous stuff and I've
had more than my share of problems with them (ever try to compile cyrus
from source on a RH7 box???).  CAVEAT: I do know what uses these
libraries on my machines so I know what it's going to affect when I do
this.  If I didn't, I would never in a million years try this stunt and
would go with the rpms like a normal person.

Thanks to all for the wisdom impartation. :)
jenn




> Hey Jenn (et al.),
>
> Be aware that I just did an ldd on MY redhat 7.3 box that is current up
> to yesterday. My libcrypto was packaged in openssl (rpm -q
> --whatprovides libcrypto returned openssl-0.9.6b-18 (I smell an upgrade
> here, too)).
>
> I almost agree on the M$ism statement. However, changing libs is a
> non-trivial process. A mismatched lib call can crash a box. A
> controlled reboot is most often very safe. Slow, but safe.
>
> I'm not a wiz on everything RedHat has linked/compiled/mangled on their
> stuff. Most times I keep my basic systems as close to
> RH-shipping-with-updates as possible. With a few exceptions their QC is
> pretty good. Besides, I can slow my box down just by running Nautilus
> (it is getting better).  So if your openssh was a custom compile into
> /usr/local, you might need to do some more digging and see what other
> crypto RH installed for you. Prior to the 7.x series, crypto was not
> generally installed off a RH installation CD.
>
> On Tue, 2002-07-30 at 21:49, jenn at colormaria.com wrote:
>> > Calm down! When RedHat said "restart the server", they meant the
>> > SERVICE, not the box. So, yes after you install the openssl
>> > upgrades, you WILL have to restart apache and friends.
>>
>> *clearing throat* ahem: from
>>
>> http://online.securityfocus.com/archive/1/285019/2002-07-28/2002-08-03/0
>> bugzilla post to bugtraq:
>> "we advise users to reboot their systems after installing
>> these updates."
>>
>> reboot the system and restart the server are two entirely separate
>> creatures, my friend. ;)  I understand why they would say it, I just
>> found it somewhat alarming that they would so casually toss off a
>> M$ism.
>>
>> >
>> > ldd on openssh will not show a dependency on openssl since ssh
>> > doesn't depend use ssl. But it uses the crypto libs packaged with
>> > openssl.
>> >
>>
>> My glaring ignorance of libraries is showing like a beacon here...ldd
>> sshd does show libcrypto.so, but it's the one that was installed when
>> I installed redhat (/usr/lib/libcrypto.so and not /usr/local/ssl/lib/
>> ...default compile of openssl doesn't even *create* a shared object).
>>
>> Thanks for the response, I think I may be on the right track now but
>> may be back with more stupid questions
>>
>> jenn
>> not afraid to show my ignorance to the world, or at least the ALE
>> list. :)
>>
>>
>>
>>
>> ---
>> This message has been sent through the ALE general discussion list.
>> See http://www.ale.org/mailing-lists.shtml for more info. Problems
>> should be  sent to listmaster at ale dot org.
> --
> James P. Kinney III   \Changing the mobile computing world/
> President and CEO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
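
The restart-versus-reboot question in this thread comes down to which running processes still map the old libcrypto once the file on disk has been replaced. As an added example (not part of either message), this shell function scans /proc/PID/maps for mappings marked "(deleted)"; the sample tree, PIDs, inode numbers and library file name are constructed, and the second argument exists only so the function can be pointed at that sample tree.

```shell
#!/bin/sh
# Added example: find processes still running on a replaced shared library.

# stale_lib_procs LIBNAME [PROC_ROOT]
# Prints "PID COMM MAPPED_PATH" for each process that maps an unlinked
# copy of LIBNAME. Paths containing spaces are not handled.
stale_lib_procs() {
    lib=$1
    root=${2:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process exited, or not readable by us
        dir=${maps%/maps}
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        # maps fields: range perms offset dev inode path ["(deleted)"]
        awk -v lib="$lib" -v pid="$pid" -v comm="$comm" '
            $NF == "(deleted)" && index($6, "/" lib) && !seen[$6]++ {
                print pid, comm, $6
            }' "$maps" 2>/dev/null
    done
}

# Constructed sample: sshd started before the library was replaced,
# httpd restarted afterwards. Prints the directory it created.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/612" "$d/845"
    echo sshd > "$d/612/comm"
    echo httpd > "$d/845/comm"
    cat > "$d/612/maps" <<'EOF'
08048000-0807f000 r-xp 00000000 03:01 4411 /usr/sbin/sshd
40020000-400e4000 r-xp 00000000 03:01 9120 /usr/lib/libcrypto.so.0.9.6b (deleted)
400e4000-400f0000 rw-p 000c4000 03:01 9120 /usr/lib/libcrypto.so.0.9.6b (deleted)
EOF
    cat > "$d/845/maps" <<'EOF'
08048000-08090000 r-xp 00000000 03:01 5120 /usr/sbin/httpd
40020000-400e4000 r-xp 00000000 03:01 9977 /usr/lib/libcrypto.so.0.9.6b
EOF
    echo "$d"
}

# Run as root against the live system:  sh stale.sh libcrypto.so
if [ $# -gt 0 ]; then
    stale_lib_procs "$@"
fi
```

Every process it lists needs a restart to pick up the new library; an empty result after restarting services means nothing is left running on the old copy.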



