Bug 517908 - net-dialup/freeradius-2.2.5 - libssl version mismatch. Built with: 1000107f Linked: 1000108f
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: Normal normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2014-07-23 22:22 UTC by Kobboi
Modified: 2016-06-12 09:56 UTC

Attachments
Patch to remove fatal exit for SSL version mismatch (file_517908.txt,505 bytes, patch)
2015-01-22 20:44 UTC, David K. Thompson

Description Kobboi 2014-07-23 22:22:32 UTC
# radiusd -X
(...)
libssl version mismatch.  Built with: 1000107f   Linked: 1000108f

Is this something portage should be able to fix? Recompile freeradius after libssl upgrade or something?



Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-24 11:06:00 UTC
(In reply to Kobboi from comment #0)
> # radiusd -X
> (...)
> libssl version mismatch.  Built with: 1000107f   Linked: 1000108f
> 
> Is this something portage should be able to fix? Recompile freeradius after
> libssl upgrade or something?

Maybe it should check for features, not versions.
Comment 2 David K. Thompson 2015-01-22 18:31:45 UTC
I have similar experience.

Every time openssl has a (minor) upgrade, freeradius has to be rebuilt against the new library.

While this may be an upstream issue with freeradius, perhaps we can (at least temporarily) add a dependency to rebuild freeradius with the updated openssl?

Otherwise it fails the next time radiusd is restarted, usually on a system reboot at a later date.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-22 19:10:55 UTC
(In reply to David K. Thompson from comment #2)
> While this may be an upstream issue with freeradius, perhaps we can (at
> least temporarily) add a dependency to rebuild freeradius with the updated
> openssl?

If dev-libs/openssl would set a sub-SLOT, then this could be done easily. But as is, we should probably rip out or cripple the offending code in freeradius. :)
Comment 4 David K. Thompson 2015-01-22 20:29:39 UTC
(In reply to Jeroen Roovers from comment #3)
> (In reply to David K. Thompson from comment #2)
> > While this may be an upstream issue with freeradius, perhaps we can (at
> > least temporarily) add a dependency to rebuild freeradius with the updated
> > openssl?
> 
> If dev-libs/openssl would set a sub-SLOT, then this could be done easily.
> But as is, we should probably rip out or cripple the offending code in
> freeradius. :)

Perhaps a patch to make the version mismatch a prominent WARNING vs. a fatal error? (as with net-ftp/proftpd)
Comment 5 David K. Thompson 2015-01-22 20:42:59 UTC
(In reply to David K. Thompson from comment #4)
> (In reply to Jeroen Roovers from comment #3)
> > (In reply to David K. Thompson from comment #2)
> > > While this may be an upstream issue with freeradius, perhaps we can (at
> > > least temporarily) add a dependency to rebuild freeradius with the updated
> > > openssl?
> > 
> > If dev-libs/openssl would set a sub-SLOT, then this could be done easily.
> > But as is, we should probably rip out or cripple the offending code in
> > freeradius. :)
> 
> Perhaps a patch to make the version mismatch a prominent WARNING vs. a fatal
> error? (as with net-ftp/proftpd)

Patch below. It checks below for vulnerable versions anyway and will still exit as it should in those cases:

Elsewhere the comment "better to die now than segfault later". I don't agree, especially when these are for minor openssl version upgrades.

--- src/main/version-orig.c     2015-01-22 12:37:38.000000000 -0800
+++ src/main/version.c  2015-01-22 12:36:14.000000000 -0800
@@ -59,8 +59,8 @@
                       "  Built with: %lx\n  Linked: %lx",
                       (unsigned long) ssl_built,
                       (unsigned long) ssl_linked);
-
-               return -1;
+/* Warn only. Give the user the opportunity to rebuild when upgrading OpenSSL */
+/*             return -1; */
        };
 
        if (!allow_vulnerable) {
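Review bot: Commenting out `return -1;` at the end of the mismatch branch makes every difference between ssl_built and ssl_linked non-fatal, not only the patch-level difference this bug reports (1000107f vs 1000108f). Consider keeping the return when the two values differ above the patch-level bits, so that only a patch-letter change is downgraded to a warning. Also delete the line instead of leaving it commented out, and indent the new comment to match the surrounding block, since it currently starts at column 0.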
Comment 6 David K. Thompson 2015-01-22 20:44:30 UTC
Created attachment 394658
Patch to remove fatal exit for SSL version mismatch
Comment 7 David K. Thompson 2015-01-22 20:58:09 UTC
(In reply to David K. Thompson from comment #6)
> Created attachment 394658
> Patch to remove fatal exit for SSL version mismatch

Above comments notwithstanding, if there are versions which are known to cause stability problems other than the specifically vulnerable versions already tested there may be a good case for refusing to start.

A minor version mismatch is a rather large cannon for this mosquito. Perhaps someone upstream can add a more discriminating check? :)
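A sketch of the "more discriminating check" asked for above, as an added example that is not part of the thread and not FreeRADIUS's code. It decodes the two values from the report using the OpenSSL 1.0.x layout 0xMNNFFPPS; the acceptance policy and the function names are assumptions made for illustration.

```c
#include <stdio.h>

/* OpenSSL 1.0.x version layout: 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'), S status (0xf = release) */
struct ssl_ver { unsigned major, minor, fix, patch, status; };

static struct ssl_ver ssl_ver_decode(unsigned long v)
{
    struct ssl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render as e.g. "1.0.1g"; returns buf. */
static char *ssl_ver_format(unsigned long v, char *buf, size_t len)
{
    struct ssl_ver r = ssl_ver_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26) letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

/* Assumed policy (hypothetical, not FreeRADIUS's): accept when major, minor,
 * fix and status match and the linked patch level is not older than the
 * one built against. Returns 1 if acceptable, 0 if not. */
static int ssl_version_acceptable(unsigned long built, unsigned long linked)
{
    struct ssl_ver b = ssl_ver_decode(built), l = ssl_ver_decode(linked);
    if (b.major != l.major || b.minor != l.minor || b.fix != l.fix) return 0;
    if (b.status != l.status) return 0;
    return l.patch >= b.patch;
}

int main(void)
{
    char b[16], l[16];
    unsigned long built = 0x1000107fUL, linked = 0x1000108fUL; /* from the report */
    printf("built %s, linked %s: %s\n",
           ssl_ver_format(built, b, sizeof b), ssl_ver_format(linked, l, sizeof l),
           ssl_version_acceptable(built, linked) ? "ok" : "mismatch");
    return 0;
}
```

With the values from the report this decodes a build against 1.0.1g running on 1.0.1h, which the assumed policy accepts; a downgrade or a change in the fix number is still rejected.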
Comment 8 Anton Bolshakov 2015-09-07 23:52:24 UTC
Can we just add openssl:= while waiting for the upstream?

I hit this bug (again) yesterday. It took me a while to figure out what's wrong and then I found that the bug has been known for a year.
Comment 9 Pacho Ramos gentoo-dev 2016-02-18 11:49:53 UTC
CCing openssl maintainers, but I disagree with freeradius upstream requiring this rebuild on every bump :/
Comment 10 SpanKY gentoo-dev 2016-02-18 13:34:22 UTC
freeradius is broken.  the openssl abi is compatible across minor versions.

just delete the check altogether.  openssl changes SONAME when it's not compatible.
Comment 11 Anton Bolshakov 2016-02-28 10:02:43 UTC
version 2.2.9 has --disable-openssl-version-check option which might fix the problem.
Comment 12 Andrius Štikonas 2016-05-12 23:48:36 UTC
(In reply to Anton Bolshakov from comment #11)
> version 2.2.9 has --disable-openssl-version-check option which might fix the
> problem.

It worked for me with 3.0.11-r1
Comment 13 David K. Thompson 2016-05-13 04:32:01 UTC
Great.

echo "net-dialup/freeradius freeradius.conf" >> /etc/portage/package.env
mkdir -p /etc/portage/env
echo "EXTRA_ECONF=\"--disable-openssl-version-check\"" > /etc/portage/env/freeradius.conf

Works for me with 2.2.5
Comment 14 David K. Thompson 2016-05-13 05:08:35 UTC
(In reply to David K. Thompson from comment #13)
> Great.
> 
> echo "net-dialup/freeradius freeradius.conf" >> /etc/portage/package.env
> mkdir -p /etc/portage/env
> echo "EXTRA_ECONF=\"--disable-openssl-version-check\"" >
> /etc/portage/env/freeradius.conf
> 
> Works for me with 2.2.5

Except that it doesn't. That was tested with 2.2.9, not 2.2.5 (current stable version)

Freeradius has fixed the version check as of 2.2.9 so there's no need to disable the check to avoid this bug. If you disable it, you also lose the check for vulnerable versions of openssl which is not desirable.

http://lists.freeradius.org/pipermail/freeradius-devel/2015-January/010417.html

Perhaps we can make 2.2.9 stable, and/or patch 2.2.5 ?
Comment 15 Pacho Ramos gentoo-dev 2016-06-12 09:56:19 UTC
2.2.9-r1 is in stable now