Build failure with openssl 1.1.0 #90

Closed
globin opened this issue Feb 2, 2017 · 10 comments

@globin

globin commented Feb 2, 2017

When building with openssl 1.1.0 a compiler error occurs:
https://hydra.nixos.org/build/47456913/nixlog/1/raw

@DuoKristina
Contributor

Duo Unix is still dependent on TLSv1, which is deprecated in OpenSSL 1.1.0. Try rolling back to OpenSSL 1.0.2 and building with that.

Thanks for trying Duo!

@HyperDevil

HyperDevil commented Feb 5, 2017

I need to use 1.1.0; 1.0.2 is deprecated in Debian stretch.
APT pinning will likely break a Debian installation.

So I need this fixed before I can use DuoSecurity... Hopefully this will be fixed soon.

@JohnMaguire

@HyperDevil It appears that there is an openssl1.0 package in the APT repositories for stretch. Perhaps it can be installed alongside your OpenSSL 1.1.0 installation?

See: https://packages.debian.org/source/stretch/openssl1.0

@HyperDevil

HyperDevil commented Feb 6, 2017

That is the source package only; there is no ready binary.
I cannot install both at the same time, since APT will only allow one.
Other services on Debian stretch are built on 1.1.0.

The way you advise will likely break other subsystems.

What if you just add the HTTP OpenSSL library to your package instead of linking to a deprecated OpenSSL release?

Also, Ubuntu and Red Hat will remove 1.0.2 in the future.

@JohnMaguire

We would like to support 1.1.0 in an upcoming release. As a workaround, I believe you can install the following two packages on stretch: libssl1.0.2 libssl1.0-dev.

libssl1.0-dev will conflict with libssl-dev, but libssl1.0.2 should not conflict with libssl1.1.

The result will be that you have shared libraries for both 1.0.2 and 1.1.0, and your development headers will be for 1.0.2. You can then compile duo_unix, and then re-install libssl-dev to ensure that future packages are built against 1.1.0.

@JohnMaguire

JohnMaguire commented Feb 6, 2017

```
-> % sudo apt install libssl1.0-dev libssl1.0.2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl1.0-dev
The following packages will be upgraded:
  libssl1.0.2
1 upgraded, 1 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,851 kB of archives.
After this operation, 43.0 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0.2 amd64 1.0.2k-1 [1,294 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0-dev amd64 1.0.2k-1 [1,557 kB]
Fetched 2,851 kB in 0s (22.1 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 135940 files and directories currently installed.)
Removing libssl-dev:amd64 (1.0.2h-1) ...
(Reading database ... 135854 files and directories currently installed.)
Preparing to unpack .../0-libssl1.0.2_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0.2:amd64 (1.0.2k-1) over (1.0.2h-1) ...
Selecting previously unselected package libssl1.0-dev:amd64.
Preparing to unpack .../1-libssl1.0-dev_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0-dev:amd64 (1.0.2k-1) ...
Setting up libssl1.0.2:amd64 (1.0.2k-1) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.0-dev:amd64 (1.0.2k-1) ...
```

This is where you compile duo_unix

```
-> % sudo apt install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libssl1.1
The following packages will be REMOVED:
  libssl1.0-dev
The following NEW packages will be installed:
  libssl-dev libssl1.1
0 upgraded, 2 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,905 kB of archives.
After this operation, 3,159 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.1 amd64 1.1.0c-2 [1,337 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl-dev amd64 1.1.0c-2 [1,569 kB]
Fetched 2,905 kB in 0s (15.8 MB/s)
Preconfiguring packages ...
(Reading database ... 135941 files and directories currently installed.)
Removing libssl1.0-dev:amd64 (1.0.2k-1) ...
Selecting previously unselected package libssl1.1:amd64.
(Reading database ... 135855 files and directories currently installed.)
Preparing to unpack .../0-libssl1.1_1.1.0c-2_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.0c-2) ...
Selecting previously unselected package libssl-dev:amd64.
Preparing to unpack .../1-libssl-dev_1.1.0c-2_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.1:amd64 (1.1.0c-2) ...
Setting up libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
-> % ls -l /usr/lib/x86_64-linux-gnu/libssl.*
-rw-r--r-- 1 root root 735998 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.a
lrwxrwxrwx 1 root root     13 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so -> libssl.so.1.1
-rw-r--r-- 1 root root 434968 Jul  9  2015 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
-rw-r--r-- 1 root root 431232 Jan 26 10:39 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
-rw-r--r-- 1 root root 438792 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
```

@HyperDevil

I will try soon! Thanks for the information.

@HyperDevil

HyperDevil commented Feb 7, 2017

I have followed the guide and got the Duo Security PAM module loaded.
But I get this error when the user tries to authenticate.

Feb 7 18:46:52 bla sshd[28554]: Failsafe Duo login for 'yomama' from 10.0.99.215: Couldn't connect to api-y43hj4k2a.duosecurity.com: sslv3 alert bad record mac

That is an example API address and user ;)

@JohnMaguire

Thanks for the update! I'm unable to reproduce the issue on my stretch install, unfortunately.

Can you provide the output of `openssl s_client -connect api-y43hj4k2a.duosecurity.com:443` please?

@JohnMaguire

Additionally, the output of `ldd /lib64/security/pam_duo.so` (assuming this is where you installed it) would be very helpful, thanks!
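
One way to read the `ldd` output requested above after swapping the dev packages, as an added example that is not part of the original thread or the Duo Unix project: it checks that libssl and libcrypto resolve to the same 1.0.x soname. The function names and sample inputs are constructed, and the libcrypto sonames are assumed to follow the same Debian naming as the libssl files listed in the thread.

```shell
#!/usr/bin/env bash
# Added example: classify the OpenSSL libraries a module resolves to,
# reading `ldd` output on stdin. Sample inputs below are constructed.

# Print the soname version of one library (e.g. "1.0.2"), "unresolved" if
# ldd reported "not found", or nothing if the library is not linked at all.
soname_version() {   # $1 = library base name; stdin = ldd output
    awk -v lib="$1" '
        $1 ~ "^" lib "\\.so\\." {
            if ($3 == "not") { print "unresolved"; exit }
            sub("^" lib "\\.so\\.", "", $1); print $1; exit
        }'
}

# Return 0 if libssl and libcrypto both resolve to the same 1.0.x soname,
# 1 on a libssl/libcrypto version mismatch, 2 if either is missing or
# unresolved, 3 if both match but are not the 1.0.x ABI.
check_ssl_linkage() {
    local out ssl crypto
    out=$(cat)
    ssl=$(printf '%s\n' "$out" | soname_version libssl)
    crypto=$(printf '%s\n' "$out" | soname_version libcrypto)
    case "$ssl:$crypto" in
        :*|*:|unresolved:*|*:unresolved)
            echo "missing: libssl='$ssl' libcrypto='$crypto'"; return 2 ;;
    esac
    if [ "$ssl" != "$crypto" ]; then
        echo "mismatch: libssl.so.$ssl with libcrypto.so.$crypto"; return 1
    fi
    case "$ssl" in
        1.0.*) echo "ok: OpenSSL 1.0.x ABI ($ssl)"; return 0 ;;
        *)     echo "other: OpenSSL ABI $ssl"; return 3 ;;
    esac
}

# Constructed ldd output: consistent 1.0.2, mixed branches, runtime removed.
SAMPLE_OK='    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000200000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000000000)'
SAMPLE_MIXED='    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000200000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000000000)'
SAMPLE_GONE='    libssl.so.1.0.2 => not found
    libcrypto.so.1.0.2 => not found'

# Real use: ldd /lib64/security/pam_duo.so | check_ssl_linkage
for s in "$SAMPLE_OK" "$SAMPLE_MIXED" "$SAMPLE_GONE"; do
    printf '%s\n' "$s" | check_ssl_linkage || true
done
```
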
