New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build failure with openssl 1.1.0 #90

Closed
globin opened this Issue Feb 2, 2017 · 10 comments

Comments

Projects
None yet
4 participants
@globin

globin commented Feb 2, 2017

When building with openssl 1.1.0 a compiler error occurs:
https://hydra.nixos.org/build/47456913/nixlog/1/raw

@DuoKristina

This comment has been minimized.

Show comment
Hide comment
@DuoKristina

DuoKristina Feb 2, 2017

Duo Unix is still dependent on TLSv1, which is deprecated in OpenSSL 1.1.0. Try rolling back to OpenSSL 1.0.2 and building with that.

Thanks for trying Duo!

DuoKristina commented Feb 2, 2017

Duo Unix is still dependent on TLSv1, which is deprecated in OpenSSL 1.1.0. Try rolling back to OpenSSL 1.0.2 and building with that.

Thanks for trying Duo!

@HyperDevil

This comment has been minimized.

Show comment
Hide comment
@HyperDevil

HyperDevil Feb 5, 2017

I need to use 1.1.0, 1.0.2 is depricated in debian stretch.
APT pinning wil likely break a debian installation.

So i need this fixed before i can use DuoSecurity......... hopefully this will be fixed soon.

HyperDevil commented Feb 5, 2017

I need to use 1.1.0, 1.0.2 is depricated in debian stretch.
APT pinning wil likely break a debian installation.

So i need this fixed before i can use DuoSecurity......... hopefully this will be fixed soon.

@JohnMaguire

This comment has been minimized.

Show comment
Hide comment
@JohnMaguire

JohnMaguire Feb 6, 2017

Member

@HyperDevil It appears that there is an openssl1.0 package in the APT repositories for stretch. Perhaps it can be installed alongside your OpenSSL 1.1.0 installation?

See: https://packages.debian.org/source/stretch/openssl1.0

Member

JohnMaguire commented Feb 6, 2017

@HyperDevil It appears that there is an openssl1.0 package in the APT repositories for stretch. Perhaps it can be installed alongside your OpenSSL 1.1.0 installation?

See: https://packages.debian.org/source/stretch/openssl1.0

@HyperDevil

This comment has been minimized.

Show comment
Hide comment
@HyperDevil

HyperDevil Feb 6, 2017

That is the source package only, there is no ready binary.
I cannot install both at the same time, since APT will only allow one.
Other services on debian stretch are built on 1.1.0.

They way you advice will likely break other subsystems.

What if you just add the HTTP OpenSSL library to your package instead instead of linking to a deprecated openssl release?

Also ubuntu and redhat will remove 1.0.2 in the future.

HyperDevil commented Feb 6, 2017

That is the source package only, there is no ready binary.
I cannot install both at the same time, since APT will only allow one.
Other services on debian stretch are built on 1.1.0.

They way you advice will likely break other subsystems.

What if you just add the HTTP OpenSSL library to your package instead instead of linking to a deprecated openssl release?

Also ubuntu and redhat will remove 1.0.2 in the future.

@JohnMaguire

This comment has been minimized.

Show comment
Hide comment
@JohnMaguire

JohnMaguire Feb 6, 2017

Member

We would like to support 1.1.0 in an upcoming release. As a workaround, I believe you can install the following two packages on stretch: libssl1.0.2 libssl1.0-dev.

libssl1.0-dev will conflict with libssl-dev, but libssl1.0.2 should not conflict with libssl1.1.

The result will be that you have shared libraries for both 1.0.2 and 1.1.0, and your development headers will be for 1.0.2 You can then compile duo_unix, and then re-install libssl-dev to ensure that future packages are built against 1.1.0.

Member

JohnMaguire commented Feb 6, 2017

We would like to support 1.1.0 in an upcoming release. As a workaround, I believe you can install the following two packages on stretch: libssl1.0.2 libssl1.0-dev.

libssl1.0-dev will conflict with libssl-dev, but libssl1.0.2 should not conflict with libssl1.1.

The result will be that you have shared libraries for both 1.0.2 and 1.1.0, and your development headers will be for 1.0.2 You can then compile duo_unix, and then re-install libssl-dev to ensure that future packages are built against 1.1.0.

@JohnMaguire

This comment has been minimized.

Show comment
Hide comment
@JohnMaguire

JohnMaguire Feb 6, 2017

Member
-> % sudo apt install libssl1.0-dev libssl1.0.2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl1.0-dev
The following packages will be upgraded:
  libssl1.0.2
1 upgraded, 1 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,851 kB of archives.
After this operation, 43.0 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0.2 amd64 1.0.2k-1 [1,294 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0-dev amd64 1.0.2k-1 [1,557 kB]
Fetched 2,851 kB in 0s (22.1 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 135940 files and directories currently installed.)
Removing libssl-dev:amd64 (1.0.2h-1) ...
(Reading database ... 135854 files and directories currently installed.)
Preparing to unpack .../0-libssl1.0.2_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0.2:amd64 (1.0.2k-1) over (1.0.2h-1) ...
Selecting previously unselected package libssl1.0-dev:amd64.
Preparing to unpack .../1-libssl1.0-dev_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0-dev:amd64 (1.0.2k-1) ...
Setting up libssl1.0.2:amd64 (1.0.2k-1) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.0-dev:amd64 (1.0.2k-1) ...

This is where you compile duo_unix

-> % sudo apt install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libssl1.1
The following packages will be REMOVED:
  libssl1.0-dev
The following NEW packages will be installed:
  libssl-dev libssl1.1
0 upgraded, 2 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,905 kB of archives.
After this operation, 3,159 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.1 amd64 1.1.0c-2 [1,337 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl-dev amd64 1.1.0c-2 [1,569 kB]
Fetched 2,905 kB in 0s (15.8 MB/s)
Preconfiguring packages ...
(Reading database ... 135941 files and directories currently installed.)
Removing libssl1.0-dev:amd64 (1.0.2k-1) ...
Selecting previously unselected package libssl1.1:amd64.
(Reading database ... 135855 files and directories currently installed.)
Preparing to unpack .../0-libssl1.1_1.1.0c-2_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.0c-2) ...
Selecting previously unselected package libssl-dev:amd64.
Preparing to unpack .../1-libssl-dev_1.1.0c-2_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.1:amd64 (1.1.0c-2) ...
Setting up libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
-> % ls -l /usr/lib/x86_64-linux-gnu/libssl.*
-rw-r--r-- 1 root root 735998 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.a
lrwxrwxrwx 1 root root     13 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so -> libssl.so.1.1
-rw-r--r-- 1 root root 434968 Jul  9  2015 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
-rw-r--r-- 1 root root 431232 Jan 26 10:39 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
-rw-r--r-- 1 root root 438792 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
Member

JohnMaguire commented Feb 6, 2017

-> % sudo apt install libssl1.0-dev libssl1.0.2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libssl-dev
The following NEW packages will be installed:
  libssl1.0-dev
The following packages will be upgraded:
  libssl1.0.2
1 upgraded, 1 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,851 kB of archives.
After this operation, 43.0 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0.2 amd64 1.0.2k-1 [1,294 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl1.0-dev amd64 1.0.2k-1 [1,557 kB]
Fetched 2,851 kB in 0s (22.1 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 135940 files and directories currently installed.)
Removing libssl-dev:amd64 (1.0.2h-1) ...
(Reading database ... 135854 files and directories currently installed.)
Preparing to unpack .../0-libssl1.0.2_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0.2:amd64 (1.0.2k-1) over (1.0.2h-1) ...
Selecting previously unselected package libssl1.0-dev:amd64.
Preparing to unpack .../1-libssl1.0-dev_1.0.2k-1_amd64.deb ...
Unpacking libssl1.0-dev:amd64 (1.0.2k-1) ...
Setting up libssl1.0.2:amd64 (1.0.2k-1) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.0-dev:amd64 (1.0.2k-1) ...

This is where you compile duo_unix

-> % sudo apt install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libssl1.1
The following packages will be REMOVED:
  libssl1.0-dev
The following NEW packages will be installed:
  libssl-dev libssl1.1
0 upgraded, 2 newly installed, 1 to remove and 521 not upgraded.
Need to get 2,905 kB of archives.
After this operation, 3,159 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian testing/main amd64 libssl1.1 amd64 1.1.0c-2 [1,337 kB]
Get:2 http://ftp.us.debian.org/debian testing/main amd64 libssl-dev amd64 1.1.0c-2 [1,569 kB]
Fetched 2,905 kB in 0s (15.8 MB/s)
Preconfiguring packages ...
(Reading database ... 135941 files and directories currently installed.)
Removing libssl1.0-dev:amd64 (1.0.2k-1) ...
Selecting previously unselected package libssl1.1:amd64.
(Reading database ... 135855 files and directories currently installed.)
Preparing to unpack .../0-libssl1.1_1.1.0c-2_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.0c-2) ...
Selecting previously unselected package libssl-dev:amd64.
Preparing to unpack .../1-libssl-dev_1.1.0c-2_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
Setting up libssl1.1:amd64 (1.1.0c-2) ...
Setting up libssl-dev:amd64 (1.1.0c-2) ...
Processing triggers for libc-bin (2.24-7) ...
-> % ls -l /usr/lib/x86_64-linux-gnu/libssl.*
-rw-r--r-- 1 root root 735998 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.a
lrwxrwxrwx 1 root root     13 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so -> libssl.so.1.1
-rw-r--r-- 1 root root 434968 Jul  9  2015 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
-rw-r--r-- 1 root root 431232 Jan 26 10:39 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
-rw-r--r-- 1 root root 438792 Nov 21 16:20 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
@HyperDevil

This comment has been minimized.

Show comment
Hide comment
@HyperDevil

HyperDevil Feb 6, 2017

I will try soon! thanks for the information.

HyperDevil commented Feb 6, 2017

I will try soon! thanks for the information.

@HyperDevil

This comment has been minimized.

Show comment
Hide comment
@HyperDevil

HyperDevil Feb 7, 2017

I have followed the guide and got duo security pam module loaded.
But i get this error when the user tries to authenticate.

Feb 7 18:46:52 bla sshd[28554]: Failsafe Duo login for 'yomama' from 10.0.99.215: Couldn't connect to api-y43hj4k2a.duosecurity.com: sslv3 alert bad record mac

that is an example api adress and user ;)

HyperDevil commented Feb 7, 2017

I have followed the guide and got duo security pam module loaded.
But i get this error when the user tries to authenticate.

Feb 7 18:46:52 bla sshd[28554]: Failsafe Duo login for 'yomama' from 10.0.99.215: Couldn't connect to api-y43hj4k2a.duosecurity.com: sslv3 alert bad record mac

that is an example api adress and user ;)

@JohnMaguire

This comment has been minimized.

Show comment
Hide comment
@JohnMaguire

JohnMaguire Feb 8, 2017

Member

Thanks for the update! I'm unable to reproduce the issue on my stretch install, unfortunately.

Can you provide the output of openssl s_client -connect api-y43hj4k2a.duosecurity.com:443 please?

Member

JohnMaguire commented Feb 8, 2017

Thanks for the update! I'm unable to reproduce the issue on my stretch install, unfortunately.

Can you provide the output of openssl s_client -connect api-y43hj4k2a.duosecurity.com:443 please?

@JohnMaguire

This comment has been minimized.

Show comment
Hide comment
@JohnMaguire

JohnMaguire Feb 9, 2017

Member

Additionally, the output of ldd /lib64/security/pam_duo.so (assuming this is where you installed it) would be very helpful, thanks!

Member

JohnMaguire commented Feb 9, 2017

Additionally, the output of ldd /lib64/security/pam_duo.so (assuming this is where you installed it) would be very helpful, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment