Branch: refs/heads/master
Home:
https://github.com/Checkmk/checkmk
Commit: 7305ca5f66553f475b26acc98348970c286be3d7
https://github.com/Checkmk/checkmk/commit/7305ca5f66553f475b26acc98348970c2…
Author: Max Linke <max.linke(a)checkmk.com>
Date: 2023-10-02 (Mon, 02 Oct 2023)
Changed paths:
M buildscripts/infrastructure/build-nodes/scripts/install-openssl.sh
M buildscripts/infrastructure/build-nodes/scripts/install-python.sh
M omd/packages/openssl/BUILD.openssl
M omd/packages/openssl/openssl.make
M package_versions.bzl
Log Message:
-----------
update openssl to next lts
1.1.1 is EOL in September
JIRA: CMK-14374
For openssl3 we need to deactivate loading modules at runtime. If
modules are enabled, the legacy algorithms are compiled as a module.
The path to the legacy module is set as a MACRO when the compiler is
called [1]. Given we build with bazel, this will be some bazel path on
the build node. During runtime openssl will first look if a variable
"OPENSSL_MODULES" is defined; if not, it will fall back to the macro [2].
The path the macro points to does not exist once we install the deb/rpm
packages. This results in openssl not finding the legacy module and
crashing when trying to load it.
The cryptography package is trying to load the legacy module on import [3].
The legacy module can be disabled in newer versions. However, we need legacy
algorithms for snmpv3 support.
The solution is only documented in a GitHub issue [4].
[1]:
https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08…
[2]:
https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08…
[3]:
https://github.com/pyca/cryptography/blob/c255b00525dbbee3b3cc80fb63ca608e5…
[4]:
https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204
Change-Id: Ibe330c975769ae5729bff49f70c4e30c0d4e6c6f
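
The lookup order described in the log message, as an added example that is not part of the commit or the Checkmk code base. It models only the two steps the message names (the "OPENSSL_MODULES" variable, then the compiled-in macro) and reports whether a loadable legacy module exists at the resulting path. Assumptions: the macro value is taken from the MODULESDIR line that `openssl version -m` prints on OpenSSL 3, the module file is named legacy.so as on Linux, and the function names and the sample path are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample of `openssl version -m` output; the path is made up.
SAMPLE_VERSION_M = 'MODULESDIR: "/constructed/bazel/execroot/openssl/lib/ossl-modules"'


def resolve_modules_dir(env, version_m_output):
    """Return (directory, source) using the two-step lookup the commit describes."""
    if "OPENSSL_MODULES" in env:  # the environment variable is consulted first
        return env["OPENSSL_MODULES"], "OPENSSL_MODULES"
    match = re.search(r'MODULESDIR:\s*"([^"]*)"', version_m_output)
    if match is None:
        raise ValueError("no MODULESDIR line in the supplied output")
    return match.group(1), "compiled-in macro"  # fallback baked in at build time


def legacy_module_status(env, version_m_output, module_name="legacy.so"):
    """Report where a loadable legacy module would be searched and if it exists."""
    directory, source = resolve_modules_dir(env, version_m_output)
    module = os.path.join(directory, module_name)
    return {"dir": directory, "source": source, "module": module,
            "present": os.path.isfile(module)}


if __name__ == "__main__":
    # Case 1: no override, macro points at a build-node path missing at runtime.
    print(legacy_module_status({}, SAMPLE_VERSION_M))
    # Case 2: override points at a directory that really holds the module.
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "legacy.so"), "wb").close()
        print(legacy_module_status({"OPENSSL_MODULES": tmp}, SAMPLE_VERSION_M))
```

Run against an installed package, pass `os.environ` and the real output of `openssl version -m` from the packaged binary instead of the constructed sample.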