[checkmk-commits] [Checkmk/checkmk] 7305ca: update openssl to next lts

Branch: refs/heads/master Home: https://github.com/Checkmk/checkmk Commit: 7305ca5f66553f475b26acc98348970c286be3d7 https://github.com/Checkmk/checkmk/commit/7305ca5f66553f475b26acc98348970c2… Author: Max Linke <max.linke(a)checkmk.com> Date: 2023-10-02 (Mon, 02 Oct 2023) Changed paths: M buildscripts/infrastructure/build-nodes/scripts/install-openssl.sh M buildscripts/infrastructure/build-nodes/scripts/install-python.sh M omd/packages/openssl/BUILD.openssl M omd/packages/openssl/openssl.make M package_versions.bzl Log Message: ----------- update openssl to next lts 1.1.1 is EOL in September JIRA: CMK-14374 For openssl3 we need to deactivate loading modules at runtime. If modules are enabled the legacy algorithms are compiled as a module. The path to the legacy module is set as a MACRO when the compiler is called [1]. Given we build with bazel this will be some bazel path on the build node. During runtime openssl will first look if a variable "OPENSSL_MODULES" is defined, if not it will fallback to the macro [2]. The path the macro points to does not exist once we install the deb/rpm packages. This results in openssl not finding the legacy module and crashing when trying to load it. The cryptography package is trying to load legacy module on import [3]. Legacy module can be disabled in newer versions. However we need legacy algorithms for snmpv3 support. The solution is only documented in a github issue [4]. [1]: https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08… [2]: https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08… [3]: https://github.com/pyca/cryptography/blob/c255b00525dbbee3b3cc80fb63ca608e5… [4]: https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204 Change-Id: Ibe330c975769ae5729bff49f70c4e30c0d4e6c6f