Branch: refs/heads/2.2.0
Home: https://github.com/Checkmk/checkmk
Commit: 2b30d6bb73815cddd17095f7e24f8cc6fe6cd1e0
https://github.com/Checkmk/checkmk/commit/2b30d6bb73815cddd17095f7e24f8cc6f…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M buildscripts/infrastructure/build-nodes/centos-7/Dockerfile
Log Message:
-----------
Prepare CentOS images for OpenSSL 3 update
CMK-14374
Change-Id: Ieba7748e45163b2b6eb22e135bd67fd84c12d341
Commit: f22db26459f354b4b50916df80240b604ea4a324
https://github.com/Checkmk/checkmk/commit/f22db26459f354b4b50916df80240b604…
Author: Max Linke <max.linke(a)checkmk.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M buildscripts/infrastructure/build-nodes/scripts/install-openssl.sh
M buildscripts/infrastructure/build-nodes/scripts/install-python.sh
M omd/packages/openssl/BUILD.openssl
M omd/packages/openssl/openssl.make
M omd/packages/openssl/openssl_http.bzl
M omd/packages/xmlsec1/BUILD.xmlsec1
M omd/packages/xmlsec1/xmlsec1.make
Log Message:
-----------
update openssl to 3.0.12 LTS
1.1.1 was EOL in September
JIRA: CMK-14374
For openssl3 we need to deactivate loading modules at runtime. If
modules are enabled, the legacy algorithms are compiled as a module.
The path to the legacy module is set as a MACRO when the compiler is
called [1]. Given we build with bazel, this will be some bazel path on
the build node. During runtime openssl will first look if a variable
"OPENSSL_MODULES" is defined; if not, it will fall back to the macro [2].
The path the macro points to does not exist once we install the deb/rpm
packages. This results in openssl not finding the legacy module and
crashing when trying to load it.
The cryptography package is trying to load the legacy module on import [3].
The legacy module can be disabled in newer versions. However, we need legacy
algorithms for snmpv3 support.
The solution is only documented in a GitHub issue [4].
[1]: https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08…
[2]: https://github.com/openssl/openssl/blob/91bc783a93a2a695fe6a2f8da93cf5b5e08…
[3]: https://github.com/pyca/cryptography/blob/c255b00525dbbee3b3cc80fb63ca608e5…
[4]: https://github.com/openssl/openssl/issues/20112#issuecomment-1400388204
Change-Id: Ibe330c975769ae5729bff49f70c4e30c0d4e6c6f
Compare:
https://github.com/Checkmk/checkmk/compare/7e20392702d9...f22db26459f3
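The lookup order described in the second commit message, written as a post-install check (an added example, not part of the commits or of Checkmk's build scripts). It assumes a Linux OpenSSL 3 build with modules enabled, where the legacy provider is the file `legacy.so`; the sample path is constructed.

```python
import os
import re
import subprocess

LEGACY_MODULE = "legacy.so"  # assumption: Linux file name of the legacy provider

# Constructed sample of `openssl version -m` output from a build whose
# compiled-in path still points into the build tree (hypothetical path).
SAMPLE_OUTPUT = 'MODULESDIR: "/build/bazel-out/openssl/lib/ossl-modules"\n'


def compiled_modules_dir(version_output):
    """Extract the build-time MODULESDIR from `openssl version -m` output."""
    match = re.search(r'^MODULESDIR:\s*"(.*)"\s*$', version_output, re.MULTILINE)
    return match.group(1) if match else None


def effective_modules_dir(version_output, environ):
    """Lookup order from the commit message: OPENSSL_MODULES, then the macro."""
    if "OPENSSL_MODULES" in environ:
        return environ["OPENSSL_MODULES"], "OPENSSL_MODULES"
    return compiled_modules_dir(version_output), "MODULESDIR"


def check_legacy_module(version_output, environ, exists=os.path.isfile):
    """Return (ok, message): can the legacy module be found on this host?"""
    directory, source = effective_modules_dir(version_output, environ)
    if directory is None:
        return False, "no MODULESDIR reported; is this OpenSSL 3?"
    path = os.path.join(directory, LEGACY_MODULE)
    if exists(path):
        return True, f"{path} found (directory from {source})"
    return False, f"{path} missing (directory from {source})"


if __name__ == "__main__":
    try:
        output = subprocess.run(["openssl", "version", "-m"],
                                capture_output=True, text=True).stdout
    except OSError:
        output = SAMPLE_OUTPUT  # no openssl binary on PATH: use the sample
    ok, message = check_legacy_module(output, os.environ)
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run on a host where the deb/rpm package is installed, a non-zero exit means the directory OpenSSL would search does not contain the legacy module, which is the situation the commit message describes.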