openssl - what version are you using?
Written by Michael Felt   
I would hope the latest version, but that has never been as simple as it seems. And for many - for me at least - it has been difficult to determine how to keep up. And there is a lot more to it, which is what the rest of this article is about.

IBM Security updates for openssl

When concerned only with the software IBM supplies for AIX, keeping up to date can be pretty much "business as usual". However, for those who still need to support AIX 5.3, staying current requires some extra attention.

In openssl versioning, AIX 5.3 TL7 shipped openssl-0.9.8d as its final version and AIX 5.3 TL12 shipped openssl-0.9.8k.

Note: especially for AIX 5.3 there is a much newer version of openssl-0.9.8 available with the ifixes made available last year - openssl-0.9.8y3 (or openssl.base.0.9.8.2503).

Note: openssl-0.9.8.401 (openssl-0.9.8d(1)) is the lowest level available from IBM.

There is more that uses openssl than just openssh

If all I was concerned about was having the latest from IBM, then I could keep things relatively simple by watching for their service/security announcements.
FYI: the latest announcement regarding openssl is currently #11, dated 29-Oct-2014, and is available at http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc
The fixes themselves can be found here: ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix11.tar

As a hobby I also package popular open-source packages (basically what I have needed to support the ROOTVG.net portal, plus other requests as they have come in).
Occasionally these packages need a higher level of something than what is installed on AIX 5.3 TL7. (My goal is to support AIX 5.3 TL7 and later.)
When I cannot compile because the AIX openssl level is too low (the packages basically need openssl-0.9.8k (0.9.8.1101) or higher), a newer openssl has to be built from source, and then there is a new problem: the openssl sources do not build to a form compatible with what AIX installs. The open-source build produces so-called static and shared libraries. The static library is built as, e.g., libssl.a and the shared (object) library as libssl.so.0.9.8; lastly, a (symbolic) link named libssl.so points at libssl.so.0.9.8.

Many applications expect to link dynamically (rtl - run-time linking) against the object libssl.so.0.9.8, but by default the AIX linker looks only for the (AIX-style) shared library libssl.a - an archive that carries the shared object as a member - and not for a bare libssl.so.

"My problem"

AIX packaging does not put the individual .o files as so-called members in the archive. Instead, AIX packages the .so file itself (as the member libssl.so.0.9.8 and, more recently, with a second member libssl.so.1.0.0) into the .a archive.
I was blind - basically wanting everything fully automated - but I have realized it is fairly easy for me to package an AIX-compatible archive, by just adding the .so objects already built to the .a archive.
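How that packaging step could be done, and how to check afterwards which OpenSSL version an archive really carries (the question in this article's title), as an added shell example. This is not the author's packaging script and not code from the openssl or IBM trees. It assumes the shared object has already been built and that the member name libssl.so.0.9.8 matches what IBM ships inside /usr/lib/libssl.a (an assumption on my part); the demonstration uses a constructed stand-in file so the example also runs outside AIX.

```shell
#!/bin/sh
# Added example (not from the article): put a freshly built OpenSSL shared
# object into an .a archive as a member, the way the AIX linker expects it,
# then report which OpenSSL version that archive actually contains.
set -e

# AIX ar needs -X32_64 to add/list both 32- and 64-bit members; GNU/BSD ar
# (used when this runs elsewhere) has no such flag.
ar_cmd() {
    if [ "$(uname -s)" = AIX ]; then ar -X32_64 "$@"; else ar "$@"; fi
}

# add_shared_member ARCHIVE SHARED_OBJECT
# Adds (or replaces) SHARED_OBJECT as a member of ARCHIVE, creating the archive
# if needed. On AIX, "-lssl" then resolves to libssl.a and the loader pulls in
# the libssl.so.0.9.8 member from inside it.
add_shared_member() {
    archive=$1; sobj=$2
    [ -f "$sobj" ] || { echo "no such shared object: $sobj" >&2; return 1; }
    ar_cmd -rc "$archive" "$sobj"    # -r add/replace, -c create without a message
}

# archive_members ARCHIVE -> member names, one per line
archive_members() {
    ar_cmd -t "$1"
}

# openssl_version_in FILE -> the "OpenSSL x.y.z" banner embedded in the library.
# This tells you what code is really inside the archive, whatever the file name
# or the package level claims. Empty output means no banner was found.
openssl_version_in() {
    tr -c '[:print:]' '\n' < "$1" \
      | sed -n 's/.*\(OpenSSL [0-9][0-9A-Za-z.]*\).*/\1/p' \
      | head -n 1
}

# demo_archive: run the steps on a constructed stand-in (a real libssl.so.0.9.8
# would come out of "make" in the openssl tree). Returns 0 when the archive
# lists exactly one member and the banner is recovered from it.
demo_archive() {
    tmp=$(mktemp -d)
    printf 'XCOFF-ish junk\0OpenSSL 0.9.8y 5 Feb 2013\0more junk\n' \
        > "$tmp/libssl.so.0.9.8"                      # constructed stand-in
    add_shared_member "$tmp/libssl.a" "$tmp/libssl.so.0.9.8"
    members=$(archive_members "$tmp/libssl.a")
    version=$(openssl_version_in "$tmp/libssl.a")
    echo "members: $members"
    echo "version: $version"
    rm -rf "$tmp"
    [ "$members" = libssl.so.0.9.8 ] && [ "$version" = "OpenSSL 0.9.8y" ]
}
```

The banner check is the useful part in practice: a binary on AIX records which archive member it loads (on AIX, `dump -H` on the executable lists the import file strings, e.g. the libssl.a member name), but only the banner string inside that member tells you whether the code is 0.9.8d, 0.9.8k or an ifixed 0.9.8y.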

"My solution"

I shall continue to package to /opt/lib and, similar to IBM, shall set symbolic links from /usr/lib and /usr/include to /opt/lib and /opt/include, respectively.

"Real Soon Now"

By this I mean I will be creating a new aixtools subdirectory (http://download.aixtools.net/security) where I will put the new openssl and openssh packages that can be used instead of the AIX ones. However, what I will not have - literally today - is the scripts to save the IBM links/archives so that, if you uninstall my versions, the IBM ones are automatically available again (in /usr/lib!).

Coming - but only 'real soon'.

Until I have satisfied myself, I will not have my 'aixtools' packages overwrite anything provided by IBM as part of BOS or the AIX Toolbox. In time, maybe real soon, I shall feel secure enough to provide them as replacements.
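One way the save-and-restore step mentioned above could look, as an added shell example: it is not the author's script and not part of any aixtools package. It moves an IBM-supplied archive out of /usr/lib into a backup directory, puts a symbolic link to the /opt/lib replacement in its place, and can undo that on uninstall. The directory names are parameters so the procedure can be rehearsed in a scratch tree; the backup directory name and the stand-in file contents are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): replace an IBM archive in LIBDIR with a
# link to the copy under OPTDIR, keeping the original so it can be restored.
# A library in /usr/lib is loaded by every dynamically linked program on the
# box (sshd included), so the original is never overwritten, only moved aside.
set -e

# replace_with_link LIBDIR OPTDIR NAME BACKUPDIR
# e.g. replace_with_link /usr/lib /opt/lib libssl.a /opt/lib/ibm-saved
replace_with_link() {
    libdir=$1; optdir=$2; name=$3; backup=$4
    [ -f "$optdir/$name" ] || { echo "replacement $optdir/$name is missing" >&2; return 1; }
    if [ -L "$libdir/$name" ]; then
        echo "$libdir/$name is already a link, leaving it alone" >&2; return 1
    fi
    mkdir -p "$backup"
    if [ -e "$libdir/$name" ]; then
        # an earlier backup is the only copy of IBM's file: never clobber it
        [ -e "$backup/$name" ] && { echo "backup $backup/$name already exists" >&2; return 1; }
        mv "$libdir/$name" "$backup/$name"
    fi
    ln -s "$optdir/$name" "$libdir/$name"
}

# restore_original LIBDIR NAME BACKUPDIR: undo replace_with_link
restore_original() {
    libdir=$1; name=$2; backup=$3
    [ -L "$libdir/$name" ] || { echo "$libdir/$name is not a link we made" >&2; return 1; }
    [ -f "$backup/$name" ] || { echo "no saved copy of $name in $backup" >&2; return 1; }
    rm "$libdir/$name"
    mv "$backup/$name" "$libdir/$name"
}

# demo_swap: rehearse install and uninstall in a scratch tree with constructed
# stand-in files. Returns 0 when the link served the replacement and the
# restore brought IBM's file back.
demo_swap() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib" "$t/opt/lib"
    echo ibm      > "$t/usr/lib/libssl.a"   # constructed stand-in for IBM's archive
    echo aixtools > "$t/opt/lib/libssl.a"   # constructed stand-in for the replacement
    replace_with_link "$t/usr/lib" "$t/opt/lib" libssl.a "$t/opt/lib/ibm-saved"
    [ -L "$t/usr/lib/libssl.a" ]
    after=$(cat "$t/usr/lib/libssl.a")
    restore_original "$t/usr/lib" libssl.a "$t/opt/lib/ibm-saved"
    [ ! -L "$t/usr/lib/libssl.a" ]
    back=$(cat "$t/usr/lib/libssl.a")
    rm -rf "$t"
    [ "$after" = aixtools ] && [ "$back" = ibm ]
}
```

The two refusals (replacement missing, link already present) are deliberate: a half-applied swap would leave /usr/lib/libssl.a dangling, and then nothing that links against libssl loads at all.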