Curl-OPENSSL1 update for SUSE 11 SP4

DaveUSC · 05-31-2019, 09:33 AM

Hi everyone,

We recently applied slessp4-curl-13776 for SUSE11. It was supposed to install curl-openssl1 so that our users can utilize TLS 1.2. However after the update, our users are getting certificate errors. Upon further examination, it looks like curl itself is backdated??

Code:

/usr/bin # /usr/bin/curl.openssl1 -V
curl 7.19.7 (s390x-ibm-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Code:

/usr/bin # /usr/bin/curl.openssl0 -V
curl 7.37.0 (s390x-ibm-linux-gnu) libcurl/7.37.0 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

With openssl1 its using curl 7.19 while with openssl0 its using curl 7.37...

Has anyone else seen this?

Thanks!

David

dc.901 · 05-31-2019, 09:58 AM

Since this is SuSE Enterprise Linux, and running on S390; my recommendation is to contact SuSE support.
Have you looked at the changelog to confirm that patch was applied?

DaveUSC · 05-31-2019, 10:45 AM

Hi dc,

Yes, my colleague did open a ticket with SuSE... we are waiting for a response. In the meantime, I was hoping if anyone here has experienced this.

Yes, the security package was applied... here is the curl version and yast display:

Quote:

# curl -V
curl 7.19.7 (s390x-ibm-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Quote:

[Dependencies↓][View↓][Extras↓]
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqklqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
xFilter xx xName xSummary xAvail. Vers.xInst. Vers.xSize x
xSearchaaaaaaaaaaaaaaa↓ xx i xcurl xA Tool for Transferring Data from URLs x7.37.0 x7.37.0 x 469.0 KiBx x
xlqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqkxx i xcurl-openssl1 xA Tool for Transferring Data from URLs x7.19.7 x7.19.7 x 159.0 KiBx x
xxSearch Phrase xxx i xlibcurl4 xCURL shared library version 4 x7.37.0 x7.37.0 x 850.0 KiBx x
xxcurlaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaxxx i xlibcurl4-32bit xCURL shared library version 4 x7.37.0 x7.37.0 x 695.0 KiBx x
xx[x] Ignore Case xxx i xlibcurl4-openssl1 xcURL shared library version 4 x7.19.7 x7.19.7 x 593.0 KiBx x
xx xxx xlibcurl4-openssl1-32bitxcURL shared library version 4 x7.19.7 x x 487.0 KiBx x
xx xxx i xperl-WWW-Curl xPerl extension interface for libcurl x4.09 x4.09 x 146.0 KiBx x
xx xxx xphp53-curl xPHP5 Extension Module x5.3.17 x x 72.0 KiBx x
xx xxx i xpython-curl xPython module interface to the cURL libraryx7.19.0 x7.19.0 x 146.0 KiBx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xxSearch Mode xxx x
xxContainsaaaaaa↓ xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xx xxx x
xmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqjxx x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqjmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
9 packages found Package: curl-ope [Actions↓]
lSearch in qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqklqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x[x] Name of the Package xx xName x xVersion xRepository xSize xArchitecture x
x[x] Summary xx i xcurl-openssl1x x x7.19.7-1.69.1xSMT-http_fmis-util_doj_gov:SLE11-Security-Modulex 159.0 KiBxs390x x
x[ ] Keywords xx xcurl-openssl1x x7.19.7-1.64.1xSMT-http_fmis-util_doj_gov:SLE11-Security-Modulex 159.0 KiBxs390x x
x[ ] Description (time-consuming) xx xcurl-openssl1x x7.19.7-1.61.1xSMT-http_fmis-util_doj_gov:SLE11-Security-Modulex 159.0 KiBxs390x x
x[ ] Provides xx xcurl-openssl1x x7.19.7-1.55.1xSMT-http_fmis-util_doj_gov:SLE11-Security-Modulex 159.0 KiBxs390x x
x[ ] Requires xx xcurl-openssl1x x7.19.7-1.51.1xSMT-http_fmis-util_doj_gov:SLE11-Security-Modulex 159.0 KiBxs390x x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
x xx x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqjmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

Sauerland · 05-31-2019, 12:26 PM

Maybe you ask in the official SUSE forums:
https://forums.suse.com/forum.php?ve..._required=true

MensaWater · 05-31-2019, 12:52 PM

I ran into a similar issue on RHEL5 and wrote a blog post about it.

In my case I updated curl (and libcurl) to a later upstream version but that required installing multiple other upstream versions. In the end even though the "curl" command itself had the options to use TLS v1.1 and v1.2 the systems openssl did not. Since openssl is integral to the OS and RedHat wasn't going to provide an updated one I didn't try going to new version.

From what you wrote it sounds as if you have a newer openssl available? If so updating to a later upstream curl and libcurl might help. However, as I wrote in the blog post the dependencies you'll need may make that problematical (especially if older packages of other apps rely on older versions of the dependenices). You might want to instead upgrade to a newer version of the distro that hopefully would have newer openssl and curl support for TLS v1.1 & v1.2. In our case RHEL6 had the newer versions so we just made ssh calls or web proxy calls to a RHEL6 server from the RHEL5 until we were able to replace the RHEL5 with a newer RHEL6 install completely.

ehartman · 05-31-2019, 02:04 PM

Quote:

Originally Posted by DaveUSC

Code:

/usr/bin # /usr/bin/curl.openssl1 -V
curl 7.19.7 (s390x-ibm-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1g zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Code:

/usr/bin # /usr/bin/curl.openssl0 -V
curl 7.37.0 (s390x-ibm-linux-gnu) libcurl/7.37.0 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

With openssl1 its using curl 7.19 while with openssl0 its using curl 7.37...

Note that they're using different versions of openssl too:
curl.openssl0 uses the out-of-date (and support) OpenSSL/0.9.8j, while
curl.openssl1 uses the somewhat newer OpenSSL/1.0.1g version.

PS: 1.0.2 is the oldest version (LTS) still maintained upstream, 1.1.1c is the current one.