bugzilla-daemon at mindrot.org
2023-Mar-14 20:13 UTC
[Bug 3548] New: Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Bug ID: 3548 Summary: Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error Product: Portable OpenSSH Version: 9.1p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: sam at gentoo.org OpenSSL 3.0.8 and OpenSSL 3.1.0 both have the same libssl and libcrypto SONAMEs, but after upgrading from 3.0.8->3.1.0, I get: ``` $ ssh -V OpenSSL version mismatch. Built against 30000080, you have 30100000 ``` Is this intentional when the relevant OpenSSL versions are supposed to be ABI compatible? -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 20:14 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #1 from Sam James <sam at gentoo.org> --- (This is with 9.2_p1). -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 22:19 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #2 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Sam James from comment #0)> the relevant OpenSSL versions are supposed to be ABI compatible?Looks like OpenSSL changed their compatibility guarantees between 1.1 and 3: https://www.openssl.org/policies/releasestrat.html "As of release 3.0.0, the OpenSSL versioning scheme is changing to a more contemporary format: MAJOR.MINOR.PATCH With this format, API/ABI compatibility will be guaranteed for the same MAJOR version number. Previously we guaranteed API/ABI compatibility across the same MAJOR.MINOR combination." Our check only implements the latter. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 22:39 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Attachment #3684| |ok?(djm at mindrot.org) Flags| | --- Comment #3 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3684 --> https://bugzilla.mindrot.org/attachment.cgi?id=3684&action=edit Update OpenSSL version check for v3 policy. Remove <1 since we no longer support them. I think this will fix it (untested). -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 23:14 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #4 from Damien Miller <djm at mindrot.org> --- Created attachment 3685 --> https://bugzilla.mindrot.org/attachment.cgi?id=3685&action=edit My take Don't we still want to prevent backsliding? The OpenSSL page says this: "MINOR: API/ABI compatible feature releases will change this" I could interpret this to mean that a minor release could adding API. It would still be API/ABI compatible but only in one direction. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 23:15 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #5 from Sam James <sam at gentoo.org> --- Ah, thanks, that makes sense. I thought I remembered 1.0 and 1.1 being incompatible so I knew something had changed, but didn't dig into what yet. Your patch seems to work and cope with upgrading openssl. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-14 23:23 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #6 from Sam James <sam at gentoo.org> --- (In reply to Damien Miller from comment #4)> I could interpret this to mean that a minor release could adding > API. It would still be API/ABI compatible but only in one direction.This is generally the case for any shared library because of symbol versioning - you often can't upgrade, build a bunch of stuff against the new version, then downgrade it. But openssh has very few dependencies and even fewer which use symbol versioning so, I guess this doesn't come up often. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-15 00:30 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #7 from Darren Tucker <dtucker at dtucker.net> --- Comment on attachment 3685 --> https://bugzilla.mindrot.org/attachment.cgi?id=3685 My take>+ lfix = (libver & 0x0ffffff0L) >> 12;That's going to include the patchlevel which we previously did not (but since they also say "We also allow backporting of accessor functions in these releases" was that deliberate? if so is there any point in disallowing this here, since in that case the dynamic linking would fail anyway before we got to this check?) If we're going to do the same checks we can use the same code. if (headerver < 0x3000000f) { mask = 0xfff0000fL; /* major,minor,status */ hfix = (headerver & 0x000ff000) >> 12; lfix = (libver & 0x000ff000) >> 12; } else { mask = 0xf000000fL; /* major, status */ hfix = (headerver & 0x0ffffff0L) >> 12; lfix = (libver & 0x0ffffff0L) >> 12; } if ( (headerver & mask) == (libver & mask) && lfix >= hfix) return 1; return 0; If you ignore the patchlevel for both you could even complement the mask and use that to compute hfix and lfix once, but I think that'd be sufficiently unclear as to be not worth the couple of lines saved. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-15 00:42 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #8 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Darren Tucker from comment #7)> since in that case the dynamic linking would failactually adding accessors would be fine, only deleting them would be a problem, so I don't see any reason we'd want to include the patchlevel in the check? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-20 18:46 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 psykose <alice at ayaya.dev> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alice at ayaya.dev -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-21 09:37 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3549 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3549 [Bug 3549] Tracking bug for OpenSSH 9.4 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-24 03:00 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3684| |ok+ Flags| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-May-08 00:09 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #9 from Sam James <sam at gentoo.org> --- See also https://marc.info/?l=openssh-unix-dev&m=168348988530204&w=2. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-May-08 03:24 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3685| |ok- Flags| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-May-08 04:36 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 --- Comment #10 from Damien Miller <djm at mindrot.org> --- I withdraw my version of the diff. Darren, do you want to commit yours? IMO we should keep the status check that is in yours but not in the post to the mailing list. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-May-08 10:21 UTC
[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #11 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Damien Miller from comment #10)> I withdraw my version of the diff. Darren, do you want to commit > yours? IMO we should keep the status check that is in yours but not > in the post to the mailing list.Committed, thanks. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.