24

Is Canonical renaming symbols in their package version of openssl, and if so for what purpose? When I compile openssl-1.0.0e.tar.gz (downloaded from openssl.org directly) from scratch I see the necessary symbol, but Python (and I) can't seem to find it in the packaged version.

Read on for more information about how I diagnosed this problem...

I am trying to compile Python 2.6.1 on Ubuntu 11.10, and get the error message above. The reason I am using this older Python is that I am trying to make my Ubuntu installation 100% compatible with a production system for development purposes.

When performing

```
strace -feopen make -j4 |& grep "libssl"
```

I see that I am using a promising file:

```
[pid 22614] open("/usr/lib/x86_64-linux-gnu//libssl.so", O_RDONLY) = 7
```

Running nm, this file has no symbols. However the .a file does have a similar one:

```
0000000000000030 T SSLv23_method
```

The package libssl1.0.0-dbg is installed via synaptic, however when I list the installed files for this package all I see is "The list of installed files is only available for installed packages" which is clearly an Ubuntu bug. So I am not sure how I am supposed to check which symbols are present in the .so.

However, I am suspicious that they have renamed SSLv2_method to SSLv23_method in any case.

How to proceed to figure out the status of Ubuntu's openssl-1.0.0?

jww
Setjmp
  • Did you find any workaround to build Python 2.6 on Ubuntu with SSL support? – Carl Meyer May 23 '12 at 19:46
  • Also see [Issue 5453: Compile error in Boost.Asio with OPENSSL_NO_SSL2](http://svn.boost.org/trac/boost/ticket/5453) on the Boost Bug Trac. Hopefully Boost guarded use of SSLv3 based on `OPENSSL_NO_SSL3`. – jww Aug 03 '16 at 16:49

3 Answers

25

The Ubuntu people build OpenSSL without SSLv2 support because the protocol has known security issues. So that's why you can't find SSLv2_method in their library even though you can find it when you compile the library yourself.

Ubuntu build logs are publicly available. You can see in the oneiric-i386.openssl_1.0.0e log that the library gets configured with the -no-ssl2 option, which disables support for SSLv2.

```
./Configure --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/i386-linux-gnu no-idea no-mdc2 no-rc5 zlib  enable-tlsext no-ssl2 debian-i386
Configuring for debian-i386
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-idea         [option]   OPENSSL_NO_IDEA (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-mdc2         [option]   OPENSSL_NO_MDC2 (skip dir)
    no-rc5          [option]   OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-shared       [default] 
    no-ssl2         [option]   OPENSSL_NO_SSL2 (skip dir)
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-zlib-dynamic [default] 
```

Note that the availability of SSLv23_method does not mean that a client will be able to connect to a server with SSLv2. The OpenSSL documentation briefly discusses this situation:

> The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the SSL_CTX_set_options() or SSL_set_options() functions. Using these options it is possible to choose e.g. SSLv23_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like SSLv3 or TLSv1.

Community
indiv
  • That hit the spot! Thanks for answering such a focused question! – Setjmp Nov 29 '11 at 18:31
  • @kirill_igum: ... did you notice the other answer given by Carl Meyer? – indiv Oct 22 '12 at 00:50
  • @indiv It looks more like a hack. I was expecting to install some other library from official PPAs, but I guess it is the best that is available. – kirill_igum Oct 22 '12 at 05:11
  • 1
    @kirill_igum: Oh, I see. Well, you can always compile OpenSSL yourself with SSLv2 included and install it on your box. Download OpenSSL source code, `./configure`, `sudo make install`. I haven't tried this personally but can't think of any problems arising from it (other than re-enabling a deprecated algorithm with known security issues). – indiv Oct 22 '12 at 15:49
  • I believe that the latest release of [M2Crypto](https://pypi.python.org/pypi/M2Crypto/) (or even couple of releases before) should deal with SSLv2 missing support just fine. – mcepl Aug 09 '17 at 18:08
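
Added example (not part of the original question or answers): a Python sketch that checks which protocol entry points a libssl build exports by parsing `nm -D` output, the check the question was trying to make on the packaged `.so`. The sample text, its addresses and the function names are constructed for illustration; `-D` makes nm read the dynamic symbol table, which is still present in a stripped shared object.

```python
import re
import subprocess

# Entry points named on this page, plus the SSLv3 analogue.
METHODS = ("SSLv2_method", "SSLv3_method", "SSLv23_method")

# GNU nm line for a defined symbol: address, one-letter type, name.
# Undefined imports ("U") have a blank address column and do not match.
# A trailing "@@VERSION" tag on the name is dropped.
NM_DEFINED = re.compile(r"^[0-9A-Fa-f]+\s+([A-Za-z])\s+([^\s@]+)")


def defined_symbols(nm_output):
    """Return the set of symbol names the library itself defines."""
    found = set()
    for line in nm_output.splitlines():
        m = NM_DEFINED.match(line)
        if m and m.group(1) != "U":
            found.add(m.group(2))
    return found


def protocol_methods(nm_output):
    """Map each protocol entry point to True if the library exports it."""
    syms = defined_symbols(nm_output)
    return {name: name in syms for name in METHODS}


def probe_library(path):
    """Run nm on a real shared object and classify it.

    Plain `nm` reads .symtab, which packaging usually strips, so it can
    report no symbols; `nm -D` reads .dynsym instead.
    """
    out = subprocess.run(["nm", "-D", "--defined-only", path],
                         capture_output=True, text=True, check=True).stdout
    return protocol_methods(out)


# Constructed sample imitating `nm -D` on a libssl configured with no-ssl2.
SAMPLE_NO_SSL2 = """\
                 U BIO_new
0000000000031a40 T SSL_CTX_new
0000000000030f10 T SSLv23_method
0000000000030e80 T SSLv3_method
"""

if __name__ == "__main__":
    for name, present in protocol_methods(SAMPLE_NO_SSL2).items():
        print(f"{name:15s} {'exported' if present else 'missing'}")
```

On a real system, call `probe_library()` with the path that `strace` reported for libssl.
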
3

I was able to build Python 2.6 with SSL support on Ubuntu 12.04 with the help of the patch in this blog post.

Carl Meyer
0

My fix was to install OpenSSL without SSL2 support:

```
./config --prefix=/usr enable-shared -no-ssl2
```

Then install anything linked to the libraries in /usr/ssl. It works.

Vijay Kumar Kanta