OpenSSL / Polkit problem - Not receiving mails from Gmail

[pcburakq]

Hello,

I found out that i am unable to build anything, i cannot even rebuild exim via custombuild.

The Error seems to be related to OpenSSL version, i've manually compiled openssl by myself a few months back.

I Don't remember the full commands but it was something like this;

cd /usr/local/src
wget --no-check-certificate wget https://imaj.netdirekt.com.tr/howto/repo/openssl-1.0.2l.tar.gz
tar -xvzf openssl-1.0.2l.tar.gz

cd openssl-1.0.2l
./config
make depend
make
make test
make install

mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

The codes used are not exact, openssl version was 1.1.1L.

Anyhow, openssl version showed OpenSSL 1.1.1l after this action and everything was ok.

However, i'm trying to rebuild exim but getting the following error;

cc -o exim
hash.o: In function `exim_sha_init':
hash.c:(.text+0x8d): undefined reference to `EVP_sha3_224'
hash.c:(.text+0x95): undefined reference to `EVP_MD_CTX_new'
hash.c:(.text+0xba): undefined reference to `EVP_sha3_256'
hash.c:(.text+0xc2): undefined reference to `EVP_MD_CTX_new'
hash.c:(.text+0xe4): undefined reference to `EVP_sha3_384'
hash.c:(.text+0xec): undefined reference to `EVP_MD_CTX_new'
hash.c:(.text+0x10e): undefined reference to `EVP_sha3_512'
hash.c:(.text+0x116): undefined reference to `EVP_MD_CTX_new'
tls.o: In function `lib_ctx_new':
tls.c:(.text+0x2e2): undefined reference to `TLS_client_method'
tls.c:(.text+0x2f1): undefined reference to `TLS_server_method'
tls.c:(.text+0x33b): undefined reference to `SSL_CTX_set_keylog_callback'
tls.o: In function `init_dh':
tls.c:(.text+0x5b2): undefined reference to `DH_bits'
tls.o: In function `setup_certs':
tls.c:(.text+0xc72): undefined reference to `OPENSSL_sk_pop'
tls.c:(.text+0xc82): undefined reference to `OPENSSL_sk_num'
tls.c:(.text+0xc91): undefined reference to `OPENSSL_sk_new_null'
tls.c:(.text+0xcbb): undefined reference to `OPENSSL_sk_push'
tls.c:(.text+0xd27): undefined reference to `OPENSSL_sk_num'
tls.o: In function `tls_expand_session_files':
tls.c:(.text+0x1052): undefined reference to `X509_getm_notBefore'
tls.c:(.text+0x1067): undefined reference to `X509_getm_notAfter'
tls.o: In function `verify_callback':
tls.c:(.text+0x1f91): undefined reference to `OPENSSL_sk_push'
tls.o: In function `tls_server_stapling_cb':
tls.c:(.text+0x26e1): undefined reference to `X509_get0_serialNumber'
tls.c:(.text+0x2717): undefined reference to `OCSP_SINGLERESP_get0_id'
tls.o: In function `tls_save_session_cb':
tls.c:(.text+0x2931): undefined reference to `SSL_SESSION_is_resumable'
tls.o: In function `tls_servername_cb':
tls.c:(.text+0x2e2d): undefined reference to `SSL_CTX_get_options'
tls.c:(.text+0x2e3c): undefined reference to `SSL_CTX_set_options'
tls.o: In function `tls_close':
tls.c:(.text+0x3c35): undefined reference to `OPENSSL_sk_pop_free'
tls.o: In function `tls_version_report':
tls.c:(.text+0x3fcf): undefined reference to `OpenSSL_version'
tls.c:(.text+0x3fdc): undefined reference to `OpenSSL_version'
tls.o: In function `tls_init':
tls.c:(.text+0x5113): undefined reference to `SSL_CTX_set_options'
tls.c:(.text+0x5253): undefined reference to `OPENSSL_sk_new_null'
tls.o: In function `tls_server_start':
tls.c:(.text+0x5642): undefined reference to `SSL_CTX_set_num_tickets'
tls.c:(.text+0x596f): undefined reference to `SSL_session_reused'
tls.c:(.text+0x5af1): undefined reference to `SSL_CIPHER_standard_name'
tls.c:(.text+0x5b57): undefined reference to `SSL_SESSION_print_keylog'
tls.c:(.text+0x5b72): undefined reference to `SSL_SESSION_has_ticket'
tls.c:(.text+0x5b7e): undefined reference to `SSL_SESSION_get_ticket_lifetime_hint'
tls.o: In function `tls_client_start':
tls.c:(.text+0x6365): undefined reference to `SSL_clear_options'
tls.c:(.text+0x64e9): undefined reference to `SSL_SESSION_get_ticket_lifetime_hint'
tls.c:(.text+0x6700): undefined reference to `SSL_SESSION_print_keylog'
tls.c:(.text+0x6712): undefined reference to `SSL_session_reused'
tls.c:(.text+0x683d): undefined reference to `SSL_CIPHER_standard_name'
tls.o: In function `tls_cert_not_before':
tls.c:(.text+0x6b04): undefined reference to `X509_getm_notBefore'
tls.o: In function `tls_cert_not_after':
tls.c:(.text+0x6b1a): undefined reference to `X509_getm_notAfter'
tls.o: In function `tls_cert_version':
tls.c:(.text+0x6e89): undefined reference to `X509_get_version'
tls.o: In function `tls_cert_subject_altname':
tls.c:(.text+0x70d7): undefined reference to `OPENSSL_sk_pop'
tls.c:(.text+0x7109): undefined reference to `ASN1_STRING_get0_data'
tls.c:(.text+0x7129): undefined reference to `ASN1_STRING_get0_data'
tls.c:(.text+0x7149): undefined reference to `ASN1_STRING_get0_data'
tls.c:(.text+0x71ff): undefined reference to `OPENSSL_sk_num'
tls.c:(.text+0x720f): undefined reference to `OPENSSL_sk_free'
tls.o: In function `tls_cert_ocsp_uri':
tls.c:(.text+0x7271): undefined reference to `OPENSSL_sk_num'
tls.c:(.text+0x72bd): undefined reference to `OPENSSL_sk_value'
tls.c:(.text+0x72f1): undefined reference to `ASN1_STRING_get0_data'
tls.c:(.text+0x7316): undefined reference to `OPENSSL_sk_free'
tls.c:(.text+0x733c): undefined reference to `OPENSSL_sk_free'
tls.o: In function `tls_cert_crl_uri':
tls.c:(.text+0x73b2): undefined reference to `OPENSSL_sk_num'
tls.c:(.text+0x73df): undefined reference to `OPENSSL_sk_value'
tls.c:(.text+0x73f3): undefined reference to `OPENSSL_sk_num'
tls.c:(.text+0x7409): undefined reference to `OPENSSL_sk_value'
tls.c:(.text+0x742c): undefined reference to `ASN1_STRING_get0_data'
tls.c:(.text+0x7463): undefined reference to `OPENSSL_sk_free'
tls.c:(.text+0x748b): undefined reference to `OPENSSL_sk_free'
pdkim/pdkim.a(signing.o): In function `exim_dkim_init':
signing.c:(.text+0xf): undefined reference to `OPENSSL_init_crypto'
pdkim/pdkim.a(signing.o): In function `exim_dkim_sign':
signing.c:(.text+0x109): undefined reference to `EVP_MD_CTX_new'
signing.c:(.text+0x153): undefined reference to `EVP_DigestSign'
signing.c:(.text+0x18f): undefined reference to `EVP_DigestSign'
signing.c:(.text+0x19b): undefined reference to `EVP_MD_CTX_free'
signing.c:(.text+0x1ce): undefined reference to `EVP_MD_CTX_free'
pdkim/pdkim.a(signing.o): In function `exim_dkim_verify_init':
signing.c:(.text+0x249): undefined reference to `EVP_PKEY_new_raw_public_key'
pdkim/pdkim.a(signing.o): In function `exim_dkim_verify':
signing.c:(.text+0x2fe): undefined reference to `EVP_MD_CTX_new'
signing.c:(.text+0x341): undefined reference to `EVP_DigestVerify'
signing.c:(.text+0x34d): undefined reference to `EVP_MD_CTX_free'
signing.c:(.text+0x35f): undefined reference to `EVP_MD_CTX_free'
signing.c:(.text+0x3a8): undefined reference to `RSA_pkey_ctx_ctrl'
collect2: error: ld returned 1 exit status
make[1]: *** [exim] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.95/build-Linux-x86_64'
make: *** [all] Error 2

My best guess is that this problem is occurring because the OpenSSL version has been updated manually whitout DirectAdmin and/or cloudlinux repos.

I'm trying to downgrade the openssl version with;

yum reinstall openssl\*

Does not work. I re-compile it manually to a lower version, does not work.

openssl version

Still shows 1.1.1L

Any suggestions?

At this rate i'm stuck.

Regards

 

[pcburakq]

Addinational Info:

I'm trying; yum downgrade openssl But it fails.

[root@ns78-out custombuild]# yum downgrade openssl
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from CLN.
Loading mirror speeds from cached hostfile
 * cloudlinux-x86_64-server-7: cl-mirror.alastyr.com
 * epel: mirror.telepoint.bg
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.2k-21.el7_9 will be a downgrade
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.2k-21.el7_9 for package: 1:openssl-1.0.2k-21.el7_9.x86_64
---> Package openssl.x86_64 1:1.0.2k-22.el7_9 will be erased
--> Finished Dependency Resolution
Error: Package: 1:openssl-1.0.2k-21.el7_9.x86_64 (cloudlinux-x86_64-server-7)
           Requires: openssl-libs(x86-64) = 1:1.0.2k-21.el7_9
           Installed: 1:openssl-libs-1.0.2k-22.el7_9.x86_64 (@cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-22.el7_9
           Available: 1:openssl-libs-1.0.2k-12.el7.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-12.el7
           Available: 1:openssl-libs-1.0.2k-16.el7.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-16.el7
           Available: 1:openssl-libs-1.0.2k-16.el7_6.1.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-16.el7_6.1
           Available: 1:openssl-libs-1.0.2k-19.el7.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-19.el7
           Available: 1:openssl-libs-1.0.2k-21.el7_9.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-21.el7_9
           Available: 1:openssl-libs-1.0.2k-23.el7_9.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-23.el7_9
           Available: 1:openssl-libs-1.0.2k-24.el7_9.x86_64 (cloudlinux-x86_64-server-7)
               openssl-libs(x86-64) = 1:1.0.2k-24.el7_9
 You could try using --skip-broken to work around the problem
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
MariaDB-server-10.3.27-1.el7.centos.x86_64 has missing requires of galera

Can anyone let me know how can i remove the 1.1.1l libraries?

Regards

 

[wtptrs]

Did you rollback the /usr/bin/openssl symlink command you did earlier?

 

[pcburakq]

Did you rollback the /usr/bin/openssl symlink command you did earlier?

Yeah, did not work.

I've manually compiled an older versiyon of openssl too, system is stubborn to use and print ver. 1.1.1l

Regards

 

[pcburakq]

Hello,

wget https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2k.tar.gz
tar -zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config
make depend
make
make install
ln -s /usr/bin/openssl /usr/local/bin/openssl
openssl version

ln -s /opt/alt/openssl11/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /opt/alt/openssl11/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

These course of actions have fixed my openssl problem, however i am unable to receive any mails from gmail.

Error; TLS error on connection from mail-vk1-f177.google.com [209.85.221.177] (SSL_accept): error:20074002:BIO routines:FILE_CTRL:system lib

I am also having polkit based errors.

** (pkttyagent:9265): WARNING **: 09:11:51.087: Unable to register authentication agent: GDBus.Errorrg.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Errorrg.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)

Still investigating. (Main problem was not receiving mails from gmail, openssl was promptly downgraded but there still seems to be a problem)

Any idea?

Regards

 

[pcburakq]

Hello,

I've resolved the problem. These are the steps i've taken to resolve it;

cd /root
wget https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2k.tar.gz

Then i've went to the openssl directory i've manually compiled and uninstalled it;

cd /usr/local/src/openssl-1.1.1l
make uninstall

Then recompiled openssl-1.0.2k, the openssl version it had before.

cd /root
tar -zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config
make depend
make
make install
ln -s /usr/bin/openssl /usr/local/bin/openssl

openssl version

Prints 1.0.2k which is good, but there are library problems as expected.

I've put old openssl files to lib64

ln -s /opt/alt/openssl11/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /opt/alt/openssl11/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

Checked it sees fine with php -v

The custombuild became able to build stuff again. I've rebuild curl since i downgraded openssl.

cd /usr/local/directadmin/custombuild
./build curl

And then reset the e-mail directory permissions.

/usr/local/directadmin/scripts/set_permissions.sh da_files
echo "action=rewrite&value=secure_access_group" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d200

Everything went fine afterwards, now i am able to get mails from gmail and compile stuff again.

Sharing my resolution so people can fix their own problems if it happens.

Regards

PS: Polkit error remains, as long as it does not stop the users from using their hosting services i dont mind