# [solved] openssl-0.9.8c (x86) broke https/sasl

## micmac

Hi all,

I'm on x86 and I upgraded to dev-libs/openssl-0.9.8c. It got stabled today, and because it seems to include a security fix (I read that in this bugzilla report), I thought I could just update. I followed the ebuilds advice and ran revdep-rebuild to find software that linked agains lib{cryptop,ssl}.so.0.9.7 and recompile it. I ran it again just to be sure, but all seemed right (everything linked against 0.9. :Cool: .

I also ran revdep-rebuild without arguments, it didn't find anything. To be sure I also rebooted the box. etc-update was run also, of course.

Now I can't use https anymore. Konqueror just says this:

```
Beim Laden von https://forums.gentoo.org/ ist folgender Fehler aufgetreten:

Der Prozess für das

 Protokoll https://forums.gentoo.org

 wurde unerwartet beendet.
```

Translation:

```
An error occurred while loading https://forums.gentoo.org/

The Prozess for the protocol https://forums.gentoo.org died unexpectetly.
```

Also I can't check my mails. mutt just fails with "SASL authentication failed". I recompiled mutt, but it didn't help.

Right now this computer is pretty unusable. No web, no mail (at least not with ssl).

Any ideas? Any others with the same experience?

Cheers

mic

Edit: mutt patch in bugzillaLast edited by micmac on Fri Sep 08, 2006 8:03 pm; edited 1 time in total

----------

## micmac

Hi all,

dev-libs/openssl-0.9.7k works for me. The security patch is already included.

Cheers

mic

----------

## frilled

Did you recompile qca-tls without errors?

----------

## micmac

Yes, after I unmasked qca-tls-1.0-r3.

Btw., this was konquerors output on konsole when it couldn't use https:

kio (KIOConnection): ERROR: Header read failed, errno=104

kio (KIOConnection): ERROR: Header has invalid size (-1)

ASSERT: "!icon.isEmpty()" in konq_pixmapprovider.cc (81)

ASSERT: "!icon.isEmpty()" in konq_pixmapprovider.cc (81)

ASSERT: "!icon.isEmpty()" in konq_pixmapprovider.cc (81)

ASSERT: "!icon.isEmpty()" in konq_pixmapprovider.cc (81)

----------

## frilled

I still don't know what happened, as I can't reach the affected box by now. On (most of, didn't check them all yet) the other boxes it seems to have worked fine. Need to check later.

----------

## micmac

Hey,

I found out how to fix the https errors I got with konqueror. Recompiling kdelibs helped.

Regarding mutt. I found that there have been quite a lot of changes to sasl_decode64(). I mailed the the cyrus-sasl list about it. Maybe they know about it.

Cheers

mic

----------

## Headrush

I'm having the same problems using ssh to log into remote machines and also kopete accounts that use ssl no longer work.

Here is a sample of problem:

```
ssh -v root@xxx.xxx.xxx.xxx

OpenSSH_4.3p2, OpenSSL 0.9.8c 05 Sep 2006

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.

debug1: Connection established.

debug1: identity file /home/user/.ssh/identity type -1

debug1: identity file /home/user/.ssh/id_rsa type -1

debug1: identity file /home/user/.ssh/id_dsa type -1

ssh_exchange_identification: Connection closed by remote host
```

Somehow doesn't look like my machine is sending the required info needed by the remote machine.

----------

## alkan

 *Headrush wrote:*   

> I'm having the same problems using ssh to log into remote machines and also kopete accounts that use ssl no longer work.
> 
> Here is a sample of problem:
> 
> ```
> ...

 

I have the exact problem. aany solution yet?

----------

## Headrush

 *alkan wrote:*   

>  *Headrush wrote:*   I'm having the same problems using ssh to log into remote machines and also kopete accounts that use ssl no longer work.
> 
> Here is a sample of problem:
> 
> ```
> ...

 

After pulling my hair out and wondering what was going on since I correctly recompiled all apps depending on these libraries, I missed the obvious: the ssh server I was connecting to updated also but didn't do the revdep-rebuild and the problem was on their end.

(I shouldn't have assumed the service was static)

I still have an issue that I can't get SSL working with the Jabber network in Kopete.

----------

## micmac

Hi Headrush!

tried recompiling kdelibs like I did to get Konqueror to work?

----------

## Headrush

 *micmac wrote:*   

> Hi Headrush!
> 
> tried recompiling kdelibs like I did to get Konqueror to work?

 

Already did multiple times and compiled kopete again also. No luck.

----------

## Ast0r

 *Headrush wrote:*   

> I'm having the same problems using ssh to log into remote machines and also kopete accounts that use ssl no longer work.
> 
> Here is a sample of problem:
> 
> ```
> ...

 

I am having this problem also. I upgraded to openssl-0.9.8c and ran 

```

revdep-rebuild --library libssl-0.9.7
```

and then

```
revdep-rebuild --library libcrypto-0.9.7
```

I assumed that this would be all that I had to do, since that's all the ebuild said, but 3/5 boxes don't let me log in through SSH anymore since doing this. I guess it was stupid for me to not test it on one server and then deploy to my other servers once I knew it worked, but I assumed that if I followed the ebuilds directions that I would be fine. I looked really stupid yesterday when my boss called me asking why he couldn't SSH into our development server. I am going to have to go up to the datacenter tomorrow to fix them, but it would be really nice to know what is wrong with them so that I can fix them. Does anyone know?

----------

## ChL@Gentoo

I recompiled openssh, kdelibs, kdepim-kioslaves and kdebase-kioslaves.

After a restart of X (and so KDE) ssh, konqueror and kmail works perfect.

----------

## pteppic

 *ChL@Gentoo wrote:*   

> I recompiled openssh, kdelibs, kdepim-kioslaves and kdebase-kioslaves.
> 
> After a restart of X (and so KDE) ssh, konqueror and kmail works perfect.

 

I tried all of this, most of it twice, to no avail.

I have just finished a largish update and hoped it would fix it, but it hadn't, so tried to investigate further.

Found this

```

29491:error:0200100D:system library:fopen:Permission denied:bss_file.c:122:fopen('/etc/ssl/openssl.cnf','rb')
```

 and 

```
#ls -al /etc

drwxr-xr-x  90 root lp     5.7K Dec  6 09:12 .

drwx------   5 root lp      152 Sep  9 06:13 ssl
```

I fixed it with 

```
chown :root /etc

chown :root /etc/ssl

chmod 755 /etc/ssl
```

now konq&co work again.

Seeing as the group set was lp and cups had been recently updated, it's new new cups I'm suspicious of, but I'm done investigating....

----------

