microsoft / omi

Open Management Infrastructure

Solaris 10 Build and OpenSSL #672

Closed hsbrown2 closed 9 months ago

hsbrown2 commented 4 years ago

Not sure if this is an issue with who built it, or the code itself. I did find this in Base_OMI.data; if it's actually used anywhere (this looks commented out), it will point to the wrong OpenSSL on a patched Solaris 10 machine (SPARC).

```
OPENSSL_PATH="openssl"
#if PF == SunOS
#if PFMINOR == 9
    LD_LIBRARY_PATH=/usr/local/ssl/lib
    export LD_LIBRARY_PATH
    OPENSSL_PATH="/usr/local/bin/openssl"
#elseif PFMINOR == 10
    LD_LIBRARY_PATH=/usr/sfw/lib
    export LD_LIBRARY_PATH
    OPENSSL_PATH="/usr/sfw/bin/openssl"
#endif
#endif
```

On Solaris 10, OpenSSL updates to 1.0.0 are in /usr/lib. /usr/sfw/lib is considered "volatile" and doesn't get updated. If installation uses 0.9.7, TLS 1.0 is the best you can do. To be able to use TLS 1.2 it would need to use the library in /usr/lib. There should be some logic in here to test for that.

I'll caveat this with I am an Operations Manager customer, just trying to determine why OMI won't work with TLS 1.2, and discovered omiengine links to the wrong OpenSSL libraries. Modifying those links, of course, did not solve the issue. Apologies if I'm not following the right protocols here.

JumpingYang001 commented 4 years ago

Thanks for filing the issue! It seems the build server still uses an old OpenSSL version.

hsbrown2 commented 4 years ago

No problem! Just be aware that on patched systems, both versions will be installed. The old version in /usr/sfw/lib and the new version in /usr/lib. There's good info from Oracle on it here:

https://blogs.oracle.com/solaris/openssl-versions-in-solaris-v2

Cheers!
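The kind of test the original report asks for, as an added example (not code from OMI or from anyone in this thread): given several candidate `openssl` binaries, pick the newest by its reported version instead of hard-coding one path. The function names and the `/usr/bin/openssl` candidate are assumptions; the 1.0.1 threshold is the OpenSSL release that introduced TLS 1.2.

```shell
#!/bin/sh
# Added example: choose the newest OpenSSL among candidate binaries.
# Function names are hypothetical; this is not OMI's installer logic.

# Turn "1.0.2n" into a sortable integer (1000214); print nothing if unparsable.
ver_key() {
    printf '%s\n' "$1" | awk -F. '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+[a-z]?$/ {
            patch = $3; letter = ""
            if (patch ~ /[a-z]$/) {
                letter = substr(patch, length(patch), 1)
                patch = substr(patch, 1, length(patch) - 1)
            }
            rank = index("abcdefghijklmnopqrstuvwxyz", letter)
            print $1 * 1000000 + $2 * 10000 + patch * 100 + rank
        }'
}

# Print "<path> <version>" for the newest usable candidate; return 1 if none.
pick_openssl() {
    best_path=""; best_ver=""; best_key=-1
    for cand in "$@"; do
        # `openssl version` prints e.g. "OpenSSL 0.9.7d 17 Mar 2004"
        ver=$("$cand" version 2>/dev/null | awk '$1 == "OpenSSL" { print $2; exit }')
        [ -n "$ver" ] || continue            # missing or not OpenSSL: skip
        key=$(ver_key "${ver%%-*}")          # drop suffixes such as "-fips"
        [ -n "$key" ] || continue
        if [ "$key" -gt "$best_key" ]; then
            best_path=$cand; best_ver=$ver; best_key=$key
        fi
    done
    [ -n "$best_path" ] || return 1
    printf '%s %s\n' "$best_path" "$best_ver"
}

# TLS 1.2 support first shipped in OpenSSL 1.0.1 (key 1000100).
supports_tls12() {
    key=$(ver_key "${1%%-*}")
    [ -n "$key" ] && [ "$key" -ge 1000100 ]
}

# Example call: the path from Base_OMI.data plus /usr/bin/openssl
# (assumed location of the patched binary on Solaris 10).
pick_openssl /usr/sfw/bin/openssl /usr/bin/openssl || echo "no usable openssl found"
```

The matching library directory still has to be put on `LD_LIBRARY_PATH` (or linked against at build time) for the selected version to be the one actually loaded.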

beigewell commented 4 years ago

This really compromises security, especially when Solaris 10 is supported now until 2023. We have exactly the same issue.

blakedrumm commented 1 year ago

@JumpingYang001 - Any updates on this?

JumpingYang001 commented 1 year ago

Discussed offline, CSS creates a bug to track it.

Udish17 commented 1 year ago

I have filed the bug internally for a developer to look into this.

JumpingYang001 commented 9 months ago

Fixed in https://github.com/microsoft/omi/pull/745/commits/4bf3268986dd96e2e8ed4dce5a9d4b7d0438dc7c.