Bug 7569 - [UPDATE REQUEST] openssl 1.0.1 -> 1.0.2
: [UPDATE REQUEST] openssl 1.0.1 -> 1.0.2
Status: VERIFIED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Highest blocker
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-09 11:13 MSK by Andrey Bondrov
Modified: 2016-12-16 07:23 MSK (History)
2 users (show)

See Also:
RPM Package: openssl
ISO-related:
Bad POT generating:
Upstream:
vladimir.potapov: qa_verified+
andrey.bondrov: published+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Bondrov 2016-12-09 11:13:58 MSK
We need to switch from OpenSSL 1.0.1 to 1.0.2 (patched for GOST engine support) in rosa2014.1.

First please check if 1.0.1 -> 1.0.2 update doesn't break rpm, wget, curl etc.

https://abf.rosalinux.ru/build_lists/2766564
https://abf.rosalinux.ru/build_lists/2766565

If it doesn't, I'll build patched 1.0.2 for full testing.
Comment 1 Andrey Bondrov 2016-12-09 13:47:43 MSK
Please also check OpenSSL 1.0.2 packages with GOST 2012 support:

https://abf.rosalinux.ru/build_lists/2766576
https://abf.rosalinux.ru/build_lists/2766577
Comment 2 Vladimir Potapov 2016-12-10 20:02:28 MSK
It's not work :-(


rpm -qa|grep openssl-1                                                                
openssl-1.0.2j-4-rosa2014.1.i586

*********

openssl ciphers|grep GOST



empty
Comment 3 Vladimir Potapov 2016-12-10 20:20:01 MSK
after configuration by
http://kirill-zak.ru/2015/08/13/298

openssl ciphers|tr ':' '\n'|grep GOST
GOST2001-GOST89-GOST89
Comment 4 Andrey Bondrov 2016-12-12 13:35:30 MSK
(In reply to comment #3)
> after configuration by
> http://kirill-zak.ru/2015/08/13/298
> 
> openssl ciphers|tr ':' '\n'|grep GOST
> GOST2001-GOST89-GOST89

It could be because of "CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet" config option. Likely there should be another option for GOST 2012 support. Maybe "id-tc26-gost-3410-2012-512-paramSetA".
Comment 5 Andrey Bondrov 2016-12-12 14:24:56 MSK
First let's try the official update without GOST 2012 support:

Advisory: "Update OpenSSL to new version 1.0.2j"

https://abf.rosalinux.ru/build_lists/2790321
https://abf.rosalinux.ru/build_lists/2790322
Comment 6 modd1e 2016-12-12 16:22:25 MSK
Actually, I managed to calculate hash using 512bit GOST34.11-2012 with this patch, which is impossible without it. I don't know if any 2012 GOSTs (34.10 or 34.11) should appear it "openssl ciphers" output, because they are not cipher algorithms. I mean, it could be possible to sign files or messages using this version of openssl, but yet I don't know how. There is no adequate information about this in gost-engine/engine. May be I'm just searching in the wrong place.
Comment 7 modd1e 2016-12-12 16:28:04 MSK
Hash can be calculated with "openssl dgst -md_gost12_512 <file_name>".
Comment 8 Vladimir Potapov 2016-12-13 20:26:55 MSK
(In reply to comment #5)
> First let's try the official update without GOST 2012 support:
> 
> Advisory: "Update OpenSSL to new version 1.0.2j"
> 
> https://abf.rosalinux.ru/build_lists/2790321
> https://abf.rosalinux.ru/build_lists/2790322

The update is sent to expanded testing
**************************************
Comment 9 Vladimir Potapov 2016-12-14 20:17:42 MSK
openssl-1.0.2j-1
https://abf.rosalinux.ru/build_lists/2790321
https://abf.rosalinux.ru/build_lists/2790322
************************* Advisory *************************
Update OpenSSL to new version 1.0.2j
************************************************************
QA Verified
Comment 10 Andrey Bondrov 2016-12-16 07:23:46 MSK
Let's continue with GOST 2012 support here: http://bugs.rosalinux.ru/show_bug.cgi?id=7604