OpenSSL 4.0.0 RPMs have been released and added for all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux (RHEL), Oracle Linux).
OpenSSL 4.0.0 is a feature release adding significant new functionality to OpenSSL. This release incorporates the following potentially significant or incompatible changes:
– Removed extra leading '00:' when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.
– Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.
– Lower bounds checks are now enforced when using `PKCS5_PBKDF2_HMAC` API with FIPS provider.
– Added AKID verification checks when `X509_V_FLAG_X509_STRICT` is set.
– Augmented CRL verification process with several additional checks.
– `libcrypto` no longer cleans up globally allocated data via `atexit()`.
– `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation.
– `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default.
– `ASN1_STRING` has been made opaque.
– Signatures of numerous API functions, including those that are related to X509 processing, are changed to include `const` qualifiers for argument and return types, where suitable.
– Deprecated `X509_cmp_time()`, `X509_cmp_current_time()`, and `X509_cmp_timeframe()` in favor of `X509_check_certificate_times()`.
– Removed support for the SSLv2 Client Hello.
– Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016).
– Removed support for engines. The `no-engine` build option and the `OPENSSL_NO_ENGINE` macro are always present.
– Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it, use the `enable-tls-deprecated-ec` configuration option.
– Support of explicit EC curves was disabled at compile-time by default. To enable it, use the `enable-ec_explicit_curves` configuration option.
– Removed `c_rehash` script tool. Use `openssl rehash` instead.
– Removed the deprecated `msie-hack` option from the `openssl ca` command.
– Removed `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints.
– Removed deprecated support for custom `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, and `EVP_PKEY_ASN1` methods.
– Removed deprecated fixed SSL/TLS version method functions.
– Removed deprecated functions `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque.
– Dropped `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations.

This release adds the following new features:
– Support for Encrypted Client Hello (ECH, RFC 9849). See `doc/designs/ech-api.md` for details.
– Support for RFC 8998, signature algorithm `sm2sig_sm3`, key exchange group `curveSM2`, and tls-hybrid-sm2-mlkem post-quantum group `curveSM2MLKEM768`.
– cSHAKE function support as per SP 800-185.
– "ML-DSA-MU" digest algorithm support.
– Support for SNMP KDF and SRTP KDF.
– FIPS self tests can now be deferred and run as needed when installing the FIPS module with the `-defer_tests` option of the `openssl fipsinstall` command.
– Support for using either static or dynamic VC runtime linkage on Windows.
– Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.
The `.so` suffix changed from 81.3 to 81.4 (`/usr/lib64/libcrypto.so.81.4.0.0`, `/usr/lib64/libcrypto.so.81.4` -> `libcrypto.so.81.4.0.0`, `/usr/lib64/libssl.so.81.4.0.0`, `/usr/lib64/libssl.so.81.4` -> `libssl.so.81.4.0.0`).
We continue to build libs with QUIC support as a separate non-conflicting package openssl-quic-libs, with separate .so.81.4 suffixing to avoid conflicts with the official .so.X.
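
Because the suffix moves from 81.3 to 81.4, any installed package still linked against the `.so.81.3` libraries has to be rebuilt before an upgrade can resolve. The script below is an added example, not part of the CodeIT packaging: it groups packages by the suffixed OpenSSL soname they require. The function names are hypothetical and the input is a constructed sample that reuses package names from this page.

```shell
#!/bin/sh
# Added example. Input lines have the form "<package> <requirement>".
# On a real host they can be produced with:
#   rpm -qa --qf '[%{=NAME}-%{=VERSION}-%{=RELEASE} %{REQUIRENAME}\n]'

# Constructed sample input (package names taken from this page).
sample_requires() {
cat <<'EOF'
apr-util-openssl-1.6.3-2.codeit.el9 libcrypto.so.81.3()(64bit)
apr-util-openssl-1.6.3-2.codeit.el9 libcrypto.so.81.3(OPENSSL_3.0.0)(64bit)
apr-util-openssl-1.6.3-2.codeit.el9 libssl.so.81.3()(64bit)
apr-util-openssl-1.6.3-2.codeit.el9 libc.so.6()(64bit)
httpd-tools-2.4.66-2.module_codeit.codeit.el9 libcrypto.so.81.4()(64bit)
httpd-tools-2.4.66-2.module_codeit.codeit.el9 libssl.so.81.4(OPENSSL_4.0.0)(64bit)
httpd-tools-2.4.66-2.module_codeit.codeit.el9 libapr-1.so.0()(64bit)
EOF
}

# Print "<package> 81.<n>" once for every suffixed OpenSSL soname a package needs.
soname_requirers() {
  awk '$2 ~ /^lib(crypto|ssl)\.so\.81\.[0-9]+\(/ {
    split($2, part, "[.(]")            # lib name, "so", "81", "<n>", ...
    key = $1 " 81." part[4]
    if (!(key in seen)) { seen[key] = 1; print key }
  }' | sort
}

# Print packages that need a suffix other than the target one ($1, e.g. 81.4).
# Each of these must be rebuilt against the target before the upgrade resolves.
stale_packages() {
  soname_requirers | awk -v want="$1" '$2 != want { print $1 }' | sort -u
}

sample_requires | soname_requirers
echo "Needs rebuild for 81.4:"
sample_requires | stale_packages 81.4
```
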

Hi Alexander,
Thanks for the OpenSSL 4.0.0 build. There appears to be a packaging gap on EL9 that makes `dnf upgrade` unsolvable for hosts that already have the CodeIT httpd stack installed.
Summary:
– `httpd-tools-2.4.66-2.module_codeit.codeit.el9` requires `libcrypto.so.81.4` / `libssl.so.81.4` (OpenSSL 4.0.0).
– `apr-util-openssl-1.6.3-2.codeit.el9` (currently installed, also from CodeIT) still requires `libcrypto.so.81.3` / `libssl.so.81.3` (OpenSSL 3.x). It does not appear to have been rebuilt against the new `.so.81.4` suffix.
– `openssl-quic-libs-1:4.0.0-1.codeit.el9` is marked as conflicting with every `3.x` `openssl-quic-libs` package in the repo, rather than being parallel-installable. Given the `.so.81.3` vs `.so.81.4` suffix scheme, I would have expected the 3.x and 4.x QUIC libs to coexist the same way `.so.81.1.1` and `.so.81.3` did during the 1.1.1 → 3.x transition.
Result on a clean Oracle Linux 9 box with httpd 2.4.66-1 + openssl-quic-libs 3.5.6 installed:
```
 - package apr-util-openssl-1.6.3-2.codeit.el9.x86_64 from @System requires libcrypto.so.81.3()(64bit), but none of the providers can be installed
 - cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el9.x86_64 from CodeIT and openssl-quic-libs-1:3.5.6-1.codeit.el9.x86_64 from @System
 - package httpd-tools-2.4.66-2.module_codeit.codeit.el9.x86_64 from CodeIT requires libcrypto.so.81.4()(64bit), but none of the providers can be installed
```
`--allowerasing`, `--skip-broken`, and `--nobest` all fail to converge on a clean transaction.
Likely fixes (one or both):
1. Rebuild `apr-util-openssl` against OpenSSL 4.0.0 so it requires `libcrypto.so.81.4` / `libssl.so.81.4`.
2. Drop the `Conflicts:` between the 4.0.0 and 3.x `openssl-quic-libs` packages so both `.so.81.3` and `.so.81.4` can coexist (matching the suffix design intent).
Happy to test a candidate build on EL9 if useful.
Thanks,
Michael
Hi Michael, thank you for the report, investigating.
Hi Alexander,
the same problem in Rocky 8 too.
Error:
Problem 1: package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libcrypto.so.81.3()(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libcrypto.so.81.3(OPENSSL_3.0.0)(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libssl.so.81.3()(64bit), but none of the providers can be installed
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.6-1.codeit.el8.x86_64 from @System
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.10-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.11-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.12-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.13-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.14-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.15-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.16-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.8-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.9-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.0-2.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.1-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.4-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.5-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.6-1.codeit.el8.x86_64 from CodeIT
– cannot install the best update candidate for package openssl-quic-libs-1:3.5.6-1.codeit.el8.x86_64
– cannot install the best update candidate for package apr-util-openssl-1.6.3-2.codeit.el8.x86_64
Problem 2: problem with installed package apr-util-openssl-1.6.3-2.codeit.el8.x86_64
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libcrypto.so.81.3()(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libcrypto.so.81.3(OPENSSL_3.0.0)(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from @System requires libssl.so.81.3()(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from CodeIT requires libcrypto.so.81.3()(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from CodeIT requires libcrypto.so.81.3(OPENSSL_3.0.0)(64bit), but none of the providers can be installed
– package apr-util-openssl-1.6.3-2.codeit.el8.x86_64 from CodeIT requires libssl.so.81.3()(64bit), but none of the providers can be installed
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.6-1.codeit.el8.x86_64 from @System
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.10-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.11-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.12-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.13-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.14-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.15-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.16-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.8-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-3.0.9-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.0-2.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.1-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.4-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.5-1.codeit.el8.x86_64 from CodeIT
– cannot install both openssl-quic-libs-1:4.0.0-1.codeit.el8.x86_64 from CodeIT and openssl-quic-libs-1:3.5.6-1.codeit.el8.x86_64 from CodeIT
– package httpd-tools-2.4.66-2.module_codeit.codeit.el8.x86_64 from CodeIT requires libcrypto.so.81.4()(64bit), but none of the providers can be installed
– package httpd-tools-2.4.66-2.module_codeit.codeit.el8.x86_64 from CodeIT requires libcrypto.so.81.4(OPENSSL_4.0.0)(64bit), but none of the providers can be installed
– package httpd-tools-2.4.66-2.module_codeit.codeit.el8.x86_64 from CodeIT requires libssl.so.81.4()(64bit), but none of the providers can be installed
– package httpd-tools-2.4.66-2.module_codeit.codeit.el8.x86_64 from CodeIT requires libssl.so.81.4(OPENSSL_4.0.0)(64bit), but none of the providers can be installed
– cannot install the best update candidate for package httpd-tools-2.4.66-1.module_codeit.codeit.el8.x86_64
A thousand thanks
Franco, thank you for the report, will be rebuilt and also added to the testsuite too.
Franco, please check, el8 and el9 fixes landed. CentOS 7 in progress.
Hi Alexander,
the problem is different now on my Rocky 8, but:
yum update
Error:
– package openssl-quic-devel-1:3.5.6-1.codeit.el8.x86_64 from CodeIT conflicts with openssl-devel provided by openssl-devel-1:1.1.1k-15.el8_10.x86_64 from @System
– package openssl-quic-devel-1:4.0.0-1.codeit.el8.x86_64 from CodeIT conflicts with openssl-devel provided by openssl-devel-1:1.1.1k-15.el8_10.x86_64 from @System
Therefore I removed openssl-devel, then ran `yum clean all` and `yum update`:
```
Dependencies resolved.
======================================================================
 Package             Architecture  Version                              Repository  Size
======================================================================
Upgrading:
 apr-util            x86_64        1.6.3-4.codeit.el8                   CodeIT      105 k
 apr-util-bdb        x86_64        1.6.3-4.codeit.el8                   CodeIT       24 k
 apr-util-devel      x86_64        1.6.3-4.codeit.el8                   CodeIT       85 k
 apr-util-openssl    x86_64        1.6.3-4.codeit.el8                   CodeIT       26 k
 httpd               x86_64        2.4.66-2.module_codeit.codeit.el8    CodeIT       43 k
 httpd-core          x86_64        2.4.66-2.module_codeit.codeit.el8    CodeIT      1.4 M
 httpd-devel         x86_64        2.4.66-2.module_codeit.codeit.el8    CodeIT      204 k
 httpd-filesystem    noarch        2.4.66-2.module_codeit.codeit.el8    CodeIT      8.5 k
 httpd-tools         x86_64        2.4.66-2.module_codeit.codeit.el8    CodeIT       76 k
 libnghttp2          x86_64        1.68.1-3.codeit.el8                  CodeIT       77 k
 mod_http2           x86_64        2.0.39-2.codeit.el8                  CodeIT      175 k
 mod_lua             x86_64        2.4.66-2.module_codeit.codeit.el8    CodeIT       53 k
 mod_ssl             x86_64        1:2.4.66-2.module_codeit.codeit.el8  CodeIT      107 k
 openssl-quic-libs   x86_64        1:4.0.0-1.codeit.el8                 CodeIT      3.1 M
Installing dependencies:
 openssl-quic-devel  x86_64        1:4.0.0-1.codeit.el8                 CodeIT      3.5 M
```
all looks good!
Even in Rocky 9 everything is ok
Thank you !!!
Thank you for the confirmation!
Looks like openssl-quic-devel is an erroneous requirement; it is fixed now in 1.6.3-5.
Michael, please check, el8 and el9 fixes landed. CentOS 7 in progress.
It’s fixed. Thank You so much for all that you do!
Thank you a lot for your support!