#1 2012-09-12 02:41:53

Azriel
Member
Registered: 2008-01-23
Posts: 58

OpenSSL 1.0.0 issue

Hi,

I use the BOINC client, and am a contributor to the World Community Grid project on my Archlinux computer, but a few days ago (around September 7th), I was suddenly unable to download any new tasks for my BOINC client. Thinking it might be BOINC-related, or even WCG-related, I went on to the WCG forums where it appeared that the problem was Archlinux-related, and more specifically openssl-related. Since there are only two of us experiencing this problem and reporting it, it might be just a strike of luck though...

What we worked out so far on the WCG forums: the trouble seems to have appeared around September 7th, around which time a cache corruption seems to have appeared in WCG servers. The cache was cleared around September 10, but the issue persisted for Archlinux users.

Moving libssl.so.1.0.0 and libcrypto.so.1.0.0 to another place, and making symlinks to their 0.9.8 counterparts solved the issue. Though I'm not a strong fan of symlinking, since it's usually just a lot more trouble down the road...

Here is a link to a full session of BOINC logs: http://pastebin.com/ewypnBS7

Here are a few parts that seemed relevant to me, about the download:

10-Sep-2012 02:12:11 [World Community Grid] [http] [ID#3] Info:  SSLv3, TLS handshake, Client hello (1):
10-Sep-2012 02:12:12 [World Community Grid] [http] [ID#2] Info:  Unknown SSL protocol error in connection to download.worldcommunitygrid.org:443
10-Sep-2012 02:12:12 [World Community Grid] [http] [ID#2] Info:  Closing connection #0
10-Sep-2012 02:12:12 [World Community Grid] [http] HTTP error: SSL connect error
10-Sep-2012 02:12:12 [World Community Grid] [http] [ID#3] Info:  Unknown SSL protocol error in connection to download.worldcommunitygrid.org:443
10-Sep-2012 02:12:12 [World Community Grid] [http] [ID#3] Info:  Closing connection #1
10-Sep-2012 02:12:12 [---] [http] [ID#0] Info:  Connection #2 to host www.worldcommunitygrid.org left intact
10-Sep-2012 02:12:12 [World Community Grid] Temporarily failed download of hcc1_image01_6.40.tga: transient HTTP error

Also, the link to the original thread on the WCG forums.


So my questions are these:
1) Is there any tweaking done on Archlinux's part to those openssl libs that might explain why we seem to be the only distribution having this problem? And if so, would I be able to get a more "vanilla" version using makepkg?
2) Is there any way I could force BOINC to use the older version of those libs, while not making a system-wide change like would happen with symlinks?

Thanks to anyone who will be able to provide any help on the matter.

[EDIT] I'll add that my system is kept regularly up-to-date, and that no major update was done on my part around the date where things broke. My system is also up-to-date as of now, and I've tried reinstalling openssl, to no avail.
[EDIT2] I'll also add that my connection to the internet is wired, so it's most definitely not the reported problem about the wireless driver.

Last edited by Azriel (2012-09-12 02:54:15)

Offline

#2 2012-09-12 04:39:07

brebs
Member
Registered: 2007-04-03
Posts: 3,406

Re: OpenSSL 1.0.0 issue

Here's Arch.

Lots of patches in Ubuntu - look in their blah.debian.tar.gz file, in the debian/patches dir.

Edit: Here's Opensuse too.

Last edited by brebs (2012-09-12 04:48:47)

Offline

#3 2012-09-12 15:56:59

Peaceseeker
Member
Registered: 2012-04-27
Posts: 23

Re: OpenSSL 1.0.0 issue

brebs wrote:

Lots of patches in Ubuntu - look in their blah.debian.tar.gz file, in the debian/patches dir.

Thank you brebs, I think you pointed me in the right direction! I went over the patches Ubuntu applied; one that interested me was this bug. It seems like the latest OpenSSL 1.0.1c source already has this applied, so after recompiling OpenSSL with the flag '-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50', it looks like I was able to download work units as normal. Although I haven't fully tested it out, I'm unsure if 'World Community Grid' may have fixed things on their end? I would like to do some more testing but I've downloaded so many work units now it will take a few days to get through lol.

@Azriel, can you confirm you are still unable to download? Because if you can't, the above fix could be the solution. Here's the (hopefully) fixed PKGBUILD, you will require the other files in addition here

Last edited by Peaceseeker (2012-09-12 19:47:45)

Offline

#4 2012-09-12 16:58:30

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

Well, I can confirm that I wasn't able to download before, but after using your modified PKGBUILD and the patches, I'm able to download too ;)

Thanks to the two of you then, and off to contributing I go!

Offline

#5 2012-09-12 17:07:16

Peaceseeker
Member
Registered: 2012-04-27
Posts: 23

Re: OpenSSL 1.0.0 issue

Great news! OK, I'll test it for a couple of days, and if all is still going well, I'll have to file a bug report since it affects two Archlinux packages.


Edit:
I've rebooted, BOINC has finished some work units, and successfully downloaded more today, so I'll assume the workaround fixed things, and as Ubuntu configures and compiles with this flag by default, I went ahead and made a bug report here.

I also came across this recent forum post, it could be a possible third user affected.

Edit 2:
According to the OpenSSL CVS website, the change that enables these flags, here, was added in 1.0.1a. It mentions that two options can be used: one is the workaround to specify cipher length (which we added above), and if that fails there is the choice of another flag, 'OPENSSL_NO_TLS1_2_CLIENT'. This is where it gets strange: Archlinux already includes this flag in the default PKGBUILD as '-DOPENSSL_NO_TLS1_2_CLIENT'; what this does is disable TLS 1.2 client support entirely. So by adding both flags I don't know what exactly is happening. My guess, as things have started working, is that the cipher length option has overridden it, and this must mean that WCG now require the use of TLS 1.2?

Edit 3:

OK, it seems like Ubuntu apply both options as well:

    - debian/patches/tls12_workarounds.patch: workaround large client hello
      issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
      with -DOPENSSL_NO_TLS1_2_CLIENT.

from here

Last edited by Peaceseeker (2012-09-13 22:12:05)

Offline

#6 2012-09-14 16:28:51

hruodbhert
Member
From: Italy
Registered: 2012-09-14
Posts: 1

Re: OpenSSL 1.0.0 issue

Thanks guys, you gave me a big help in resolving this problem, and I can also report that it occurred on both architectures, i686 and x86_64.

Offline

#7 2012-09-14 21:10:56

Peaceseeker
Member
Registered: 2012-04-27
Posts: 23

Re: OpenSSL 1.0.0 issue

Thanks for another confirmation hruodbhert, and for testing both architectures, I've pointed the bug report to this thread. I'm glad it helped :)

Offline

#8 2012-10-10 18:18:20

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

Hi,
I'm sorry but I don't understand how to install this custom openssl. Is it possible to put it on AUR? :x
Thanks

Offline

#9 2012-10-10 18:22:13

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

Sebarres wrote:

Hi,
I'm sorry but I don't understand how to install this custom openssl. Is it possible to put it on AUR? :x
Thanks

I don't think I have the know-how to maintain a package on AUR, so I won't. Furthermore, this is likely to get fixed upstream one day, and the issue seems very specific to BOINC, so I'm not sure an AUR package is that relevant anyway (though others might disagree).

Your best plan is probably to explain to us as clearly as possible what you are doing, and where you are stuck, and we will try to un-stuck the best we can.

Offline

#10 2012-10-10 18:31:55

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

Ok, thank you for your reply.
In fact I created an openssl.tar.gz containing these files: https://projects.archlinux.org/svntogit … es/openssl
Then I ran pacman -U openssl.tar.gz, but it seems that metadata is missing.

Offline

#11 2012-10-10 18:37:39

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

It's not up to you to create the archive.

Basically, you download the required files here: https://projects.archlinux.org/svntogit … es/openssl

Then you copy-paste the content from here: http://pastebin.com/x58kP7C5 in a file named PKGBUILD.

The AUR actually works using PKGBUILDs; a PKGBUILD file is a file telling the computer how to compile the files in the current directory to create a package. So it's basically the same thing as downloading a tarball from the AUR and extracting its content.

Anyway, once you have both the required files and the PKGBUILD, you just type makepkg into the console (while in the correct directory), and you should see the new package being created. At the end of the process, you'll end up with the package in the directory, which you'll install using pacman.

[EDIT] You may want to read on that if you want to know more about the package creation process.

Last edited by Azriel (2012-10-10 18:38:45)

Offline

#12 2012-10-10 19:00:03

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

Perfect, it works, thank you very much for your explanation ;)

Offline

#13 2012-11-11 15:22:08

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 53

Re: OpenSSL 1.0.0 issue

for me, it didn't help, unfortunately...


What end of the world. The Earth is not the whole world, only a small Wąchock in the universe.

Offline

#14 2012-11-12 19:01:15

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

@sknd: do you have the same SSL error or something else?

Because since last week, I can't download WU anymore:
lun. 12 nov. 2012 19:00:38 CET | World Community Grid | Sending scheduler request: To fetch work.
lun. 12 nov. 2012 19:00:38 CET | World Community Grid | Requesting new tasks for CPU
lun. 12 nov. 2012 19:00:42 CET | World Community Grid | Scheduler request completed: got 0 new tasks
lun. 12 nov. 2012 19:00:42 CET | World Community Grid | No tasks sent
lun. 12 nov. 2012 19:00:42 CET | World Community Grid | No tasks are available for The Clean Energy Project - Phase 2
lun. 12 nov. 2012 19:00:42 CET | World Community Grid | No tasks are available for the applications you have selected.
lun. 12 nov. 2012 19:00:42 CET | World Community Grid | Tasks for AMD/ATI GPU are available, but your preferences are set to not accept them

Indeed I can't use my GPU, so what, I can't work on my CPU either?
I tried to reinstall, removing /usr/lib/boinc, change WCG project, but the issue persists.

Offline

#15 2012-11-12 23:33:41

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 53

Re: OpenSSL 1.0.0 issue

damn... my stderrdae.txt looks like this:

no protocol specified
no protocol specified
...
(and so on)

i think it may be related to my recent change from initscripts to systemd... it did something with logs also, didn't it?


EDIT:

but i checked stdoutdae.txt, here is what it says:

13-Nov-2012 00:35:24 [World Community Grid] update requested by user
13-Nov-2012 00:35:29 [World Community Grid] Sending scheduler request: Requested by user.
13-Nov-2012 00:35:29 [World Community Grid] Reporting 1 completed tasks, not requesting new tasks
13-Nov-2012 00:36:02 [World Community Grid] Started download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.job
13-Nov-2012 00:36:02 [World Community Grid] Started download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.zip
13-Nov-2012 00:36:12 [World Community Grid] Scheduler request completed
13-Nov-2012 00:37:06 [---] Project communication failed: attempting access to reference site
13-Nov-2012 00:37:06 [World Community Grid] Temporarily failed download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.job: connect() failed
13-Nov-2012 00:37:06 [World Community Grid] Backing off 2 hr 58 min 39 sec on download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.job
13-Nov-2012 00:37:06 [World Community Grid] Temporarily failed download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.zip: connect() failed
13-Nov-2012 00:37:06 [World Community Grid] Backing off 3 hr 37 min 44 sec on download of DSFL_00030-22_0000019_0514_DSFL_00030-22_0000019_0514.zip
13-Nov-2012 00:37:08 [---] Internet access OK - project servers may be temporarily down.

no errors... but it's still 0,00% - i mean .job files and .zip files, other files download ok. wtf?

Last edited by sknd (2012-11-12 23:40:00)


What end of the world. The Earth is not the whole world, only a small Wąchock in the universe.

Offline

#16 2012-11-13 18:29:36

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

I didn't see my stderrdae.txt, in fact I have the same message as you: no protocol specified.

Offline

#17 2012-11-17 11:08:27

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 53

Re: OpenSSL 1.0.0 issue

ok, my problem is solved - looks like my problems weren't connected with openssl (or maybe they were but not only, now i have this patched version installed ;) ) - i had something messed up in /etc/hosts - long ago i placed IPs for secure.worldcommunitygrid.org and some other wcg sites there...


What end of the world. The Earth is not the whole world, only a small Wąchock in the universe.

Offline

#18 2012-11-27 12:15:55

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 53

Re: OpenSSL 1.0.0 issue

now the problem is back - transient HTTP error, with .pga files, .pdbqt files and some others... i have patched openssl installed, my etc/hosts is also ok;)

anyone has this problem?


What end of the world. The Earth is not the whole world, only a small Wąchock in the universe.

Offline

#19 2012-11-29 17:12:30

Sebarres
Member
Registered: 2012-01-08
Posts: 11

Re: OpenSSL 1.0.0 issue

No, but I still have my problem with the message "Tasks for AMD/ATI GPU are available, but your preferences are set to not accept them".
Thus, I haven't been able to download WU for some weeks and I don't understand why.

Offline

#20 2012-12-05 18:43:19

korobkov
Member
From: Ulyanovsk, Russia
Registered: 2012-12-05
Posts: 1
Website

Re: OpenSSL 1.0.0 issue

sknd wrote:

now the problem is back - transient HTTP error, with .pga files, .pdbqt files and some others... i have patched openssl installed, my etc/hosts is also ok;)

anyone has this problem?

Yes, I have exactly the same!
I use Parabola GNU/Linux-libre (libre fork of archlinux) x86-64, OpenSSL 1.0.1.c and BOINC 7.0.28.
I didn't have it before the end of November (even with default OpenSSL from repos, no custom PKGBUILDs), and now I have this bug only for .pdbqt and other projects' files; workunits by themselves are OK.

What may be wrong?

Offline

#21 2012-12-06 21:54:45

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 53

Re: OpenSSL 1.0.0 issue

ok, my problem is solved - looks like somehow in my PKGBUILD, one of these two configure options was missing, i don't know why... must have f...ked up something when copy/pasting

-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
-DOPENSSL_NO_TLS1_2_CLIENT

with them both added, everything works fine. You should also check your PKGBUILD, Korobkov!


What end of the world. The Earth is not the whole world, only a small Wąchock in the universe.

Offline
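
An added example (not from the thread or from the Arch packaging) for the failure sknd describes above, where one of the two configure options went missing from a hand-edited PKGBUILD: a shell check that both flags sit on the same logical Configure command, including the case where a dropped line-continuation backslash leaves the second flag outside it. The sample PKGBUILD fragment is constructed, and its ./Configure --prefix=/usr line and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: confirm that both TLS 1.2 workaround
# flags sit on the same logical Configure command of a PKGBUILD.
REQUIRED_FLAGS="-DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50"

# Join backslash-continued lines so each logical command becomes one line.
# Only a backslash at the very end of a line continues it in bash.
join_continuations() {
    awk '{
        if (sub(/\\$/, "")) { buf = buf $0 " " } else { print buf $0; buf = "" }
    } END { if (buf != "") print buf }' "$1"
}

# Exit status: 0 = both flags present, 1 = a flag missing, 2 = no Configure call.
check_pkgbuild_flags() {
    local cmd flag status=0
    cmd=$(join_continuations "$1" | grep -E '(^|[[:space:]]|/)Configure[[:space:]]' \
        | head -n 1 | tr -s '\t' ' ')
    if [ -z "$cmd" ]; then
        echo "no Configure invocation found in $1" >&2
        return 2
    fi
    for flag in $REQUIRED_FLAGS; do
        case " $cmd " in
            *" $flag "*) ;;
            *) echo "missing from Configure command: $flag" >&2; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample PKGBUILD fragment. The "./Configure --prefix=/usr" line
# is an assumption; the other lines follow the excerpt posted in this thread.
write_sample() {   # $1 = output file, $2 = patched | stock | broken
    {
        printf '%s\n' 'build() {' '    ./Configure --prefix=/usr \' \
            '        shared zlib enable-md2 ${optflags} \' \
            '        -Wa,--noexecstack "${CFLAGS}" "${LDFLAGS}" \'
        case "$2" in
            patched) printf '%s\n' '        -DOPENSSL_NO_TLS1_2_CLIENT \' \
                                   '        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50' ;;
            broken)  printf '%s\n' '        -DOPENSSL_NO_TLS1_2_CLIENT' \
                                   '        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50' ;;
            *)       printf '%s\n' '        -DOPENSSL_NO_TLS1_2_CLIENT' ;;
        esac
        printf '%s\n' '    make depend' '    make' '}'
    } > "$1"
}

tmp=$(mktemp -d)
for kind in patched stock broken; do
    write_sample "$tmp/$kind" "$kind"
    check_pkgbuild_flags "$tmp/$kind" && echo "$kind: ok" || echo "$kind: rejected"
done
rm -rf "$tmp"
```

Run check_pkgbuild_flags against the edited PKGBUILD before makepkg; a non-zero status means the rebuilt package would not carry both options.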

#22 2012-12-16 17:55:37

benmachine
Member
Registered: 2012-12-16
Posts: 1

Re: OpenSSL 1.0.0 issue

Hi, I registered just to say that I found my BOINC activity dropping off pretty abruptly recently - last result returned 12/6/12 13:32:41, along with some silence for a week or so beforehand.

After downloading the openssl stuff with

git clone git://projects.archlinux.org/svntogit/packages.git --single-branch --branch packages/openssl

and making the following edits:

diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 2b15e1c..0f8968e 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -50,7 +50,8 @@ build() {
                shared zlib enable-md2 ${optflags} \
                "${openssltarget}" \
                -Wa,--noexecstack "${CFLAGS}" "${LDFLAGS}" \
-               -DOPENSSL_NO_TLS1_2_CLIENT
+               -DOPENSSL_NO_TLS1_2_CLIENT \
+               -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
 
        make depend
        make
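
Review bot: The two workaround defines at the end of the configure command in build() have no comment explaining them; add one above the -DOPENSSL_NO_TLS1_2_CLIENT line stating that both are interoperability workarounds for the TLS 1.2 client hello problem, so whoever updates the package next knows they are deliberate and can drop them when they are no longer needed. This diff also contains only this one hunk, so pkgrel is left unchanged and the rebuilt package carries the same version string as the repository build; bumping pkgrel would keep the two distinguishable.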

then makepkg and installing the result, it has finally started working again.

Offline

#23 2013-02-04 19:07:23

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

Just a quick bump to say that after having to reinstall Arch, this issue still exists, and the fix proposed by Peaceseeker still works. I've edited the wiki to create a quick how-to fix, but if someone feels like creating an AUR package, it seems like this bug is here to stay.

Thanks @Benmachine too for the noob-proof way of downloading those files, not used to using git myself :)

Offline

#24 2013-02-09 03:12:05

k2_8191
Member
Registered: 2012-10-18
Posts: 14

Re: OpenSSL 1.0.0 issue

Uhh, I followed the troubleshooting page on BOINC (Thank you Azriel!), but I can't makepkg successfully... :(
The file "Fix-IV-check-and-padding-removal.patch" fails md5sum check of makepkg.
Here is the output of makepkg:

==> Making package: openssl 1.0.1.d-1 (Sat Feb  9 12:04:28 JST 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving Sources...
  -> Downloading openssl-1.0.1d.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 4355k  100 4355k    0     0  20463      0  0:03:37  0:03:37 --:--:-- 18657
  -> Downloading openssl-1.0.1d.tar.gz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   482  100   482    0     0    239      0  0:00:02  0:00:02 --:--:--   239
  -> Found fix-manpages.patch
  -> Found no-rpath.patch
  -> Found ca-dir.patch
  -> Found Fix-IV-check-and-padding-removal.patch
==> Validating source files with md5sums...
    openssl-1.0.1d.tar.gz ... Passed
    openssl-1.0.1d.tar.gz.asc ... Passed
    fix-manpages.patch ... Passed
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
    Fix-IV-check-and-padding-removal.patch ... FAILED
==> ERROR: One or more files did not pass the validity check!

Did I miss something?
I think editing the md5sum value in PKGBUILD is not a good idea unless the file is edited explicitly...

Offline

#25 2013-02-09 03:24:57

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

I think editing the md5sum value in PKGBUILD is not a good idea unless the file is edited explicitly...

Well, sometimes editing the md5sum is the good choice, but the only reason I can think of would be an orphaned AUR package whose PKGBUILD you had to edit to change the source, making the newly downloaded file different, hence having a different checksum. In this case, there shouldn't be any reason to change the checksum.

I've just followed the wiki myself, and the package compiled perfectly, so my guess is that the fault isn't on the howto, nor on the sources. So it's probably just checksums doing their job and warning you that your download got corrupted somehow. It happens, it's not a big deal, and that's exactly why we have checksums :)

So the fix should be quite simple: just repeat step 1 (git clone blablabla) to download all of the sources again, and just try again to makepkg.

Or you can just download the one file not passing the checksum directly from here.


Hope this fixes your issue!

Offline
