[SERVER-44293] Log both OpenSSL running/linked and compiled versions at startup Created: 29/Oct/19 Updated: 27/Oct/23 Resolved: 16/Sep/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Nic Cottrell | Assignee: | Mark Benvenuto |
| Resolution: | Works as Designed | Votes: | 1 |
| Labels: | move-sec |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Sprint: | Security 2020-09-21 |
| Description |
|
In the code it's obvious that the current OpenSSL line is about the build version, but it's not clear in the logs since there is a "build environment:" section later. For example:
In appendBuildInfo we output both and I think this goes into FTDC:
Let's put both running and compiled version into the startup logs too. If possible, let's also output the path of the .so library file linked in to help diagnose custom libldap_r linking. Could this be scheduled in PM-1492 alongside |
| Comments |
| Comment by Mark Benvenuto [ 16/Sep/20 ] |
|
In 3.6, 4.0, 4.2 and 4.4, I can confirm we are outputting the runtime version of OpenSSL by calling {{SSLeay_version(SSLEAY_VERSION)}} in the log.

There is one caveat: RHEL 7.x's OpenSSL lies about the version. Working around RHEL 7.x's linker script is tricky and not something I am planning to do. The big issue is finding the exact libssl.so.x.y.z binary we linked against on RHEL 7.x at runtime.

Details:

This means that if mongod is compiled against OpenSSL 1.0.1, a call to SSLeay_version returns "OpenSSL 1.0.1e-fips 11 Feb 2013" even though OpenSSL 1.0.2 is installed.

This means that if mongod is compiled against OpenSSL 1.0.2, a call to SSLeay_version returns "OpenSSL 1.0.2k-fips 26 Jan 2017".

For reference, here is a link to the source RPM, and the patch Red Hat applies to OpenSSL.

Source RPM:
Symbol versioning: https://sourceware.org/binutils/docs/ld/VERSION.html
openssl-1.0.2a-version.patch
| Comment by Carl Champain (Inactive) [ 29/Oct/19 ] |
|
Passing this ticket along to Dev Tools. |
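The RHEL 7.x caveat in Mark Benvenuto's comment can be checked from outside the process by comparing the version string the server logs with the library file actually mapped into it. The C program below is an added example, not MongoDB code. It assumes the mapped file name carries the full version (the libssl.so.x.y.z form the comment mentions); the `/proc/<pid>/maps` line and library path are constructed, and the function names are hypothetical.

```c
/* Added example, not MongoDB code. Paths and maps lines are constructed. */
#include <stdio.h>
#include <string.h>

/* Copy the "1.0.1e" token out of "OpenSSL 1.0.1e-fips 11 Feb 2013". */
int reported_version(const char *text, char *out, size_t n) {
    const char *p = strchr(text, ' ');
    if (!p) return -1;
    size_t len = strspn(++p, "0123456789.abcdefghijklmnopqrstuvwxyz");
    if (len == 0 || len >= n) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* From one /proc/<pid>/maps line, copy the path of a mapping whose file name
 * starts with `lib` (e.g. "libssl.so."). Returns 0 if the line matches. */
int mapped_path(const char *line, const char *lib, char *out, size_t n) {
    const char *path = strchr(line, '/');
    const char *base = path ? strrchr(path, '/') + 1 : NULL;
    if (!base || strncmp(base, lib, strlen(lib)) != 0) return -1;
    size_t len = strcspn(path, "\n");
    if (len >= n) return -1;
    memcpy(out, path, len);
    out[len] = '\0';
    return 0;
}

/* 1: reported version and the file's ".so." suffix agree (one is a prefix of
 * the other), 0: they disagree, -1: either input could not be parsed. */
int versions_agree(const char *reported, const char *path) {
    char r[32];
    const char *m = strstr(path, ".so.");
    if (!m || reported_version(reported, r, sizeof r) != 0) return -1;
    m += 4;
    size_t ml = strcspn(m, " \n"), rl = strlen(r);
    if (ml == 0) return -1;
    return strncmp(r, m, rl < ml ? rl : ml) == 0;
}

int main(void) {
    /* Constructed maps line; the version string is the one quoted in the comment. */
    const char *line = "7f10a2c00000-7f10a2c67000 r-xp 00000000 fd:00 1234 "
                       "/usr/lib64/libssl.so.1.0.2k\n";
    const char *reported = "OpenSSL 1.0.1e-fips 11 Feb 2013";
    char path[256];
    if (mapped_path(line, "libssl.so.", path, sizeof path) == 0)
        printf("reported=\"%s\" mapped=%s agree=%d\n", reported, path,
               versions_agree(reported, path));
    return 0;
}
```

Where only a soname such as `libssl.so.3` is mapped, the prefix comparison returns 1, which means the check is inconclusive rather than a confirmation of the patch level.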