[SERVER-44293] Log both OpenSSL running/linked and compiled versions at startup Created: 29/Oct/19  Updated: 27/Oct/23  Resolved: 16/Sep/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Nic Cottrell Assignee: Mark Benvenuto
Resolution: Works as Designed Votes: 1
Labels: move-sec
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
Sprint: Security 2020-09-21
Participants:

Description

In SERVER-8364 we added logging of the OpenSSL version but it seems this is the compile-time version.

In the code it's obvious that the current OpenSSL line is about the build version, but it's not clear in the logs since there is a "build environment:" section later. For example:

2019-10-28T14:17:33.088+0000 I CONTROL  [main] ***** SERVER RESTARTED *****
2019-10-28T14:17:33.092+0000 I CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2019-10-28T14:17:33.139+0000 I CONTROL  [initandlisten] MongoDB starting : pid=13682 port=27118 dbpath=/u01/mongod/data/mongod_ukoplog1u 64-bit host=kn-ebs-momv01
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] db version v4.0.13
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] git version: bda366f0b0e432ca143bc41da54d8732bd8d03c0
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] modules: enterprise 
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] build environment:
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten]     distmod: rhel70
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten]     distarch: x86_64
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2019-10-28T14:17:33.140+0000 I CONTROL  [initandlisten] options: { ... }

In appendBuildInfo we output both and I think this goes into FTDC:

opensslInfo << "running" << openSSLVersion() << "compiled" << OPENSSL_VERSION_TEXT;

Let's put both running and compiled version into the startup logs too. If possible, let's also output the path of the .so library file linked in to help diagnose custom libldap_r linking.

Could this be scheduled in PM-1492 alongside SERVER-43761?

Comments
Comment by Mark Benvenuto [ 16/Sep/20 ]

In 3.6, 4.0, 4.2 and 4.4, I can confirm we are outputting the runtime version of OpenSSL by calling {{SSLeay_version(SSLEAY_VERSION)}} in the log.

There is one caveat: RHEL 7.x OpenSSL lies about the version. Working around RHEL 7.x's linker script is tricky and not something I am planning to do. The big issue is finding the exact libssl.so.x.y.z binary we linked against on RHEL 7.x at runtime.

Details:
Redhat in RHEL/Centos 7.x is patching OpenSSL to return a different version string for OpenSSL depending on which version of OpenSSL a binary was compiled against.

This means that if mongod is compiled against OpenSSL 1.0.1, a call to SSLeay_version returns "OpenSSL 1.0.1e-fips 11 Feb 2013" even though OpenSSL 1.0.2 is installed.

This means that if mongod is compiled against OpenSSL 1.0.2, a call to SSLeay_version returns "OpenSSL 1.0.2k-fips 26 Jan 2017".

For reference, here is a link to the source RPM, and the patch Redhat applies to OpenSSL.

Source RPM:
http://vault.centos.org/7.4.1708/os/Source/SPackages/openssl-1.0.2k-8.el7.src.rpm

Symbol versioning: https://sourceware.org/binutils/docs/ld/VERSION.html

openssl-1.0.2a-version.patch

diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
--- openssl-1.0.2a/crypto/cversion.c.version    2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/cversion.c    2015-04-21 16:48:56.285535316 +0200
@@ -62,7 +62,7 @@
 # include "buildinf.h"
 #endif
 
-const char *SSLeay_version(int t)
+const char *_current_SSLeay_version(int t)
 {
     if (t == SSLEAY_VERSION)
         return OPENSSL_VERSION_TEXT;
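Review bot: renaming the public definition at `+const char *_current_SSLeay_version(int t)` leaves this file with no plain `SSLeay_version` definition and makes the exported name depend entirely on the `.symver` directives added further down; a one-line comment at the rename saying so, and why several variants exist, would spare the next maintainer a search. The file-scope identifiers `_current_*` and `_original_*` also begin with an underscore, which the C standard reserves for the implementation; a distinct prefix such as `rhel_` would avoid that.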
@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
     return ("not available");
 }
 
-unsigned long SSLeay(void)
+const char *_original_SSLeay_version(int t)
+{
+    if (t == SSLEAY_VERSION)
+        return "OpenSSL 1.0.0-fips 29 Mar 2010";
+    else
+        return _current_SSLeay_version(t);
+}
+
+const char *_original101_SSLeay_version(int t)
+{
+    if (t == SSLEAY_VERSION)
+        return "OpenSSL 1.0.1e-fips 11 Feb 2013";
+    else
+        return _current_SSLeay_version(t);
+}
+
+unsigned long _original_SSLeay(void)
+{
+    return (0x10000003L);
+}
+
+unsigned long _original101_SSLeay(void)
+{
+    return (0x1000105fL);
+}
+
+unsigned long _current_SSLeay(void)
 {
     return (SSLEAY_VERSION_NUMBER);
 }
+
+__asm__(".symver _original_SSLeay,SSLeay@");
+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
+__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
+__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
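Review bot: `_original_SSLeay_version` and `_original101_SSLeay_version` hard-code `"OpenSSL 1.0.0-fips 29 Mar 2010"` and `"OpenSSL 1.0.1e-fips 11 Feb 2013"` for `t == SSLEAY_VERSION` but fall through to `_current_SSLeay_version(t)` for every other `t`, so a caller bound to an old symbol version gets the old version string next to the current library's build flags, build date and platform; that mismatch, and the fact that `SSLeay_version(SSLEAY_VERSION)` via these aliases can no longer tell the caller which library is actually loaded, deserves a comment. The magic numbers in `_original_SSLeay` (`0x10000003L`) and `_original101_SSLeay` (`0x1000105fL`) should likewise state which releases they encode.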
diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
--- openssl-1.0.2a/Makefile.shared.version      2015-04-21 16:43:02.624170648 +0200
+++ openssl-1.0.2a/Makefile.shared      2015-04-21 16:43:02.676171879 +0200
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
        SHLIB_SUFFIX=; \
        ALLSYMSFLAGS='-Wl,--whole-archive'; \
        NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-       SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+       SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 
 DO_GNU_APP=LDFLAGS="$(CFLAGS)"
 
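Review bot: the added `-Wl,--default-symver,--version-script=version.map` in `SHAREDFLAGS` applies to every shared object built through `DO_GNU_SO`, not only the library that defines `SSLeay` and `SSLeay_version`, and `--default-symver` changes the versioning of all otherwise unversioned exports, which is a wider ABI change than the two symbols the patch is about; a comment in the Makefile stating that intent, and that `version.map` is resolved relative to the directory the link runs in, would make the scope explicit.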
diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
--- openssl-1.0.2a/version.map.version  2015-04-21 16:43:02.676171879 +0200
+++ openssl-1.0.2a/version.map  2015-04-21 16:51:49.621630589 +0200
@@ -0,0 +1,13 @@
+OPENSSL_1.0.1 {
+    global:
+           SSLeay;
+           SSLeay_version;
+    local:
+           _original*;
+           _current*;
+};
+OPENSSL_1.0.2 {
+    global:
+           SSLeay;
+           SSLeay_version;
+} OPENSSL_1.0.1;
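Review bot: `version.map` names only the `OPENSSL_1.0.1` and `OPENSSL_1.0.2` nodes, while the `.symver _original_SSLeay,SSLeay@` and `.symver _original_SSLeay_version,SSLeay_version@` directives in cversion.c add a third, unversioned variant that this script never mentions, so someone reading the map alone cannot see all three ABI flavours; a comment line naming the unversioned fallback and where its strings are hard-coded would close that gap. The `local: _original*; _current*;` wildcards also hide any future symbol starting with those prefixes in every library this map is applied to, which is worth stating explicitly.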

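As an added example (not code from the ticket, MongoDB or Red Hat), this is the check a defender can run on a RHEL 7 host to see which of the three SSLeay_version variants a mongod binary binds to, and therefore what its logged "OpenSSL version" line can and cannot tell you, plus the ldd/readlink step for the libssl.so.x.y.z path question raised in the comment above; the objdump -T sample lines are constructed, and the mapping of symbol version to returned string follows the patch quoted above.

```shell
#!/bin/sh
# Added example (not from the ticket or from MongoDB): show which versioned
# SSLeay_version symbol a binary binds to, what the patched RHEL 7 libcrypto will
# therefore report, and which libcrypto file actually satisfies the symbol at runtime.

# Constructed objdump -T lines for three hypothetical builds (not captured output).
BUILT_AGAINST_102='0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.2 SSLeay_version'
BUILT_AGAINST_101='0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.1 SSLeay_version'
BUILT_UNVERSIONED='0000000000000000      DF *UND*  0000000000000000                SSLeay_version'

# Print the version node bound to SSLeay_version in the objdump -T text given as $1,
# or UNVERSIONED when the version column is absent ($(NF-1) is then the hex size).
ssleay_symver() {
    printf '%s\n' "$1" | awk '$NF == "SSLeay_version" {
        v = $(NF - 1)
        if (v ~ /^[0-9a-fA-F]+$/) v = "UNVERSIONED"
        print v
        exit
    }'
}

# Map the bound version to the string SSLeay_version(SSLEAY_VERSION) returns under
# the cversion.c / version.map patch quoted above.
expected_version_string() {
    case "$1" in
        OPENSSL_1.0.2) echo 'the real OPENSSL_VERSION_TEXT of the loaded libcrypto' ;;
        OPENSSL_1.0.1) echo 'OpenSSL 1.0.1e-fips 11 Feb 2013' ;;
        UNVERSIONED)   echo 'OpenSSL 1.0.0-fips 29 Mar 2010' ;;
        *)             echo "unknown symbol version: $1" ;;
    esac
}

# For a real binary: the libcrypto the loader resolves, followed through symlinks
# to the concrete libcrypto.so.x.y.z file. Needs ldd and readlink -f.
libcrypto_path() {
    p=$(ldd "$1" | awk '/libcrypto\.so/ { print $3; exit }')
    [ -n "$p" ] && readlink -f "$p"
}

# Usage on a live host: sh this_script.sh /usr/bin/mongod
if [ -n "${1:-}" ] && [ -x "$1" ]; then
    sym=$(ssleay_symver "$(objdump -T "$1")")
    echo "$1 binds SSLeay_version@$sym -> reports: $(expected_version_string "$sym")"
    echo "libcrypto actually loaded: $(libcrypto_path "$1")"
fi
```

The same two commands work for libssl (`/libssl\.so/`), since the symbol-version node a binary requests is what the RHEL linker script keys on, not the installed package version.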
Comment by Carl Champain (Inactive) [ 29/Oct/19 ]

Hi nicholas.cottrell,

Passing this ticket along to Dev Tools.

Generated at Thu Feb 08 05:05:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.