22 Feb 2017 : Building an unhobbled OpenSSL 1.0.2k RPM for Fedora 25
Fedora’s OpenSSL build is actually a cut-down version with many of the elliptic curve features removed due to patent concerns. These are available in stock OpenSSL and in other distros such as Ubuntu, so it’s a pain they’re not available in Fedora. Daniel Pocock provided a nice tutorial on how to build an RPM that restores the functionality, but it’s a bit old now (Fedora 19, 2013) and generated errors when I tried to follow it more recently. Here’s an updated process that’ll work for OpenSSL 1.0.2k on Fedora 26.
Prepare the system
Remove the existing openssl-devel package and install the dependencies needed to build a new one. These all have to be done as root (e.g. by adding sudo to the front of them).

    rpm -e openssl-devel
    dnf install rpm-build krb5-devel zlib-devel gcc gmp-devel \
        libcurl-devel openldap-devel NetworkManager-devel \
        NetworkManager-glib-devel sqlite-devel lksctp-tools-devel \
        perl-generators rpmdevtools

Set up an rpmbuild environment
If you don’t already have one, something like this should do the trick.

    rpmdev-setuptree

Obtain the packages and build
The following will download the sources and apply a patch to reinstate the ECC functionality. This is broadly the same as Daniel's, but with more recent package links and an updated patch to work with them.

    # Install the fedora RPM with all the standard Red Hat patches
    cd ~/rpmbuild/SRPMS
    wget http://dl.fedoraproject.org/pub/fedora/linux/updates/25/SRPMS/o/openssl-1.0.2k-1.fc25.src.rpm
    rpm -i openssl-1.0.2k-1.fc25.src.rpm

    # Install the stock OpenSSL source which doesn’t have the ECC code removed
    cd ../SOURCES
    wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz

    # Patch the spec file to avoid all of the nasty ECC-destroying patches
    cd ../SPECS
    wget http://www.flypig.co.uk/dnload/dnload/pico/openssl.spec.ec-1.0.2k.patch
    patch -p0 < openssl.spec.ec-1.0.2k.patch

    # And build
    rpmbuild -bb openssl.spec

Install the OpenSSL packages

    cd ~/rpmbuild/RPMS/$(uname -i)
    rpm -Uvh --force openssl-1.0.2k*rpm openssl-devel-1.0.2k*rpm openssl-libs-1.0.2k*rpm

Once this has completed, your ECC functionality should be restored. You can check by entering

    openssl ecparam -list_curves

to list the curves your currently installed package supports. That should be it. In case you want to use the slightly older 1.0.2j version of OpenSSL, you can follow my separate post on the topic.
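
To confirm that particular curves are present rather than reading the whole listing by eye, the following added example (not part of the original post) parses the `openssl ecparam -list_curves` output and reports any requested curve that is missing. The script name check_curves.sh, the curve names in the usage line and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check that specific curves
# are offered by the installed openssl after the rebuild.

# Constructed sample in the layout `openssl ecparam -list_curves` prints:
# "name : description", "name: description", and tab-indented continuations.
sample_listing() {
    printf '  secp384r1 : NIST/SECG curve over a 384 bit prime field\n'
    printf '  prime256v1: X9.62/SECG curve over a 256 bit prime field\n'
    printf '  Oakley-EC2N-3: \n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n'
    printf '\tNot suitable for ECDSA.\n'
}

# Read a listing on stdin and print one curve name per line.
curve_names() {
    awk -F: '/:/ { n = $1; gsub(/^[ \t]+|[ \t]+$/, "", n)
                   if (n ~ /^[A-Za-z0-9_-]+$/) print n }'
}

# Read a listing on stdin; print each requested curve that is absent.
# Exit status 0 means every requested curve is present.
missing_curves() {
    _have=$(curve_names)
    _rc=0
    for _c in "$@"; do
        if ! printf '%s\n' "$_have" | grep -qxF -e "$_c"; then
            printf '%s\n' "$_c"
            _rc=1
        fi
    done
    return "$_rc"
}

# Run the check against the openssl binary found first on PATH.
check_openssl_curves() {
    if _missing=$(openssl ecparam -list_curves | missing_curves "$@"); then
        echo "all requested curves are available"
    else
        echo "missing curves:" $_missing >&2
        return 1
    fi
}

# Usage: sh check_curves.sh secp521r1 brainpoolP256r1
if [ "$#" -gt 0 ]; then
    check_openssl_curves "$@"
fi
```

A non-zero exit status means at least one requested curve is absent, which usually indicates the distribution's package is still the one being picked up.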