
[Package Update Request] - openssl

Open GrahamCampbell opened this issue 2 years ago • 12 comments

What package is missing from Amazon Linux 2023? Please describe and include package name.

openssl 3.0.11

Is this an update to existing package or new package request?

Update. Current version is old.

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.

N/A

Any additional information you'd like to include. (use-cases, etc)

Needed by bref: https://github.com/brefphp/aws-lambda-layers/pull/122/files#r1328635116.

GrahamCampbell avatar Oct 11 '23 09:10 GrahamCampbell

cc @stewartsmith

GrahamCampbell avatar Oct 11 '23 09:10 GrahamCampbell

For a variety of reasons we tend to backport security fixes to OpenSSL rather than bump the version of it. Are there specific things in 3.0.11 you need beyond already backported security updates?

stewartsmith avatar Oct 11 '23 14:10 stewartsmith

I think just the security fixes. Why not upgrade to get the bug fixes, though?

GrahamCampbell avatar Oct 11 '23 15:10 GrahamCampbell

Amazon Linux 2023.7 (2023.7.20250331) has rebased OpenSSL to v3.2.2. Please test.

See also, AL2023.7 Release Notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.7.html

szarkos avatar Apr 01 '25 21:04 szarkos

Any plans to upgrade to 3.4.1?

GrahamCampbell avatar Apr 01 '25 21:04 GrahamCampbell

I have no plans to share today, although it should be technically feasible. Are there specific features or fixes in OpenSSL-3.4.1 that you require?

Distros may also opt to wait for OpenSSL 3.5 since that will be the next LTS release, per their roadmap: https://openssl-library.org/roadmap/index.html

szarkos avatar Apr 01 '25 21:04 szarkos

3.5.0 sounds good. Mostly the QUIC changes in later versions than 3.2.

GrahamCampbell avatar Apr 01 '25 21:04 GrahamCampbell

My product is failing to build after the upgrade and I need to run with 3.0.8. I tried installing openssl-fips-provider-certified and openssl-fips-provider-certified-so, since those are the 3.0.8 version, but the install is failing. Below are the details.

The amazonlinux:latest Docker image now comes with openssl-fips-provider-latest.aarch64 1:3.2.2-1.amzn2023.0.1 installed by default.

yum list installed | grep -i openssl
openssl-fips-provider-latest.aarch64 1:3.2.2-1.amzn2023.0.1              @System
openssl-libs.aarch64                 1:3.2.2-1.amzn2023.0.1              @System
bash-5.2#

Whereas, as per the release notes (https://docs.aws.amazon.com/linux/al2023/release-notes/all-packages-AL2023.7.html), it should be installed with 3.0.8-1.amzn2023.0.1.


I tried to do yum install openssl-fips-provider-certified-so to see if it can downgrade, but it is conflicting and not allowing me to downgrade. I would request you to kindly downgrade openssl-fips-provider-certified-so to 3.0.8-1.amzn2023.0.1 as per the Amazon release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/all-packages-AL2023.7.html

yum install openssl-fips-provider-certified-so
Last metadata expiration check: 0:01:46 ago on Thu Apr  3 07:47:02 2025.
Dependencies resolved.
============================================================================================================
 Package                                  Architecture  Version                     Repository         Size
============================================================================================================
Installing:
 openssl-fips-provider-certified-so       aarch64       3.0.8-1.amzn2023.0.1        amazonlinux       519 k

Transaction Summary
============================================================================================================
Install  1 Package

Total size: 519 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] openssl-fips-provider-certified-so-3.0.8-1.amzn2023.0.1.aarch64.rpm: Already downloaded          
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  file /usr/lib64/ossl-modules/fips.so from install of openssl-fips-provider-certified-so-3.0.8-1.amzn2023.0.1.aarch64 conflicts with file from package openssl-fips-provider-latest-1:3.2.2-1.amzn2023.0.1.aarch64

AbhishekPuranam avatar Apr 03 '25 08:04 AbhishekPuranam

The openssl-fips-provider-latest package is installed by default. Instructions for swapping the FIPS provider can be found in the user guide: https://docs.aws.amazon.com/linux/al2023/ug/fips-openssl-swap-provider.html

If you want to downgrade openssl entirely, then you can use dnf downgrade, although, since openssl-fips-provider-* are new packages, you need to either remove those manually or use --allowerasing.

szarkos avatar Apr 03 '25 16:04 szarkos
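Since the thread turns on a build that broke when AL2023 rebased OpenSSL from 3.0.8 to 3.2.2, and on the request to "please test" the rebase, here is an added preflight check (not from the issue or from Amazon Linux) that a build script can run to confirm the installed OpenSSL falls inside the range it was tested against; the version range and the sample `openssl version` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a build early, with a clear message, when the OpenSSL
# it is about to link against is outside the range it was tested with
# (a distro rebase such as 3.0.8 -> 3.2.2 is then caught before compiling).

# Extract "major.minor.patch" from `openssl version` output such as
# "OpenSSL 3.2.2 4 Jun 2024"; letter suffixes (1.1.1k) are dropped.
openssl_semver() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Compare two dotted x.y.z versions numerically; prints -1, 0 or 1.
vercmp() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { echo -1; return; }
        [ "$1" -gt "$2" ] && { echo 1; return; }
    done
    echo 0
}

# Exit status 0 when the reported version lies within [min, max], 1 otherwise
# (also 1 when the input does not look like `openssl version` output).
openssl_in_range() {
    v=$(openssl_semver "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" "$2")" -ge 0 ] && [ "$(vercmp "$v" "$3")" -le 0 ]
}

# Constructed sample; a real build would pass "$(openssl version)" instead.
SAMPLE="OpenSSL 3.2.2 4 Jun 2024"
if openssl_in_range "$SAMPLE" 3.0.8 3.0.99; then
    echo "OpenSSL version accepted: $SAMPLE"
else
    echo "OpenSSL outside tested range 3.0.8..3.0.x, refusing to build: $SAMPLE" >&2
fi
```

On the 3.2.2 image from the thread this prints the refusal message; on a 3.0.8 image it accepts.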

@szarkos OpenSSL 3.5.2 is now available and is LTS. Are we able to move forward with that version in the next AL release, and have it available to Lambda?

GrahamCampbell avatar Aug 19 '25 10:08 GrahamCampbell

@szarkos OpenSSL 3.2 (available in AL2023) will not be supported next month. OpenSSL 3.5 is now available and is LTS. It includes PQC algorithms (ML-KEM, ML-DSA and SLH-DSA). Any roadmap?

christianpoulain95100 avatar Sep 29 '25 04:09 christianpoulain95100

@christianpoulain95100 Keep in mind that most enterprise distros never update openssl for the lifetime of a major release. There are API and ABI compatibility concerns, deprecation issues, etc., meaning that the likelihood is high that such an update will break customers, which goes against our general policy. I don't know yet whether we will make an exception for OpenSSL 3.5 or not, but we can't "just update it" for the sake of it.

ozbenh avatar Sep 29 '25 22:09 ozbenh