22 Feb 2017 : Building an unhobbled OpenSSL 1.0.2k RPM for Fedora 25
Fedora’s OpenSSL build is actually a cut-down version with many of the elliptic curve features removed due to patent concerns. These are available in stock OpenSSL and in other distros such as Ubuntu, so it’s a pain they’re not available in Fedora. Daniel Pocock provided a nice tutorial on how to build an RPM that restores the functionality, but it’s a bit old now (Fedora 19, 2013) and generated errors when I tried to follow it more recently. Here’s an updated process that’ll work for OpenSSL 1.0.2k on Fedora 26.
Prepare the system
Remove the existing openssl-devel package and install the dependencies needed to build a new one. These all have to be done as root (e.g. by adding sudo to the front of them).
rpm -e openssl-devel
dnf install rpm-build krb5-devel zlib-devel gcc gmp-devel \
  libcurl-devel openldap-devel NetworkManager-devel \
  NetworkManager-glib-devel sqlite-devel lksctp-tools-devel \
  perl-generators rpmdevtools
Set up an rpmbuild environment
If you don’t already have one. Something like this should do the trick.
Obtain the packages and build
The following will download the sources and apply a patch to reinstate the ECC functionality. This is broadly the same as Daniel's, but with more recent package links and an updated patch to work with them.
# Install the Fedora RPM with all the standard Red Hat patches
cd ~/rpmbuild/SRPMS
rpm -i openssl-1.0.2k-1.fc25.src.rpm
# Install the stock OpenSSL source which doesn’t have the ECC code removed
# Patch the spec file to avoid all of the nasty ECC-destroying patches
cd ../SPECS
patch -p0 <
# And build
rpmbuild -bb openssl.spec
Install the OpenSSL packages
cd ~/rpmbuild/RPMS/$(uname -i)
rpm -Uvh --force openssl-1.0.2k*rpm openssl-devel-1.0.2k*rpm openssl-libs-1.0.2k*rpm
Once this has completed, your ECC functionality should be restored. You can check by entering
openssl ecparam -list_curves
to list the curves your currently installed package supports. That should be it. In case you want to use the slightly older 1.0.2j version of OpenSSL, you can follow my separate post on the topic.
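To script that check, here is an added example (not part of the original post) that parses the output of openssl ecparam -list_curves and reports which curves you need are still absent. The function names, the WANTED list and both sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm that specific curves show up in the output of
# `openssl ecparam -list_curves` after installing the rebuilt packages.

# Print one curve name per line from list_curves output read on stdin.
# Entries look like "  secp256k1 : SECG ..." or "  prime256v1: X9.62 ...";
# wrapped description lines carry no "name:" prefix and are skipped.
curve_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]\{1,\}\)[[:space:]]*:.*$/\1/p'
}

# Read list_curves output on stdin; print each curve named in "$@" that is
# absent. Returns 0 when all are present, 1 otherwise.
missing_curves() {
    have=$(curve_names)
    rc=0
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$want" || { echo "$want"; rc=1; }
    done
    return "$rc"
}

# Assumption: the curves this machine needs. Replace with your own list.
WANTED="secp256k1 prime256v1 brainpoolP256r1"

# Constructed sample of a cut-down build's output (not captured from Fedora).
SAMPLE_CUT='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'

# Constructed sample of a fuller build's output, including a wrapped entry.
SAMPLE_FULL='  secp256k1 : SECG curve over a 256 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  Oakley-EC2N-3:
    IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
    Not suitable for ECDSA.'

# Check the installed openssl, if there is one on PATH.
if command -v openssl >/dev/null 2>&1; then
    if gone=$(openssl ecparam -list_curves 2>/dev/null | missing_curves $WANTED); then
        echo "all wanted curves present"
    else
        echo "missing:" $gone
    fi
fi
```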

