sshd fails to start - undefined symbol: EVP_KDF_ctrl

sshd fails to start - undefined symbol: EVP_KDF_ctrl

spython
Following an OS upgrade of the server I have been unable to start sshd
service.  On this server some software is upgraded from the OS packages
whereas others are manually built.  Openssl is manually built from
source.  After the upgrade of the OS the error message I get when
starting sshd is:
sshd: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
The version I was running was openssl.1.1.1a.
I then replaced it with openssl.1.1.1d hoping it would resolve the
problem.  It did not.  I would be grateful for any pointers as to how
I can resolve this.

Re: sshd fails to start - undefined symbol: EVP_KDF_ctrl

Viktor Dukhovni
On Wed, Nov 13, 2019 at 01:47:31PM -0500, SP wrote:

> Following an OS upgrade of the server I have been unable to start sshd
> service.  On this server some software is upgraded from the OS packages
> whereas others are manually built.  Openssl is manually built from source.
> After the upgrade of the OS the error message I get when starting sshd is
> sshd: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b The version I
> was running was openssl.1.1.1a I then replaced it with openssl.1.1.1d hoping
> it would resolve the problem.  It did not.  I  would be grateful for any
> pointers as to how I can resolve this.

OpenSSL from openssl.org (upstream) has never had EVP_KDF_ctrl in
the OpenSSL 1.1.1 release branch.  That function briefly appeared
in the 3.0.0 development (master) branch, but has since been replaced.

Whoever built your SSH packages used a custom version of OpenSSL.
You really SHOULD NOT replace system packages (like OpenSSL) with
your own builds, unless you're willing and able to ensure ABI
compatibility with the vendor build.

It is safer to install any custom copy of OpenSSL in a non-default
location (I use /opt/openssl/1.1), and give the shared libraries
in such copies non-default SONAMEs so as to avoid conflict.

--
    Viktor.
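
Added example, not part of either message above: a shell check for the ABI mismatch described in the reply, comparing the OpenSSL-versioned symbols a binary imports against those a given libcrypto defines. The function names and the three sample dumps are constructed for illustration; the vendor dump assumes the vendor library carries EVP_KDF_ctrl, which the thread implies but does not show.

```shell
#!/bin/sh
# Added diagnostic example, not from the original thread.
# Works on `readelf -W --dyn-syms` text so the logic can be checked offline.

# NAME@VERSION of every OpenSSL-versioned symbol the binary imports (Ndx = UND).
needed_syms() {
    awk '$7 == "UND" && $8 ~ /@OPENSSL_/ { print $8 }' | sort -u
}

# NAME@VERSION of every versioned symbol the library defines.
# readelf marks a default version with "@@"; normalise it to "@".
provided_syms() {
    awk '$7 != "UND" && $8 ~ /@/ { sub(/@@/, "@", $8); print $8 }' | sort -u
}

# $1 = dump of the binary, $2 = dump of the library it would load.
# Prints each import the library cannot satisfy; prints nothing when the ABI matches.
missing_syms() {
    printf '%s\n' "$1" | needed_syms | while read -r sym; do
        printf '%s\n' "$2" | provided_syms | grep -qxF -- "$sym" ||
            printf '%s\n' "$sym"
    done
}

# Constructed sample: imports of a vendor-built sshd.
SSHD_DUMP='    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_KDF_ctrl@OPENSSL_1_1_1b (5)
    13: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND EVP_sha256@OPENSSL_1_1_0 (4)'
# Constructed sample: libcrypto built from upstream 1.1.1 source (no EVP_KDF_ctrl).
UPSTREAM_DUMP='  2101: 00000000001a2b30    12 FUNC    GLOBAL DEFAULT   13 EVP_sha256@@OPENSSL_1_1_0'
# Constructed sample: vendor libcrypto, assumed to carry the extra symbol.
VENDOR_DUMP='  2101: 00000000001a2b30    12 FUNC    GLOBAL DEFAULT   13 EVP_sha256@@OPENSSL_1_1_0
  2102: 00000000001a2c40    96 FUNC    GLOBAL DEFAULT   13 EVP_KDF_ctrl@@OPENSSL_1_1_1b'

if [ "$#" -eq 2 ]; then
    # Real use: script.sh /usr/sbin/sshd /path/to/libcrypto.so.1.1
    missing_syms "$(readelf -W --dyn-syms "$1")" "$(readelf -W --dyn-syms "$2")"
else
    echo "sshd imports missing from the upstream build:"
    missing_syms "$SSHD_DUMP" "$UPSTREAM_DUMP"
fi
```

Running `ldd /usr/sbin/sshd` first shows which libcrypto path the loader actually resolves, which is the library to pass as the second argument.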