How to update SSL libs in a jail

Status
Not open for further replies.

Francis Reader

Dabbler
Joined
Mar 18, 2015
Messages
19
FreeNAS-9.3-STABLE-201511280648
I'm running sickrage in a jail and my search provider recently underwent severe DDoS. They rebuilt their servers and now sickrage cannot connect to their https giving a 403.

Connecting using wget instead of sickrage also gives a 403
( OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure )

It's not a sickrage issue, as I can quite happily do a wget from my local linux machine which works and from the sickrage jail which fails with a 403.

Ideas?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You can manually build OpenSSL from the sources available on the Web. Trying to build stuff from ports is always a losing proposition if you want the most recent versions. I don't have any specific information about the package you're using, but I believe the default OpenSSL on the web will try to install into /usr/local. Check to see if you already have OpenSSL installed there as a port, and if so, I'd say just try updating it from the web.

Process is generally something like:

Code:
# fetch https://www.openssl.org/source/openssl-1.0.2e.tar.gz
# tar zxf openssl-1.0.2e.tar.gz
# cd openssl-1.0.2e
# ./config

or possibly

# ./config --prefix=/usr/local
# make
# make install


Do consider making a backup of your jail before you risk its contents on something I pulled from my memory.
 

Francis Reader

Dabbler
Joined
Mar 18, 2015
Messages
19
The irony is that openssl is rejecting the fetch as the ssl libs are too old... ;-)

Grabbed the tarball using linux and scp'ed across ;-)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Ahahaha. Yes, you can use "http:" instead of "https:" for that fetch. The whole SSL compatibility thing is becoming a royal PITA.
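
A tarball fetched over plain "http:" (or copied in from another machine) arrives without any transport integrity check, so it is worth comparing its SHA-256 digest with the value published for the release before running `make install`. The script below is an added example, not part of either poster's replies; the function names are hypothetical and `$EXPECTED` is a placeholder for a digest obtained over a channel the http fetch cannot tamper with, such as a browser on a machine with working HTTPS.

```shell
#!/bin/sh
# Added example: verify a source tarball fetched over plain http before building.

# Print the SHA-256 hex digest of a file using whichever tool is present:
# sha256 (FreeBSD base), sha256sum (Linux coreutils) or the openssl CLI.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_tarball FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed digest.
verify_tarball() {
    file=$1
    # Normalise case and strip whitespace from the pasted digest.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Reject anything that is not 64 hex characters, e.g. an HTML error
    # page saved in place of the checksum.
    case $expected in
        *[!0-9a-f]*) echo "bad checksum format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad checksum length" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (EXPECTED is a placeholder, not a value from this thread):
#   verify_tarball openssl-1.0.2e.tar.gz "$EXPECTED" && tar zxf openssl-1.0.2e.tar.gz
```
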
 

Francis Reader

Dabbler
Joined
Mar 18, 2015
Messages
19
I don't want to recompile anything else, so also symlinked lib.so.1.0.0 to lib.so.6.

I know, a bit dangerous, but nothing really to lose until 10.x comes out, plus I might be moving all my jails to esxi VMs before then, and keep freenas just as a NAS.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, if it works, it works.

I much prefer running ESXi VMs myself, so that has my seal of approval. ;-)
 