Project

General

Profile

Actions

Bug #14934

closed

haproxy-devel: "Warning: process cannot be trusted anymore!" since pfSense Plus Upgrade to

Added by Thomas Ward about 1 year ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.7.0
Affected Plus Version:
23.05.1
Affected Architecture:
All

Description

haproxy-devel version: 2.8-dev6-4c7588d
pfSense+ Version: 23.05.1

With the update to pfSense 23.05.1, HAProxy now returns the following warnings when started:

[WARNING] (37290) : dlopen(): shared library '/lib/libcrypto.so.111' brings a different and inconsistent definition of symbol 'OPENSSL_init_ssl'. The process cannot be trusted anymore!
[WARNING] (37290) : dlopen(): shared library '/lib/libcrypto.so.111' brings a different and inconsistent definition of symbol 'SSL_CTX_get0_security_ex_data'. The process cannot be trusted anymore!

This suggests that there's changes to the libcrypto libraries that are incompatible. This is NOT a good thing, and while haproxy runs it might have problems with SSL as a result of untrusted library changes.

This could be a breaker on systems utilizing haproxy or haproxy-devel if the libcrypto libraries are inconsistent.

Actions #1

Updated by Thomas Ward about 1 year ago

NOTE: As part of testing, I reverted to 2.7.6-4dadaaa and into the pfSense Plus 23.05 (without .1) saved auto boot env to see if the libcrypto notices were still present, and they are not. This seems to be a major concern if haproxy and the libcrypto libraries disagree with each other, because this will BREAK a lot of things.

This inconsistency, while it works for HTTPS type connections, PREVENTS HAProxy from being able to simultaneously handle websockets passing over the same connections. The only issue I can see is this libcrypto inconsistency which explains why `wss` secure websockets can't talk if there's something about libcrypto that the system can't trust.

Leaving this at priority High because it's a regression issue.

Actions #2

Updated by Thomas Ward about 1 year ago

At the suggestion of one of the Netgate admins on the forums when I asked this to get poked, this issue does not happen in 23.09 RC version ("next stable"). I'm suggesting that 23.05.1 shouldn't be out since there's OpenSSL and libcrypto inconsistencies. Updating to the "next stable" RC version isn't doable in all environments and needs to be addressed.

Actions #3

Updated by Kris Phillips about 1 year ago

  • Priority changed from High to Normal
  • Plus Target Version set to 23.09
  • Affected Version changed from 2.8.x to 2.7.0
  • Affected Architecture All added
  • Affected Architecture deleted (amd64)

This issue only affects the devel version of HAProxy and not the stable version on 23.05.1. Tested this on pfSense Plus 23.09 running HAProxy 2.8.2 and I'm not able to recreate the issue (likely due to the significant work and changes migrating from the deprecated version of OpenSSL). Should be fixed when 23.09 releases soon.

Changing affected version of CE to 2.7, as this likely affects this version.

Actions #4

Updated by Jim Pingle about 1 year ago

  • Plus Target Version deleted (23.09)
Actions #5

Updated by Kris Phillips 10 months ago

  • Status changed from New to Resolved

Testing this on 23.09.1, I'm not able to reproduce this. Since 23.09.1 is release and 23.05.X is no longer supported, closing this as Resolved.

Actions

Also available in: Atom PDF