symbol lookup error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
I have a VPS which runs cPanel and is 'fully managed' by my hosting provider. Recently we migrated to a new server as the old one had reached end of life.
On the old server (CentOS) the version of OpenSSL as shown using phpinfo() was '1.1.1w 11 Sep 2023' but on the new server (AlmaLinux) it was showing as '1.1.1k FIPS 25 Mar 2021'. I questioned why it was an old version and they installed the new version (1.1.1w). However, this seems to have created a problem with OpenSSL. The following error is received when I access the terminal in WHM and also the hosting provider tells me that they are now not able to update the kernel or perform any other server updates:
/usr/local/cpanel/3rdparty/bin/perl: symbol lookup error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
They want to 'solve' the issue by migrating to another new server but this is a total nightmare as it always results in downtime (the site provides real time monitoring for customers) and involves about a week of unpaid work and troubleshooting for me.
They have tried uninstalling and reinstalling the 1.1.1w version of OpenSSL with no luck and tell me that AlmaLinux uses 1.1.1k by default. Note that in phpinfo() the version is still showing as 1.1.1k but in WHM terminal the version is showing as 1.1.1w.
I have had a thorough search online and I see that I am not alone in this:
https://bugzilla.redhat.com/show_bug.cgi?id=1829790
https://github.com/o3de/o3de/issues/2384
So what steps can I take to fix this without having to migrate to a new server?
Thanks for your help!
Hey there! I'm not sure there is going to be much help I can provide here. Whenever things happen with the OpenSSL or OpenSSH packages, the best fix is ultimately to move to a new machine.
Do you know specifically *how* they installed that new OpenSSH package?
Thanks for getting back to me and for the clarification. According to the hosting provider they 'downloaded the needed tar file, extracted the file and completed the custom installation'. Here is the command they used:
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
tar -xzf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
./config --prefix=/usr/local/openssl
make
sudo make install
openssl version
echo "export PATH=/usr/local/openssl/bin:$PATH" | sudo tee -a /etc/profile
echo "export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH" | sudo tee -a /etc/profile
source /etc/profile
And some further information that could be useful. I ran a test of OpenSSL using PHP and it worked fine - no errors. This explains why my web application is still working fine.
PHP appears to still be running the original OpenSSL 1.1.1k version even though the system-wide version is 1.1.1w and is throwing the errors above.
So is it possible to revert to the original version 1.1.1k for the system without installing it again?
I don't want to risk breaking the OpenSSL that runs in PHP as this would stop the web application working and cause an even bigger headache than we have already.
For completeness here is the code I used to test OpenSSL in PHP:
<?php
// Check if OpenSSL is loaded
if (!extension_loaded('openssl')) {
    die('OpenSSL extension is not loaded.');
}

// Get OpenSSL version
$openssl_version = OPENSSL_VERSION_TEXT;

// Define the data to be encrypted
$original_data = "This is a test message to encrypt and decrypt.";

// Generate a new encryption key
$encryption_key = openssl_random_pseudo_bytes(32); // 256-bit key

// Generate an initialization vector (IV)
$iv_length = openssl_cipher_iv_length('aes-256-cbc');
$iv = openssl_random_pseudo_bytes($iv_length);

// Encrypt the data (openssl_encrypt() returns false on failure)
$encrypted_data = openssl_encrypt($original_data, 'aes-256-cbc', $encryption_key, 0, $iv);
if ($encrypted_data === false) {
    die('Failed to encrypt data.');
}

// Decrypt the data (openssl_decrypt() returns false on failure)
$decrypted_data = openssl_decrypt($encrypted_data, 'aes-256-cbc', $encryption_key, 0, $iv);
if ($decrypted_data === false) {
    die('Failed to decrypt data.');
}

// Display the results
echo "OpenSSL Version:" . $openssl_version . "<br>";
echo "Original Data:" . $original_data . "<br>";
echo "Encrypted Data:" . $encrypted_data . "<br>";
echo "Decrypted Data:" . $decrypted_data . "<br>";

// Verify that the decrypted data matches the original data
if ($original_data === $decrypted_data) {
    echo "Success: The decrypted data matches the original data.";
} else {
    echo "Error: The decrypted data does not match the original data.";
}
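The install commands quoted earlier in the thread append an LD_LIBRARY_PATH export to /etc/profile, which login shells read and services such as PHP under the web server normally do not; that would account for the two version strings reported above. The shell script below is an added example, not part of any post in the thread: it reports when ldd resolves libcrypto or libssl outside the distro library directories and lists LD_LIBRARY_PATH exports in a profile file. The function names and the sample ldd output are constructed for illustration, and it assumes distro libraries live under /lib, /lib64, /usr/lib or /usr/lib64.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread).
# Usage: sh <this-script> /lib64/libk5crypto.so.3

# Read `ldd` output on stdin; print "name path" for each libcrypto/libssl
# resolved outside the distro library directories (assumed locations).
foreign_openssl_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(crypto|ssl)\.so/ && $3 ~ /^\// &&
         $3 !~ /^\/(usr\/)?lib(64)?\// { print $1, $3 }'
}

# Print numbered lines of a profile file that set LD_LIBRARY_PATH.
ld_path_exports() {
    grep -nE '^[[:space:]]*(export[[:space:]]+)?LD_LIBRARY_PATH=' "$1"
}

# Constructed sample of ldd output (not captured from the server).
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd00000000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f1a2c000000)
    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x00007f1a2b000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a2a000000)
EOF
}

# Live check, only when a binary or library path is given as an argument.
if [ -n "${1:-}" ]; then
    echo "== resolved with the current environment =="
    ldd "$1" | foreign_openssl_libs
    echo "== resolved with LD_LIBRARY_PATH unset =="
    ( unset LD_LIBRARY_PATH; ldd "$1" ) | foreign_openssl_libs
    echo "== LD_LIBRARY_PATH exports in /etc/profile =="
    ld_path_exports /etc/profile || true
fi
```

If the first section prints a path under /usr/local/openssl and the second prints nothing, the symbol lookup error follows from the environment variable rather than from the distro packages themselves.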
Since the host broke things, you'll have to work with them to get things fixed. Ultimately, I would bet you end up having to move to a different server.