
Missing `perl` dependency for `openssl-11`
Open, High, Public

Description

The openssl-11 package includes a Perl script for updating the SSL certificates (/usr/bin/c_rehash). This script is required for updating the SSL certificates. This means that SSL can be broken if perl is not installed.

The issue can be reproduced on a clean install of 4.1 with (at least) perl removed. The output below is from a system containing only system.base:

```
# eopkg up -y
Updating repositories
<snip>
 [✗] Updating SSL certificates                                           failed

A copy of the command output follows:

/usr/bin/env: ‘perl’: No such file or directory
<snip>

# eopkg it -y ripgrep # or any other package
Following packages will be installed:
pcre2  ripgrep
Total size of package(s): 1.59 MB
Downloading 1 / 2
Package pcre2 found in repository Solus
Program terminated.
Could not fetch destination file "https://mirrors.rit.edu/solus/packages/shannon/p/pcre2/pcre2-10.34-8-1-x86_64.eopkg": [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Please use 'eopkg help' for general help.
```

Fixing this requires downloading gdbm and perl over HTTP:

```
# curl -s -o perl.eopkg "http://mirrors.rit.edu/solus/packages/unstable/p/perl/perl-22-24-1-x86_64.delta.eopkg"
# curl -s -o gdbm.eopkg "http://mirrors.rit.edu/solus/packages/shannon/g/gdbm/gdbm-1.18.1-7-1-x86_64.eopkg"
# eopkg it gdbm.eopkg perl.eopkg
<snip>
[✓] Updating SSL certificates                                          success
<snip>
```

Event Timeline

silke created this task. Jul 26 2020, 11:36 AM
hashhsah added a subscriber: hashhsah. Edited, Jul 26 2020, 11:45 AM

Alternatively, we could avoid the dependency on perl by replacing the call to c_rehash in ssl.toml (usysconf) with a small bash script.

An example of such a replacement can be found at https://stackoverflow.com/a/27774415

silke added a comment. Edited, Jul 26 2020, 12:11 PM

The following script (based on the link by @hashhsah) works as a replacement for c_rehash:

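```bash
#!/usr/bin/env bash
set -euo pipefail
# Without nullglob, a directory with no .pem files leaves the literal
# "*.pem" in the loop and a bogus ".0" link gets created.
shopt -s nullglob

# Default to the system trust store; any arguments replace it.
dirs=("/etc/ssl/certs")
if [ $# -ne 0 ]
then
    dirs=("$@")
fi

for dir in "${dirs[@]}"
do
    for file in "${dir}"/*.pem
    do
        # Link <subject-hash>.0 to the certificate so OpenSSL can look it up by hash.
        ln -sf "${file}" "${dir}/$(openssl x509 -hash -noout -in "${file}")".0
    done
done
```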

Oh, and in case anyone was wondering what happens if you remove perl. It actually looks pretty safe from a clean install:

```
$ sudo eopkg rm perl
The following list of packages will be removed
in the respective order to satisfy dependencies:
hexchat sane-backends hplip-drivers net-snmp perl
Do you want to continue? (yes/no)
```
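
A collision-aware variant of the replacement script in the comment above, as an added example that is not part of the original thread or of usysconf. With `ln -sf` and a fixed `.0` suffix, two certificates that share a subject hash overwrite each other's link, and links for removed certificates are never cleaned up; this version handles both. The function names `rehash_dir` and `cert_hash` are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or usysconf); rehash_dir and cert_hash
# are hypothetical names. Uses only POSIX shell features plus `local`.
set -eu

# Subject-name hash that OpenSSL uses as the link name in a hashed directory.
cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

rehash_dir() {
    local dir="$1" file link hval n

    # Remove old hash links (8 hex digits, a dot, a number) so links to
    # certificates that were deleted or replaced do not linger.
    for link in "$dir"/*.[0-9]*; do
        if [ -L "$link" ] &&
           printf '%s\n' "${link##*/}" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            rm -f -- "$link"
        fi
    done

    for file in "$dir"/*.pem; do
        [ -f "$file" ] || continue          # unmatched glob or dangling link
        if ! hval=$(cert_hash "$file"); then
            echo "skipping unparsable file: $file" >&2
            continue
        fi
        # Certificates with the same subject share a hash: take the first
        # free suffix (.0, .1, ...) instead of overwriting with `ln -sf`.
        n=0
        while [ -e "$dir/$hval.$n" ] || [ -L "$dir/$hval.$n" ]; do
            n=$((n + 1))
        done
        ln -s -- "${file##*/}" "$dir/$hval.$n"   # relative target
    done
}

# Rehash only the directories named on the command line.
for d in "$@"; do
    rehash_dir "$d"
done
```
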
ermo assigned this task to JoshStrobl. Jul 26 2020, 1:40 PM
ermo triaged this task as High priority.
ermo edited projects, added Plumbing; removed Lacks Project.
ermo added subscribers: JoshStrobl, ermo.

After discussing this with @silke in #Solus-dev, I'm assigning this to Josh with tentative Priority and Project Tags as he's the one who handles OpenSSL.

@JoshStrobl: Feel free to murder me if this was the wrong thing to do. I set the priority to High because removing perl (for whatever reason) seems fairly dangerous as things are now.