Environment
- NetIQ Access Manager 4.2
- NetIQ Access Gateway Appliance 4.2.1
Situation
- "novell-nacm-apache-extra-4.0.8-1.0.1t" has been installed as documented in KB 7017580 in order to address CVE-2016-2107.
- during the lifetime of the system, OpenSSL had been installed with NAM 4.0 because TLS 1.2 was needed, as documented at: "https://www.netiq.com/documentation/netiqaccessmanager4/enable_tls_nam40/data/enable_tls_nam40.html".
Resolution
- change the shared library search order in the "/etc/ld.so.conf" file so that the "include /etc/ld.so.conf.d/*.conf" line comes before the system library directories (/lib64, /lib, /usr/lib64, /usr/lib), as in the edited file below:
-------------------------------------------------------------------------------------
/usr/X11R6/lib64/Xaw3d
/usr/X11R6/lib64
/usr/lib64/Xaw3d
/usr/X11R6/lib/Xaw3d
/usr/X11R6/lib
/usr/lib/Xaw3d
/usr/x86_64-suse-linux/lib
/usr/local/lib
/opt/kde3/lib
/usr/local/lib64
/opt/kde3/lib64
include /etc/ld.so.conf.d/*.conf
/lib64
/lib
/usr/lib64
/usr/lib
-------------------------------------------------------------------------------------
- run "ldconfig -v" once more and check that the order has changed so that "/opt/novell/ssllib" gets processed first.
- once you are sure the order is correct, restart Apache.
Cause
Due to the shared library search order, an unknown copy of the OpenSSL libraries (not owned by any package) was loaded by Apache instead of the version shipped with the Access Gateway:
-----------------------------------------------------------------------------------------------------------
httpd 5210 root mem REG 8,5 488095 1388801 /usr/lib64/libssl.so.1.0.0
-----------------------------------------------------------------------------------------------------------
The OpenSSL libraries shipped with the Access Gateway are located at: "/opt/novell/ssllib/"
Additional Information
Troubleshooting
- run: "ps aux | grep httpd"
--------------------------------------------------------------------------------------------
root 5210 0.0 0.5 257996 25516 ? Ssl Jul20 0:11 /opt/novell/apache2/sbin/httpd
wwrun 13106 0.0 0.5 326780 24876 ? Sl Jul20 0:20 /opt/novell/apache2/sbin/httpd
wwwrun 13127 0.0 0.7 2813936 37112 ? Sl Jul20 0:24 /opt/novell/apache2/sbin/httpd
wwwrun 13444 0.0 0.7 2748536 37156 ? Sl Jul20 0:23 /opt/novell/apache2/sbin/httpd
wwwrun 13748 0.0 0.7 2748676 36760 ? Sl Jul20 0:22 /opt/novell/apache2/sbin/httpd
wwwrun 14050 0.0 0.7 2747312 36128 ? Sl Jul20 0:23 /opt/novell/apache2/sbin/httpd
wwwrun 14353 0.0 0.7 2748720 37920 ? Sl Jul20 0:24 /opt/novell/apache2/sbin/httpd
wwwrun 14657 0.0 0.7 2746736 36036 ? Sl Jul20 0:24 /opt/novell/apache2/sbin/httpd
wwwrun 14963 0.0 0.7 2747264 36572 ? Sl Jul20 0:23 /opt/novell/apache2/sbin/httpd
wwwrun 15266 0.0 0.7 2746968 36156 ? Sl Jul20 0:23 /opt/novell/apache2/sbin/httpd
wwwrun 15570 0.0 0.7 2746340 35756 ? Sl Jul20 0:24 /opt/novell/apache2/sbin/httpd
wwwrun 15874 0.0 0.7 2748832 37184 ? Sl Jul20 0:24 /opt/novell/apache2/sbin/httpd
--------------------------------------------------------------------------------------------
- use the first httpd process id to run: "lsof -P -T -p [PID of httpd] | grep ssl"
Example: "lsof -P -T -p 5210 | grep ssl"
--------------------------------------------------------------------------------------------
httpd 5210 root mem REG 8,5 488095 1388801 /usr/lib64/libssl.so.1.0.0
httpd 5210 root mem REG 8,5 182184 2044376 /opt/novell/apache2/libexec/mod_ssl.so
--------------------------------------------------------------------------------------------
In this case the wrong library has been loaded. If the correct libraries had been loaded, the list would look like this:
--------------------------------------------------------------------------------------------
httpd 18983 root mem REG 8,5 2644624 911888 /opt/novell/ssllib/libcrypto.so.1.0.0
httpd 18983 root mem REG 8,5 456427 911889 /opt/novell/ssllib/libssl.so.1.0.0
httpd 18983 root mem REG 8,5 182152 912007 /opt/novell/apache2/libexec/mod_ssl.so
--------------------------------------------------------------------------------------------
- run: "rpm -qf /usr/lib64/libssl.so.1.0.0" and "ls -la /usr/lib64/libssl.so.1.0.0"
--------------------------------------------------------------------------------------------
file /usr/lib64/libssl.so.1.0.0 is not owned by any package
ls -la /usr/lib64/libssl.so.1.0.0
-r-xr-xr-x 1 root root 488095 Aug 19 2015 /usr/lib64/libssl.so.1.0.0
--------------------------------------------------------------------------------------------
- the Access Gateway Appliance does not ship a library at: "/usr/lib64/libssl.so.1.0.0"
- the "/etc/ld.so.conf" file lists, in order, the directories that are searched for shared libraries.
- the "include /etc/ld.so.conf.d/*.conf" command sits at the very end of this file, so the search path for the NAM OpenSSL version is matched last. If any directory listed earlier contains an OpenSSL library, that one matches first and the NAM OpenSSL libraries do not get loaded.
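As an added example (not part of the TID), the following POSIX shell snippet automates the two manual checks described above: whether the libssl/libcrypto mapped into an httpd process come from /opt/novell/ssllib, and whether the include line in /etc/ld.so.conf precedes the system library directories. The lsof lines and ld.so.conf contents embedded in it are constructed samples modelled on the listings above; the "live_check" helper and its use of pgrep are assumptions.

```shell
#!/bin/sh
# Added example, not from the TID: automates the two manual checks above. Assumes the NAM
# OpenSSL libraries live in /opt/novell/ssllib (from the TID); all sample data is constructed.

# Constructed lsof output modelled on the TID listings (wrong and correct case).
LSOF_BAD='httpd 5210 root mem REG 8,5 488095 1388801 /usr/lib64/libssl.so.1.0.0
httpd 5210 root mem REG 8,5 182184 2044376 /opt/novell/apache2/libexec/mod_ssl.so'
LSOF_GOOD='httpd 18983 root mem REG 8,5 2644624 911888 /opt/novell/ssllib/libcrypto.so.1.0.0
httpd 18983 root mem REG 8,5 456427 911889 /opt/novell/ssllib/libssl.so.1.0.0
httpd 18983 root mem REG 8,5 182152 912007 /opt/novell/apache2/libexec/mod_ssl.so'

# Constructed /etc/ld.so.conf contents: include line last (as shipped) and moved up (fixed).
CONF_BAD='/usr/local/lib64
/lib64
/usr/lib64
include /etc/ld.so.conf.d/*.conf'
CONF_GOOD='/usr/local/lib64
include /etc/ld.so.conf.d/*.conf
/lib64
/usr/lib64'

# check_ssl_libs: reads lsof-style lines on stdin, reports each libssl/libcrypto
# mapping and returns 0 only if every one of them comes from /opt/novell/ssllib.
check_ssl_libs() {
  bad=0
  while read -r _cmd _pid _user _fd _type _dev _size _node path; do
    case "$path" in
      */libssl.so*|*/libcrypto.so*)
        case "$path" in
          /opt/novell/ssllib/*) echo "OK    $path" ;;
          *)                    echo "WRONG $path"; bad=1 ;;
        esac ;;
    esac
  done
  return "$bad"
}

# ldconf_order_ok: reads ld.so.conf on stdin; returns 0 when the include line precedes the
# first system library directory (/lib, /lib64, /usr/lib, /usr/lib64), i.e. the fixed order.
ldconf_order_ok() {
  awk '
    /^include /              { if (!inc) inc = NR }
    /^\/(usr\/)?lib(64)?$/   { if (!sys) sys = NR }
    END { exit !(inc && (!sys || inc < sys)) }
  '
}
# live_check: on the Access Gateway itself (as root), run the TID's lsof command against the
# oldest httpd process and feed it to the check. Assumes pgrep is available.
live_check() { lsof -P -T -p "$(pgrep -o httpd)" | check_ssl_libs; }
```

On a real appliance, run "live_check" before and after the ld.so.conf change and "ldconfig -v"; a non-zero return (any WRONG line) means Apache still needs the search order fixed and a restart.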