* * * * *

IF IT AIN'T BROKE DON'T FIX IT!!!!!!!!!

Sigh.

I can fix the client certificate issue [1] if I install the latest Apache 2.2, which has the SSLInsecureRenegotiation [2] option, but that requires OpenSSL 0.9.8m [3] or higher (and all this crap because of a small bug [4] in OpenSSL).

So, before mucking with my primary server, I decide to test this all out on my home computer (running the same distribution of Linux as my server).

Well, I notice that OpenSSL just came out with version 1.0.0, so I decide to snag that version. Download, config (what? No configure still?), make and make install, watch it go into the wrong location (XXXXXX I wanted it in /usr/local/lib/ not /usr/local/openssl/lib!), rerun config with other options and get it where I want it.

Okay.

And hey, while I'm here, might as well download the latest OpenSSH [5] and get that working. I nuke the existing OpenSSH installation (yum remove openssh) since I won't need it, and start the configure, make and make install, but the configure script bitches about the version of zlib [6] installed (XXXX! I know RedHat [7] is conservative about using the latest and greatest, but come on! It's been five years since version 1.2.3 came out! Sheesh!) so before I can continue, I must do the download, configure, make and make install dance for zlib.

Once that is out of the way …

> checking OpenSSL header version... 1000000f (OpenSSL 1.0.0 29 Mar 2010)
> checking OpenSSL library version... 90701f (OpenSSL 0.9.7a Feb 19 2003)
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your
> library. Check config.log for details.
> If you are sure your installation is consistent, you can disable the check
> by running "./configure --without-openssl-header-check".
> Also see contrib/findssl.sh for help identifying header/library mismatches.
Oh XXXXXX XXXX … **IT'S IN /usr/local/lib YOU USELESS SCRIPT!**

But alas, no amount of options or environment variables work. And no, while I might be willing to debug mod_lua [8], I am not about to debug a 31,000 line shell script.

Might as well reinstall the OpenSSH package …

> [root]lucy:~>yum install openssh
> Setting up Install Process
> Setting up repositories
> Segmentation fault (core dumped)

Um … what?

> [root]lucy:~>yum install openssh
> Setting up Install Process
> Setting up repositories
> Segmentation fault (core dumped)

What the XXXX?

Oh please oh please oh please don't tell me that yum just assumes you have OpenSSH installed …

Okay, where is this program dying?

> [root]lucy:/tmp>gdb /usr/bin/yum core.3783
> GNU gdb Red Hat Linux (6.3.0.0-1.132.EL4rh)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux-gnu"..."/usr/bin/yum": not in
> executable format: File format not recognized
>
> Core was generated by `/usr/bin/python /usr/bin/yum search zlib'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x007ff3a3 in ?? ()
> (gdb)

Oh … it's Python [9].

Um … wait a second …

It's … Python! It's a script! **WHAT THE XXXX?** What did I do to cause the Python interpreter to crash?

Aaaaaaaaaaaaaaaaaaaaaaaaaah!

Okay, I managed to find some RPMs (Redhat Package Management) of OpenSSH to install. That didn't fix yum.

Okay, don't panic [10].

Obviously, it's something I've done that caused this. The only thing I've done is install libraries in /usr/local/lib. Okay, keep any programs from loading up anything from /usr/local/lib. That's easy enough—I just edited /etc/ld.so.conf to remove that directory, and ran ldconfig.
Try it again.

Okay, yum works! And through a process of elimination, I found the culprit—zlib! Apparently, the version of Python I have doesn't like zlib 1.2.4.

Sheesh!

Okay, yes, I bring this upon myself for not running the latest and greatest. I don't update continuously because that way lies madness—things just breaking (in fact, the last thing I did upgrade, which was OpenSSL on my webserver the other day, broke functionality I was using, which prompted this whole mess in the first place!).

At least I was able to back out the changes I made, but I have to keep this in mind:

IF IT AIN'T BROKE DON'T FIX IT!!!!!

[1] gopher://gopher.conman.org/0Phlog:2010/04/06.1
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
[3] http://www.openssl.org/
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
[5] http://www.openssh.org/
[6] http://www.zlib.net/
[7] http://www.redhat.com/
[8] gopher://gopher.conman.org/0Phlog:2010/04/03.1
[9] http://www.python.org/
[10] http://en.wikipedia.org/wiki/Don't_Panic_(Hitchhiker's_Guide_to_the_Galaxy)#Don.27t_Panic

Email author at sean@conman.org.
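The failure described above (a locally built zlib in /usr/local/lib taking precedence over the distribution's copy for every program, yum's Python included) can be spotted from the loader cache before anything crashes. The following is an added example, not code from the original post: it parses `ldconfig -p` output and reports sonames whose first-listed copy lives outside the system directories. The sample cache listing is constructed, and treating the first entry listed for a soname as the one the loader picks is an assumption.

```python
import re

# Constructed sample of `ldconfig -p` output (not taken from the post's machine).
SAMPLE_LDCONFIG_P = """\
4 libs found in cache `/etc/ld.so.cache'
\tlibz.so.1 (libc6) => /usr/local/lib/libz.so.1
\tlibz.so.1 (libc6) => /usr/lib/libz.so.1
\tlibssl.so.4 (libc6) => /lib/libssl.so.4
\tlibcrypto.so.4 (libc6) => /lib/libcrypto.so.4
"""

# One cache entry: "<soname> (<ABI flags>) => <path>"
ENTRY = re.compile(r"^\s*(\S+)\s+\(([^)]*)\)\s+=>\s+(\S+)\s*$")
SYSTEM_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_cache(text):
    """Group cache entries by (soname, ABI flags), keeping listing order."""
    groups = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            soname, flags, path = m.groups()
            groups.setdefault((soname, flags), []).append(path)
    return groups


def find_shadowed(text, system_dirs=SYSTEM_DIRS):
    """Return (soname, winner, shadowed_system_paths) for each soname whose
    first-listed copy is outside the system directories while a system copy
    with the same ABI flags is also cached.
    Assumption: the first entry listed for a soname is the one ld.so uses."""
    findings = []
    for (soname, _flags), paths in parse_cache(text).items():
        winner = paths[0]
        system = [p for p in paths[1:] if p.startswith(system_dirs)]
        if system and not winner.startswith(system_dirs):
            findings.append((soname, winner, system))
    return findings


if __name__ == "__main__":
    # Runs on the constructed sample; feed it real `ldconfig -p` output instead.
    for soname, winner, hidden in find_shadowed(SAMPLE_LDCONFIG_P):
        print(f"{soname}: {winner} shadows {', '.join(hidden)}")
```

Running it on the real cache after a `make install` into /usr/local/lib, and before touching the package manager, shows which system libraries have been overridden for every dynamically linked program on the box.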