* * * * *

                   IF IT AIN'T BROKE DON'T FIX IT!!!!!!!!!

Sigh.

I can fix the client certificate issue [1] if I install the latest Apache
2.2, which has the SSLInsecureRenegotiation [2] option, but that requires
OpenSSL 0.9.8m [3] or higher (and all this crap because of a small bug [4] in
OpenSSL). So, before mucking with my primary server, I decide to test this
all out on my home computer (running the same distribution of Linux as my
server).

Well, I notice that OpenSSL just came out with version 1.0.0, so I decide to
snag that version. Download, config (what? No configure still?), make and
make install, watch it go into the wrong location (XXXXXX I wanted it in
/usr/local/lib/, not /usr/local/openssl/lib!), rerun config with other options
and get it where I want it.

Okay.

And hey, while I'm here, might as well download the latest OpenSSH [5] and
get that working. I nuke the existing OpenSSH installation (yum remove
openssh) since I won't need it, and start the configure, make and make
install, but the configure script bitches about the version of zlib [6]
installed (XXXX! I know RedHat [7] is conservative about using the latest and
greatest, but come on! It's been five years since version 1.2.3 came out!
Sheesh!) so before I can continue, I must do the download, configure, make
and make install dance for zlib. Once that is out of the way …

> checking OpenSSL header version... 1000000f (OpenSSL 1.0.0 29 Mar 2010)
> checking OpenSSL library version... 90701f (OpenSSL 0.9.7a Feb 19 2003)
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your
> library. Check config.log for details.
> If you are sure your installation is consistent, you can disable the check
> by running "./configure --without-openssl-header-check".
> Also see contrib/findssl.sh for help identifying header/library mismatches.
>

Oh XXXXXX XXXX …

**IT'S IN /usr/local/lib YOU USELESS SCRIPT!**

But alas, no amount of options or environment variables work. And no, while I
might be willing to debug mod_lua [8], I am not about to debug a 31,000 line
shell script. Might as well reinstall the OpenSSH package …

> [root]lucy:~>yum install openssh
> Setting up Install Process
> Setting up repositories
> Segmentation fault (core dumped)
>

Um … what?

> [root]lucy:~>yum install openssh
> Setting up Install Process
> Setting up repositories
> Segmentation fault (core dumped)
>

What the XXXX?

Oh please oh please oh please don't tell me that yum just assumes you have
OpenSSH installed …

Okay, where is this program dying?

> [root]lucy:/tmp>gdb /usr/bin/yum core.3783
> GNU gdb Red Hat Linux (6.3.0.0-1.132.EL4rh)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux-gnu"..."/usr/bin/yum": not in
> executable format: File format not recognized
>
> Core was generated by /usr/bin/python /usr/bin/yum search zlib'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x007ff3a3 in ?? ()
> (gdb)
>

Oh … it's Python [9].

Um … wait a second …

It's … Python! It's a script!

**WHAT THE XXXX?**

What did I do to cause the Python interpreter to crash?

Aaaaaaaaaaaaaaaaaaaaaaaaaah!

Okay, I managed to find some OpenSSH RPMs (Redhat Package Management
packages) to install. That didn't fix yum.

Okay, don't panic [10].

Obviously, it's something I've done that caused this.

The only thing I've done is install libraries in /usr/local/lib.

Okay, keep any programs from loading anything from /usr/local/lib. That's
easy enough—I just edited /etc/ld.so.conf to remove that directory, and ran
ldconfig. Try it again.

Okay, yum works!

And through a process of elimination, I found the culprit—zlib! Apparently,
the version of Python I have doesn't like zlib 1.2.4.

Sheesh!

Okay, yes, I bring this upon myself for not running the latest and greatest. I
don't update continuously because that way lies madness—things just breaking
(in fact, the last thing I did upgrade, which was OpenSSL on my webserver the
other day, broke functionality I was using, which prompted this whole mess in
the first place!). At least I was able to back out the changes I made, but I
have to keep this in mind:

IF IT AIN'T BROKE DON'T FIX IT!!!!!

[1] gopher://gopher.conman.org/0Phlog:2010/04/06.1
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
[3] http://www.openssl.org/
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
[5] http://www.openssh.org/
[6] http://www.zlib.net/
[7] http://www.redhat.com/
[8] gopher://gopher.conman.org/0Phlog:2010/04/03.1
[9] http://www.python.org/
[10] http://en.wikipedia.org/wiki/Don't_Panic_(Hitchhiker's_Guide_to_the_Galaxy)#Don.27t_Panic
