
After installing MongoDB on CentOS 7 I ran into an issue with OpenSSL versions. The version installed on the system is 1.0.2k-fips, whereas 1.0.1e-fips is printed during mongod startup. How exactly is this possible, and is there any way to tell the mongo server to use the 1.0.2 version?

https://i.stack.imgur.com/KMbwt.png

2 Answers


  1. This seems to be a RHEL peculiarity.

    MongoDB is linked dynamically against OpenSSL, and should use the system OpenSSL library. You can verify this by running

    ldd `which openssl`
    ldd `which mongod`
    

    The two commands should show references to the system-wide libssl and libcrypto.

    What I think happened is RedHat updated OpenSSL from 1.0.1e to 1.0.2k, but retained the “1.0.1e” label for compatibility purposes in parts of the code.

  2. So indeed, MongoDB is using the system OpenSSL library, which can be verified with ldd.

    The version misinformation arises because, since a while ago (RHEL 6.x releases), RedHat changed the SSLeay() function to report the build-time version as opposed to the run-time one:

    Because certain applications perform incorrect version check of the OpenSSL version, the actual runtime version of OpenSSL is masked and the build-time version is reported instead. Consequently, it is impossible to detect the currently running OpenSSL version using the SSLeay() function.

    MongoDB uses this exact function to report OpenSSL version, here.

    So when you use MongoDB packages and see 1.0.1e-fips while the system OpenSSL version is 1.0.2k-fips, this only means that the system the package was built on had the older OpenSSL version, but the actual runtime version is your system one, 1.0.2k-fips.

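The `ldd` check both answers describe can be scripted so that it compares the resolved libssl and libcrypto files directly instead of trusting the version string mongod prints. This is an added example, not part of the original answers; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the OpenSSL libraries two binaries resolve to.

# Read `ldd` output on stdin; print the resolved libssl/libcrypto paths.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             print ($3 == "not" ? $1 " NOT FOUND" : $3)
         }' | sort -u
}

# Succeed only if both ldd outputs resolve to the same library files.
same_ssl_libs() {
    [ "$(printf '%s\n' "$1" | ssl_libs_from_ldd)" = \
      "$(printf '%s\n' "$2" | ssl_libs_from_ldd)" ]
}

# Constructed sample ldd output (not captured from a real host).
sample_mongod_ldd() {
    printf '\t%s\n' \
        'linux-vdso.so.1 =>  (0x00007ffd4a5f2000)' \
        'libssl.so.10 => /lib64/libssl.so.10 (0x00007f3c5a1e0000)' \
        'libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3c59d7f000)' \
        'libc.so.6 => /lib64/libc.so.6 (0x00007f3c5899a000)'
}
sample_openssl_ldd() {
    printf '\t%s\n' \
        'libssl.so.10 => /lib64/libssl.so.10 (0x00007f9d1c2b1000)' \
        'libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9d1be50000)'
}

# On a host with both binaries, check the live system; else use the samples.
if command -v mongod >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    a=$(ldd "$(command -v mongod)"); b=$(ldd "$(command -v openssl)")
else
    a=$(sample_mongod_ldd); b=$(sample_openssl_ldd)
fi
if same_ssl_libs "$a" "$b"; then
    echo "mongod and openssl load the same OpenSSL libraries:"
else
    echo "mongod and openssl load DIFFERENT OpenSSL libraries; mongod uses:"
fi
printf '%s\n' "$a" | ssl_libs_from_ldd | while read -r lib; do
    echo "  $lib"
    # The owning package's version is the real runtime version.
    if command -v rpm >/dev/null 2>&1 && [ -e "$lib" ]; then rpm -qf "$lib" || true; fi
done
```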