Skip to content

Commit 57f417c

Browse files
ogajduseehelms
authored andcommitted
Workaround broken openssl 3.5.7-1 on EL9
openssl-3.5.7-1.el9 has an ASN.1 regression (clean EOF at an object boundary raises ASN1_R_NOT_ENOUGH_DATA instead of succeeding), which breaks any TLS client relying on that behavior -- e.g. ansible's uri module and dnf/rpm HTTPS fetches. Exclude the broken build and pin to the last known-good NVR until the upstream fix (openssl/openssl#31818) merges and ships in a CentOS Stream 9 release. See: https://issues.redhat.com/browse/RHEL-192424
1 parent e3e21e8 commit 57f417c

1 file changed

Lines changed: 21 additions & 0 deletions

File tree

roles/vagrant_workarounds/tasks/main.yml

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,3 +13,24 @@
1313
shell: rm -f /boot/*-generic.img
1414
when:
1515
- ansible_facts['os_family'] == 'Debian'
16+
17+
# workaround for https://issues.redhat.com/browse/RHEL-192424
18+
- name: don't install broken openssl on EL9
19+
community.general.ini_file:
20+
path: /etc/dnf/dnf.conf
21+
section: main
22+
option: excludepkgs
23+
value: 'openssl-3.5.7-1.*,openssl-libs-3.5.7-1.*,openssl-fips-provider-3.5.7-1.*'
24+
when:
25+
- ansible_facts['os_family'] == 'RedHat'
26+
- ansible_facts['distribution_major_version'] == '9'
27+
28+
- name: force downgrade to openssl-3.5.5-3.el9
29+
ansible.builtin.package:
30+
name:
31+
- openssl-3.5.5-3.el9
32+
- openssl-libs-3.5.5-3.el9
33+
state: present
34+
when:
35+
- ansible_facts['os_family'] == 'RedHat'
36+
- ansible_facts['distribution_major_version'] == '9'

0 commit comments

Comments
 (0)