OpenSSL 3.0 and high availability


That OpenSSL 3 is not supported is a known fact. But by recompiling the, uncommenting the crypto-related configuration in confd.conf and annotating any hashing and encryption defined in the data model with tailf:transform (and implementing encryption/hashing in an external daemon), I was able to get ConfD fully operational with OpenSSL 3.0.

The only problem that still persists is the HA operation. Whenever the slave connects to the master, the master crashes and the connection cannot be established.

Is there any option to make HA connectivity work without relying on some unsupported crypto internals?

(For our implementation, encryption is not mandatory, as the HA connectivity is implemented over an internal connection.)

The HA connection is unencrypted. See the ConfD 8.0.12 UG High Availability chapter under “Security aspects”.
So perhaps the issue is related to encrypted data stored in CDB? See the “Security aspects” section for details.

Thanks for the answer, but I’m not sure this is the issue. I don’t have anything encrypted in the CDB.
I do not even need to do the real slave connection. Simply using socat to initiate a TCP connect immediately crashes ConfD. When the same is done with OpenSSL 1.1.1, this is not the case and the HA data is received.
(The command line I use is “socat TCP-CONNECT: - | hexdump -C”.)

I suspect that there is still some crypto used due to the “CHAP-2-like protocol”. I’m using version 7.7.10.

Any additional idea?
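The probe described above (a bare TCP connect to the HA port, piped through hexdump) can be made repeatable so that the outcome is recorded rather than eyeballed. The script below is an added example and is not part of the original post, nor ConfD code: it connects, captures whatever the peer sends first, hexdumps it in `hexdump -C` layout, and then connects a second time to tell whether the listener survived the first connect (a refused second connection is what a daemon that died on connect looks like). The host, port and the bytes the stand-in server sends (`DEMO_GREETING`) are constructed for the demo and say nothing about ConfD's real HA protocol.

```python
"""Probe a TCP listener like 'socat TCP-CONNECT:host:port - | hexdump -C',
but record the outcome. Added example; the demo server is a constructed
stand-in and does not model ConfD's HA protocol."""
import socket
import threading

# Constructed bytes for the stand-in server; NOT what ConfD sends.
DEMO_GREETING = b"\x00\x01HELLO\n"


def hexdump(data, width=16):
    """Return 'hexdump -C'-style lines (offset, hex bytes, ASCII column)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return lines


def probe(host, port, timeout=2.0, maxbytes=4096):
    """Connect once and read what the peer sends first.

    Returns (status, data) with status one of:
      'data'    peer sent bytes (e.g. an HA greeting reached us)
      'closed'  peer accepted, then closed/reset without sending anything
      'refused' nothing is listening on the port
      'timeout' peer accepted but stayed silent
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(maxbytes)
            except socket.timeout:
                return "timeout", b""
    except ConnectionRefusedError:
        return "refused", b""
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        return "closed", b""
    return ("data", data) if data else ("closed", b"")


def check_listener(host, port):
    """First connect = the bare socat connect from the post; second connect
    tells whether the listener is still there afterwards."""
    first = probe(host, port)
    second = probe(host, port)
    return {
        "first": first[0],
        "dump": hexdump(first[1]),
        "listener_survived": second[0] != "refused",
    }


def demo_server(behaviour):
    """Constructed stand-in listener on 127.0.0.1 (ephemeral port).
    'greet': sends DEMO_GREETING on every connection and keeps listening.
    'crash': accepts one connection, drops the listener, closes the
             connection without data; mimics a daemon dying on connect."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        while True:
            conn, _ = srv.accept()
            if behaviour == "crash":
                srv.close()          # listener gone before client sees EOF
            with conn:
                if behaviour == "greet":
                    conn.sendall(DEMO_GREETING)
            if behaviour == "crash":
                return

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("greet", "crash"):
        result = check_listener("127.0.0.1", demo_server(mode))
        print(mode, result["first"], "survived:", result["listener_survived"])
        print("\n".join(result["dump"]))
```

Run it against the real HA port instead of the stand-in by calling `check_listener(master_host, ha_port)`; a result of `first == 'closed'` with `listener_survived == False` matches the symptom described in the post, while `first == 'data'` gives you the raw handshake bytes to compare between the OpenSSL 1.1.1 and 3.0 builds.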


According to the UG, the “secret token” exchange is supposed to be unencrypted. ConfD support will have more details.