Corporate endpoint security?

TLATER · March 20, 2025, 12:48am

daver98:

auto-patchelf could not satisfy dependency libssl.so.1.0.0 wanted by /nix/store/q82gc67bzq9mry03ra0aihh94vymdfx6-bitdefender-endpoint-security-tools-7.1.1.200141/opt/bitdefender-security-tools/lib/patchmanagement/sles12/libIxpPatch.so.2.3.0

You could try openssl_1_1.

daver98 · March 20, 2025, 1:02am

Ok thanks I will try that.

morten-b · April 1, 2025, 7:45am

Did you get libssl.so.1.0.0 dependency to work?

I’m hitting the same wall with another package

TLATER · April 1, 2025, 8:00am

If it actually wants that version, and you can’t substitute with the newer libssl, you should check with your vendor, since that version is known to be vulnerable.

They may distribute a proprietary implementation, at which point you’d need to get your hands on that, or they’re just selling you an inherently insecure tool. Or both while also violating a FOSS license, of course.

morten-b · April 1, 2025, 8:14am

I don’t know for the original topic, but in my case we are talking about azure function core tools.

I’ve provided some more details in this post: Azure Functions Core Tools missing a binary

Could it be possible to provide a newer version, when libssl.so.1.0.0 is the one that its asking for?

daver98 · April 1, 2025, 2:50pm

So currently I’m using 1_1 and ignoring the dependency errors. So far this approach is working, but I haven’t got it working, since it seems like I’ll need to create a NixOS module as well to get this to work (it involves systemd services etc).

daver98 · April 1, 2025, 2:52pm

I added this below buildInputs in the package:

  autoPatchelfIgnoreMissingDeps = [
    "libssl.so.1.0.0"
    "libcrypto.so.1.0.0"
    "libssl.so.10"
    "libcrypto.so.10"
    "libcrypt.so.1"
    "libxml2.so.2"
    "libssl.so.1.1"
    "libcrypto.so.1.1"
  ];

TLATER · April 1, 2025, 2:52pm

It’s quite possible it will only “work” until you do some actual SSL, since those versions aren’t ABI compatible. It’d be wise to find some kind of smoketest before committing too much

daver98 · August 1, 2025, 11:55am

I have the option to submit a ticket to Bitdefender to get this issue resolved via our company’s IT department. I’d be interested if anyone has any input in what exactly I should be asking for. It seems like the current “openssl” in Nixpkgs is version 3.4.1. Should I ask them to upgrade to this, or is there an appropriate “LTS” version of openssl they could use. Or just bump the version to something higher than the current libssl.so.1.0.0?

senorsmile · August 5, 2025, 10:34pm

I’d also like to see bitdefender working for NixOS.

Nixpkgs’ openssl_1_1 (version 1.1.1w) support ended 11 Sep 2023, and there are many vulns after then: Vulnerabilities 1.1.1 | OpenSSL Library.
It looks like they have premium support for 1.1.* for a fee.

openssl_3 (version 3.0.16 in stable) is at least LTS, with support ending 07 Sep 2026.
Hopefully 3.5 is in nixpkgs stable long before then, and could be a simpler jump for bitdefender too?

So, I recommend openssl 3.0.* (latest release is actually 3.0.17, in unstable).

Let us know how you fare. I could put in a support ticket too.

daver98 · August 6, 2025, 12:44pm

Thanks for the info @senorsmile - that’s very helpful. I have submitted a ticket. If we hear back, I can post here, and you could put one in as well. Sound good?

daver98 · August 29, 2025, 12:09pm

Update - we have a case in for this - Bitdefender support replied that they have put in a feature request to add NixOS compatibility. See what comes of it…