The objective here is to take the version of libcrypto from a prior release of the OS and, for the purposes of CWA Linux (CWAL), use it in place of the default library provided. This can be accomplished either directly on the endpoint or on some other machine, with the result then transferred over to the endpoint.
Optionally, to have a completely installable package, the CWAL’s tarball package can be customized. How to accomplish this is included within the CWAL’s online documentation. It can be found under the section “Customize installation”.
1. Before following any of these steps you may want to make backup copies of some or all of the CWAL installation.
2. From a browser, navigate to the following URL:
- For CentOS:- https://vault.centos.org/7.7.1908/os/x86_64/Packages/openssl-libs-1.0.2k-19.el7.x86_64.rpm
- For Fedora:- https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/28/Everything/x86_64/os/Packages/o/openssl-libs-1.1.0h-3.fc28.x86_64.rpm
3. The rpm package should begin to download.
4. Once the file has downloaded, you can extract the libcrypto shared object (.so) from the package.
5. Make sure the RPM package file is in a separate folder to prevent any mistaken overwriting of system files.
6. From a terminal window navigate to the folder containing the RPM file.
7. Now execute the following command to extract only the necessary file:
- For CentOS: rpm2cpio openssl-libs-1.0.2k-19.el7.x86_64.rpm | cpio -icvdum ./usr/lib64/libcrypto.so.1.0.2k
- For Fedora: rpm2cpio openssl-libs-1.1.0h-3.fc28.x86_64.rpm | cpio -icvdum ./usr/lib64/libcrypto.so.1.1.0h
8. This should extract the libcrypto file into the usr/lib64/ folder under the current working directory.
9. With the extraction complete, copy the extracted file into the root folder of the CWAL; typically this will be /opt/Citrix/ICAClient. This will be the target libcrypto version for the following steps.
- Option: Alternatively, the file can be copied into the OS’s default library folder /usr/lib64.
- Note: This will change some of the following information as the path to the library will be different.
10. At this point there are a couple of options to preload the library, but ultimately “export LD_PRELOAD=/opt/Citrix/ICAClient/<name of target libcrypto library>” must be executed prior to the engine (wfica).
11. The file wfica.sh, which should be in the CWAL root folder, can be used as a script wrapper to preload the library before wfica is executed. The file will need to be modified to export the LD_PRELOAD statement and properly pass arguments to whatever the wfica binary is renamed to in the following step.
12. The current wfica binary will need to be renamed to something else, for example “wfica.exe”, which will be used for the purpose of this document.
- cd to the /opt/Citrix/ICAClient folder
- cp wfica wfica.exe
13. An example of a modified script wrapper, wfica.sh, could look as follows:
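    #!/bin/sh
    # Wrapper installed in place of wfica: preloads the older libcrypto, then runs the renamed engine.
    ICAROOT=/opt/Citrix/ICAClient
    export ICAROOT
    LD_LIBRARY_PATH=/opt/Citrix/ICAClient/lib
    export LD_LIBRARY_PATH
    # Replace the placeholder with the file name of the library copied in step 9.
    LD_PRELOAD="/opt/Citrix/ICAClient/<name of target libcrypto library>"
    export LD_PRELOAD
    # "$@" passes every argument through unchanged, including ones that contain spaces.
    exec "$ICAROOT/wfica.exe" "$@"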
14. The modified wfica.sh will need to be copied over the original wfica binary.
- cd to the /opt/Citrix/ICAClient folder
- cp wfica.sh wfica
15. Another option is to place the “export LD_PRELOAD=/opt/Citrix/ICAClient/<name of target libcrypto library>” statement into the user’s .bashrc file.
- The .bashrc file is located in each user’s home folder.
- This will, however, mean that each user who needs to use the CWAL must have their .bashrc file modified.
- Optionally, this can be made global by various methods. As there are a few ways to accomplish this it will not be covered here.
Whichever way is chosen, the method must export the LD_PRELOAD statement prior to the execution of wfica to ensure that it is using the compatible shared object.
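
Because LD_PRELOAD makes wfica load whatever file sits at the exported path, the target is worth checking before the export goes into wfica.sh or .bashrc. The following is an added example, not part of the original article and not Citrix code; the function name check_preload_lib and the set of checks (regular file, ELF magic, expected owner, no group or world write on the file and its folder) are assumptions.

```shell
#!/bin/sh
# Added example (not Citrix code): validate a library before naming it in LD_PRELOAD.
# Usage: check_preload_lib <path> [expected owner uid, default 0 = root]
check_preload_lib() {
    lib=$1
    owner=${2:-0}
    dir=$(dirname "$lib")

    # Must be a real file: a symlink could later be re-pointed at another object.
    if [ -L "$lib" ] || [ ! -f "$lib" ]; then
        echo "FAIL: $lib is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # The first four bytes of an ELF object are 0x7f 'E' 'L' 'F'.
    magic=$(head -c 4 "$lib" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "FAIL: $lib is not an ELF object" >&2
        return 1
    fi
    # The file and its folder must belong to the expected owner ...
    for p in "$lib" "$dir"; do
        if [ -z "$(find "$p" -prune -user "$owner")" ]; then
            echo "FAIL: $p is not owned by uid $owner" >&2
            return 1
        fi
        # ... and must not be writable by group or others, otherwise another
        # local account could replace the code that wfica loads at start-up.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "FAIL: $p is group- or world-writable" >&2
            return 1
        fi
    done
    echo "OK: $lib"
    return 0
}

# When run as a script with a path argument, perform the check on it.
if [ "$#" -gt 0 ]; then
    check_preload_lib "$1" "${2:-0}"
fi
```

The wrapper from step 13 could call check_preload_lib on the target path and skip the export when it returns non-zero.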