On 05/29/2015 09:20 AM, Rainer Jung wrote:

Here you can see the SONAME is libssl.so.1.0.0. This name is added as a
dependency into the linked binary. At runtime the runtime linker will
look for this file, not for libssl.so.

During installation of libssl.so (resp. libcrypto.so) typically the
files get linked using a symlink, so it would make no difference. If you
start to overwrite parts of the system installation, the two names might
point to different content.

About compatibility: OpenSSL 1.0.0 up to OpenSSL 1.0.2 have compatible
APIs, that's why the SONAME ends with .1.0.0 in all three cases. It is
definitely possible to upgrade, i.e. use a newer version in the 1.0.0 to
1.0.2 range during runtime than was used during compile/link time. The
other way round only holds for patch versions with the same first three
digits.

The SSL_CONF_CTX_* symbols you were originally referring to are only
part of 1.0.2. So it seems you compiled against header files from 1.0.2
and likely also linked against a 1.0.2 libssl.so, but at runtime the
libssl.so.1.0.0 that the runtime linker finds is version 1.0.0 or 1.0.1.
The runtime linker has a search path that is defined on the system and
can be influenced using LD_LIBRARY_PATH. The compile time linker is also
influenced by compile "-L" flags.

Yeah, I honestly wasn't really thinking that closely about it. I do know this.

The openssl default install results in the following:
libssl.so.1.0.0
symlinked to
libssl.so

however, Fedora's system provided libraries look like this:
lrwxrwxrwx. 1 root root     16 Mar 19 12:37 libssl.so.10 -> libssl.so.1.0.1k
-rwxr-xr-x. 1 root root 439572 Mar 19 12:37 libssl.so.1.0.1k

So depending on how the linker finds the library, this could be kind of a mess.

And I no longer have a Debian system so wasn't sure how Debian's system installs are.

Also, in the past I've noticed Linux distros "re-base" include headers to be in /usr/include directly vs under include/openssl where the openssl distro normally installs them.

So I generally figure that the notion of replacing a distro provided openssl is just a bad bad idea unless you really really know what you're doing.

Andy
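
The mismatch discussed in this thread, as an added example that is not part of either message: a simplified shell model of the two lookups, where the link step finds `libssl.so` through the "-L" directories and the runtime linker finds the SONAME `libssl.so.1.0.0` through its own search path. The directory layout, the version labels written into the dummy files and the function names are constructed for illustration; a real runtime linker also consults RPATH/RUNPATH and the ld.so cache, which this model ignores.

```shell
#!/bin/sh
# Dummy text files stand in for real libraries; each file's content is a
# constructed version label so we can see which copy a lookup lands on.

# Constructed tree: system dir holds 1.0.1, a private prefix holds 1.0.2.
# Both ship the same SONAME file name, libssl.so.1.0.0.
make_tree() {
    root=$1
    mkdir -p "$root/usr/lib" "$root/opt/openssl/lib"
    echo "1.0.1" > "$root/usr/lib/libssl.so.1.0.0"
    ln -s libssl.so.1.0.0 "$root/usr/lib/libssl.so"
    echo "1.0.2" > "$root/opt/openssl/lib/libssl.so.1.0.0"
    ln -s libssl.so.1.0.0 "$root/opt/openssl/lib/libssl.so"
}

# first_match NAME DIRLIST: print the content of the first DIR/NAME found in
# a colon-separated directory list, walking it in order as both linkers do.
first_match() {
    name=$1
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -e "$dir/$name" ]; then
            IFS=$old_ifs
            cat "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Link time: -lssl resolves libssl.so in the -L dirs, then the system dirs.
link_time_version() { first_match libssl.so "$1"; }

# Run time: the recorded SONAME is looked up in LD_LIBRARY_PATH (if any),
# then the system dirs. The -L dirs play no part here.
run_time_version() { first_match libssl.so.1.0.0 "$1"; }

demo() {
    t=$(mktemp -d) && make_tree "$t"
    echo "linked against:        $(link_time_version "$t/opt/openssl/lib:$t/usr/lib")"
    echo "loaded, default path:  $(run_time_version "$t/usr/lib")"
    echo "loaded, path prefixed: $(run_time_version "$t/opt/openssl/lib:$t/usr/lib")"
    rm -rf "$t"
}
demo
```

On a real system, `readelf -d` on the binary shows the NEEDED entry and `ldd` shows which file the runtime linker actually resolves it to.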
