On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller <abaci....@gmail.com> wrote:
>> I compiled OpenSSL with no-zlib
>>
>> ldd client
>>         linux-vdso.so.1 =>  (0x00007fff059ff000)
>>         libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fefccdc9000)
>>         libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007fefcca17000)
>>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fefcc7fa000)
>>         libc.so.6 => /lib64/libc.so.6 (0x00007fefcc48d000)
>>         libdl.so.2 => /lib64/libdl.so.2 (0x00007fefcc289000)
>>         libz.so.1 => /lib64/libz.so.1 (0x00007fefcc071000)
>>         /lib64/ld-linux-x86-64.so.2 (0x00007fefcd025000)
>>
>> It is still using the default libraries; when the client runs in this
>> environment, it suggests 2 compression methods in the handshake (NULL, and
>> xxxx).
>>
>> then I change the LD_LIBRARY_PATH env and run again:
>>
>>> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>>> ldd client
>>         linux-vdso.so.1 =>  (0x00007fff42cfa000)
>>         libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
>> (0x00007f76caf15000)
>>         libcrypto.so.1.0.0 =>
>> /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x00007f76cab34000)
>>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f76ca917000)
>>         libc.so.6 => /lib64/libc.so.6 (0x00007f76ca5aa000)
>>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f76ca3a6000)
>>         /lib64/ld-linux-x86-64.so.2 (0x00007f76cb17f000)
>>
>> and in this environment (note that libz is missing), the client only
>> suggests 1 compression method (NULL) in the handshake.
>>
>> So, compiling with no-zlib is not sufficient for turning off compression.
>> It is also required to take specific actions to use the openssl libraries
>> compiled with the no-zlib option at runtime.
>>
>> I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
>> regardless of the linkage of zlib, but I haven't tested that proposal yet.
> This is bad news.... I believe the redefinition is because I built the
> FIPS Object Module first according to the Security Policy (give or
> take). That meant no knob turning whatsoever, and I had to invoke
> 'configure' with no arguments.
>
> Then, when it came time for FIPS Capable OpenSSL:
>
> ./config --openssldir=/usr/local/ssl/iphoneos/
> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
Doh, SSL_OP_NO_COMPRESSION is a bit-masked option, not a preprocessor
define.....
....
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
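The point the last message lands on, that SSL_OP_NO_COMPRESSION is a runtime option bit passed to SSL_CTX_set_options() rather than a -D flag for the build, is shown below as an added example; it is not code from this thread or from the OpenSSL project. It uses Python's standard ssl module because its SSLContext.options attribute is a thin wrapper over SSL_CTX_set_options()/SSL_CTX_clear_options() on the same bit, which keeps the example runnable without a C toolchain and without a network. The helper names (compression_disabled, allow_compression, disable_compression, linked_openssl, demo) are my own.

```python
import ssl

# SSL_OP_NO_COMPRESSION as exposed by Python's ssl module. It is the same bit
# that SSL_CTX_set_options() takes in C, not a compile-time switch, so it can
# be set no matter how the libssl that ldd resolves at runtime was built.
NO_COMPRESSION = int(ssl.OP_NO_COMPRESSION)


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True if the context will refuse to negotiate TLS compression."""
    return bool(int(ctx.options) & NO_COMPRESSION)


def allow_compression(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """The risky state: clear the bit so a zlib-enabled libssl may offer
    DEFLATE in the ClientHello. Only here to make the toggle visible;
    this is the 'before', not something to ship."""
    ctx.options = int(ctx.options) & ~NO_COMPRESSION
    return ctx


def disable_compression(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """The fix the thread is after: set the bit on the context at runtime,
    which works regardless of whether libz is linked in."""
    ctx.options = int(ctx.options) | NO_COMPRESSION
    return ctx


def linked_openssl() -> str:
    """Version string of the libssl actually loaded into this process, the
    in-process counterpart of checking ldd / LD_LIBRARY_PATH."""
    return ssl.OPENSSL_VERSION


def demo() -> tuple:
    """Round-trip the option bit on a fresh client context and report the
    (before, after) state of compression_disabled()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    allow_compression(ctx)
    before = compression_disabled(ctx)
    disable_compression(ctx)
    after = compression_disabled(ctx)
    return before, after


if __name__ == "__main__":
    print("loaded library:", linked_openssl())
    print("compression disabled before/after:", demo())
```

Note that recent Python releases already set OP_NO_COMPRESSION on every new SSLContext, which is why allow_compression() has to clear it first to show the transition; in C against a raw SSL_CTX the bit is off until SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) is called, and the build-time no-zlib only removes the DEFLATE method from the library that happens to be loaded.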