Bug 269

Summary: OpenSSH doesn't compile with dynamic OpenSSL libraries
Product: Portable OpenSSH Reporter: Adrian <list_7531>
Component: Build systemAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WORKSFORME    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: UltraSPARC   
OS: Solaris   
Attachments:
Description Flags
As requested, config.log(.gz), --with-ssl-dir meant to override /usr/local/ssl path none

Description Adrian 2002-06-09 06:24:01 AEST 
Hi,

I'm trying to compile OpenSSH snapshot 20020603 with the dynamic libraries 
compiled from OpenSSL 0.9.6d. Using the "shared" option I can compile the 
OpenSSL source files to produce libssl.so and libcrypto.so (and libssl.a and 
libcrypto.a).

When I run the OpenSSH configure script, I get "cannot find OpenSSL libraries" 
if I specify the dynamically compiled OpenSSL libraries in "--with-ssl-dir=..."
When I use the statically compiled SSL libraries, SSH compiles and installs 
correctly.

System notes:
Statically compiled OpenSSL files in /opt/openssl-0.9.6d-stat
gmake clean;./configure --prefix=/opt/openssh323p1 --with-ssl-dir=/opt/openssl-
0.9.6d-stat --with-zlib=/opt/zlib --with-pam

Generates Makefile then compiles and installs.

Dynamically compiled OpenSSL files in /opt/openssl-0.9.6d-sh
gmake clean;./configure --prefix=/opt/openssh323p1 --with-ssl-dir=/opt/openssl-
0.9.6d-sh --with-zlib=/opt/zlib --with-pam

checking for pam_set_item in -lpam... yes
checking for pam_getenvlist... yes
checking whether pam_strerror takes only one argument... no
configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for 
details) ***

Here are the last 8 lines from config.log:
#define HAVE_INTTYPES_H 1
#define HAVE_UNISTD_H 1
#define GETPGRP_VOID 1
#define HAVE_LIBDL 1
#define HAVE_LIBPAM 1
#define HAVE_PAM_GETENVLIST 1
#define USE_PAM 1
configure: exit 1


This issue is reproducible with OpenSSL 0.9.6c and OpenSSH 3.2.3p1

This issue is important because system security updates are a lot more 
difficult if I have to keep track of statically linked binaries, which have to 
be updated every time a component from a different package is patched.

This issue is also a matter of concern as the "--with-zlib=/opt/zlib" option is 
correctly processed to use the dynamic library /opt/zlib/lib/libz.so.

Please let me know if you are able to fix this.

Thanks,

Adrian
Comment 1 Darren Tucker 2002-06-09 15:31:48 AEST 
First of all, are you sure you want to do that? The OpenSSL INSTALL file says:

"Shared library is currently an experimental feature.  The only reason to
 have them would be to conserve memory on systems where several program
 are using OpenSSL.  Binary backward compatibility can't be guaranteed
 before OpenSSL version 1.0."

If you update your OpenSSL shared library, you're likely to break ssh. This is a 
pain, particularly if the system is some remote place.

If you still want to do this, you'll need to provide more info: What compiler? 
Which version of Solaris? Do you have OpenSSL libraries or headers installed 
anywhere else in the link/include paths ("find / -name 'libcrypto.[a|so]' -print 
-o -name opensslv.h -print")? What's the rest of config.log say? (Add it as an 
attachment to this bug report).

If you're using gcc then there is a bug in 2.95.2 (and possibly others) that 
caused the -L link paths to be searched last, so if you've got an older 
libcrypto somewhere (eg /usr/local/lib) it'll pick that up.  See:

http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=gcc&pr=32
6

If that's your problem you can override -L by setting you LIBRARY_PATH 
environment variable.

For what it's worth, what you're doing works on my Sol8/gcc-3.1 box:
$ ./configure --with-ssl-dir=/opt/src/openssl-0.9.6d && make ssh
[snip]
$ ldd ssh
[snip]
        libcrypto.so.0.9.6 =>    /opt/src/openssl-0.9.6d/libcrypto.so.0.9.6
Comment 2 Adrian 2002-06-14 02:35:30 AEST 
Created attachment 113 [details]
As requested, config.log(.gz), --with-ssl-dir meant to override /usr/local/ssl path
Comment 3 Adrian 2002-06-14 03:16:47 AEST 
Further information:

In response to the email from dtucker@zip.com.au:

On my system:

$ echo $LIBRARY_PATH
/usr/local/lib:/usr/local/glib/lib:/usr/local/gtk/lib:/usr/lib:/usr/ucblib:/opt/gi
mp/lib:/usr/local/kde/lib:/usr/local/qt230/lib:/usr/local/kde/lib:/usr/dt/lib:/usr
/openwin/lib:/opt/gnome-1.4/lib

/usr/local/ssl is a symlink to /opt/openssl096c-eng

$ find /usr/local/ssl/lib -follow
/usr/local/ssl/lib/libcrypto.a
/usr/local/ssl/lib/libssl.a
/usr/local/ssl/lib/libcrypto.so.0.9.6
/usr/local/ssl/lib/libssl.so.0.9.6
/usr/local/ssl/lib/libcrypto.so.0
/usr/local/ssl/lib/libcrypto.so
/usr/local/ssl/lib/libssl.so.0
/usr/local/ssl/lib/libssl.so

Adrian
Comment 4 Darren Tucker 2002-06-14 11:20:40 AEST 
I think gcc is picking up a libcrypto from somewhere other than where you 
expect (maybe /usr/lib or /usr/local/lib).

configure:8264: gcc -o conftest -O3  -Wall -Wpointer-arith -Wno-uninitialized 
-I/usr/local/ssl/include -I/opt/zlib/include -O3  -I/usr/local/include 
-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/opt/zlib/lib -R/opt/zlib/lib
  -L/usr/local/lib -R/usr/local/lib conftest.c -lpam -ldl -lz -lsocket -lnsl  
-lcrypto >&5
/var/tmp/ccikDouh.o: In function `main':
/var/tmp/ccikDouh.o(.text+0x4): undefined reference to `RAND_add'
collect2: ld returned 1 exit status

Check for other libcrypto's:

$ find / -name 'libcrypto.*' -print

If any show up try:

$ LIBRARY_PATH=/usr/local/ssl/lib:$LIBRARY_PATH
$ export LIBRARY_PATH
$ cd openssh-3.2.3p1
$ make distclean && ./configure
Comment 5 Darren Tucker 2002-11-10 09:29:28 AEDT 
5 months no reply == closed bug.
Comment 6 Damien Miller 2004-04-14 12:24:18 AEST 
Mass change of RESOLVED bugs to CLOSED