Bug #2534
closed
lighty fails to start when compiled with openssl_from_ports
Description
FreeBSD has an old openssl in the base system. To take advantage of new ciphers and protocols I tried to run lighty with openssl_from_ports:
http://www.freebsd.org/doc/handbook/openssl.html
By just installing /usr/ports/security/openssl first and then recompiling lighty (the ports system detects that the newer openssl is available and links against it). This used to work with lighty 1.4.32.
Now with 1.4.33 I get the following error when starting lighty after compiling with openssl_from_ports:
2013-11-26 11:14:28: (plugin.c.169) dlopen() failed for: /usr/local/lib/lighttpd/mod_auth.so /usr/local/lib/lighttpd/mod_auth.so: Undefined symbol "SHA1"
At first I thought this issue was related to:
http://redmine.lighttpd.net/issues/2517
So I tried the Makefile.am patch, but then compilation fails with:
libtool: link: ranlib .libs/mod_compress.a
libtool: link: cc -shared -fPIC -DPIC .libs/mod_auth.o .libs/http_auth.o -L/usr/local/lib -lcrypt -lssl -lcrypto -O2 -Wl,-rpath=/usr/local/lib -Wl,-soname -Wl,mod_auth.so -o .libs/mod_auth.so
libtool: link: ( cd ".libs" && rm -f "mod_compress.la" && ln -s "../mod_compress.la" "mod_compress.la" )
/usr/bin/ld: /usr/local/lib/libcrypto.a(sha1_one.o): relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libcrypto.a: could not read symbols: Bad value
Updated by oschonrock over 11 years ago
I have notified the FreeBSD port maintainer of this issue with a link to here.
Updated by stbuehler over 11 years ago
- Status changed from New to Invalid
- Priority changed from High to Normal
You should link to a shared openssl library, which is probably not available. Linking static openssl seems like a bad idea to me; not sure whether -fPIC is even available for it.
Anyway, I don't think there is anything we can fix here.
(why would that be high priority? oO...)
Updated by oschonrock over 11 years ago
Sorry, if I got the priority wrong.
For me this issue means: "no way to support TLS v > 1.0 with lighty under FreeBSD", because I cannot compile/run it successfully against the openssl from ports. The base system openssl is 0.9.8, which does not support new protocols or cipher suites. Now that Chrome/IE and Firefox (nearly) have released versions which support TLS v1.2 and new GCM ciphers, this makes lighty not a good choice for properly secure SSL on FreeBSD. It was working with 1.4.32, but not now with 1.4.33.
Probably the compile error is a red herring. The real issue is that lighty will not start if compiled against openssl from ports:
2013-11-26 11:14:28: (plugin.c.169) dlopen() failed for: /usr/local/lib/lighttpd/mod_auth.so /usr/local/lib/lighttpd/mod_auth.so: Undefined symbol "SHA1"
I know this falls between lighty and FreeBSD, but I need some help to narrow it down.
Thanks
Updated by stbuehler over 11 years ago
I just gave you a solution: build shared openssl libs (libcrypto.so, libssl.so) (which should include the -fPIC flag).
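A way to check an installed module for the condition behind the `Undefined symbol "SHA1"` message, as an added example that is not part of the thread and not lighttpd or FreeBSD ports code. It assumes `readelf` and `nm` are available; the function names and the sample tool output (including library version numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not lighttpd or FreeBSD ports code. Function names are hypothetical.

# diagnose DYN UNDEF SYM
#   DYN   = output of `readelf -d module.so`
#   UNDEF = output of `nm -D -u module.so`
# Returns 1 when SYM is an undefined reference but the module records no
# NEEDED libcrypto.so*, so nothing guarantees a provider at dlopen() time.
# (It only inspects the module's own NEEDED entries, not the loading binary's.)
diagnose() {
    dg_dyn=$1 dg_undef=$2 dg_sym=$3
    # nm prints "U SHA1" or "U SHA1@VERSION"; SHA1_Init must not count as SHA1.
    if ! printf '%s\n' "$dg_undef" |
        grep -Eq "(^|[[:space:]])U[[:space:]]+${dg_sym}(@|\$)"; then
        echo "OK: module does not reference $dg_sym"
        return 0
    fi
    # libcrypt.so (from -lcrypt) must not be mistaken for libcrypto.so.
    if printf '%s\n' "$dg_dyn" | grep -Eq '\(NEEDED\).*\[libcrypto\.so'; then
        echo "OK: $dg_sym is undefined but libcrypto is a NEEDED dependency"
        return 0
    fi
    echo "PROBLEM: $dg_sym is undefined and no libcrypto.so is NEEDED"
    return 1
}

# check_module PATH [SYMBOL]: run the real tools against an installed module.
check_module() {
    diagnose "$(readelf -d "$1")" "$(nm -D -u "$1")" "${2:-SHA1}"
}

# Constructed sample tool output (library version numbers are made up).
SAMPLE_UNDEF='                 U SHA1_Init
                 U SHA1
                 U crypt'
SAMPLE_DYN_BROKEN=' 0x0000000000000001 (NEEDED)  Shared library: [libcrypt.so.5]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.7]'
SAMPLE_DYN_LINKED="$SAMPLE_DYN_BROKEN
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.8]"

diagnose "$SAMPLE_DYN_BROKEN" "$SAMPLE_UNDEF" SHA1 || true
diagnose "$SAMPLE_DYN_LINKED" "$SAMPLE_UNDEF" SHA1
```

When a `libcrypto.so` entry is present, `ldd` on the module shows which copy the runtime linker resolves, which is how to confirm the ports library under `/usr/local/lib` is the one in use.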