Bug #2534

lighty fails to start when compiled with openssl_from_ports

Added by oschonrock almost 6 years ago. Updated almost 6 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2013-11-26
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x: No

Description

FreeBSD has an old openssl in base system. To take advantage of new ciphers and protocols I tried to run lighty with openssl_from_ports:
http://www.freebsd.org/doc/handbook/openssl.html

By just installing /usr/ports/security/openssl first and then recompiling lighty (the ports system detects the newer openssl is available and links against it). This used to work with lighty 1.4.32.

Now with 1.4.33 I get the following error when starting lighty after compiling with openssl_from_ports:

2013-11-26 11:14:28: (plugin.c.169) dlopen() failed for: /usr/local/lib/lighttpd/mod_auth.so /usr/local/lib/lighttpd/mod_auth.so: Undefined symbol "SHA1" 

At first I thought this issue was related to:
http://redmine.lighttpd.net/issues/2517

So I tried the Makefile.am patch, but then compilation fails with:

libtool: link: ranlib .libs/mod_compress.a
libtool: link: cc -shared  -fPIC -DPIC  .libs/mod_auth.o .libs/http_auth.o   -L/usr/local/lib -lcrypt -lssl -lcrypto  -O2 -Wl,-rpath=/usr/local/lib   -Wl,-soname -Wl,mod_auth.so -o .libs/mod_auth.so
libtool: link: ( cd ".libs" && rm -f "mod_compress.la" && ln -s "../mod_compress.la" "mod_compress.la" )
/usr/bin/ld: /usr/local/lib/libcrypto.a(sha1_one.o): relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libcrypto.a: could not read symbols: Bad value

History

#1

Updated by oschonrock almost 6 years ago

I have notified the FreeBSD port maintainer of this issue with link to here.

#2

Updated by oschonrock almost 6 years ago

  • Assignee deleted (stbuehler)

#3

Updated by stbuehler almost 6 years ago

  • Status changed from New to Invalid
  • Priority changed from High to Normal

You should link to a shared openssl library, which is probably not available. Linking static openssl seems like a bad idea to me, not sure whether -fPIC is even available for it.

Anyway, I don't think there is anything we can fix here.

(why would that be high priority? oO...)

#4

Updated by oschonrock almost 6 years ago

Sorry, if I got the priority wrong.

For me this issue means: "no way to support TLS v > 1.0 with lighty under FreeBSD", because I cannot compile/run it successfully against the openssl from ports. The base system openssl is 0.9.8, which does not support new protocols or cipher suites. Now that Chrome/IE and Firefox (nearly) have released versions which support TLS v1.2 and new GCM ciphers this makes lighty not a good choice for properly secure SSL on FreeBSD. It was working with 1.4.32, but not now with 1.4.33.

Probably the compile error is a red herring. The real issue is that lighty will not start if compiled against openssl from ports:

2013-11-26 11:14:28: (plugin.c.169) dlopen() failed for: /usr/local/lib/lighttpd/mod_auth.so /usr/local/lib/lighttpd/mod_auth.so: Undefined symbol "SHA1" 

I know this falls between lighty and FreeBSD, but I need some help to narrow it down.

Thanks

#5

Updated by stbuehler almost 6 years ago

I just gave you a solution: build shared openssl libs (libcrypto.so, libssl.so) (which should include the -fPIC flag).
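
A check an operator could run on a module that fails with `Undefined symbol "SHA1"`, added here as an illustration and not part of the ticket or of lighttpd: it reports whether a module that references a libcrypto symbol also records a shared libcrypto as a DT_NEEDED dependency. The function names are hypothetical, and the embedded `readelf -d` and `nm -D` text, including the library version numbers, is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the ticket): does a module that references a
# libcrypto symbol also list a shared libcrypto among its DT_NEEDED entries?

# Print the sonames from `readelf -d` output read on stdin.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# Print undefined dynamic symbols from `nm -D --undefined-only` output on
# stdin, dropping any @VERSION suffix.
undefined_syms() {
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }'
}

# diagnose DYNAMIC_TEXT SYMBOL_TEXT SYMBOL
diagnose() {
    if ! printf '%s\n' "$2" | undefined_syms | grep -qxF -- "$3"; then
        echo "not-referenced"
    elif printf '%s\n' "$1" | needed_libs | grep -q '^libcrypto\.so'; then
        echo "needed-present"
    else
        # The symbol must then come from an object that is already loaded;
        # if none provides it, dlopen() reports it as undefined.
        echo "needed-missing"
    fi
}

# Constructed sample input (library version numbers are made up).
SAMPLE_SYMS='                 U SHA1
                 U crypt
                 U strlen'
SAMPLE_DYN_BROKEN=' 0x0000000000000001 (NEEDED)   Shared library: [libcrypt.so.5]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.7]
 0x000000000000000e (SONAME)   Library soname: [mod_auth.so]'
SAMPLE_DYN_FIXED=' 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.8]
'"$SAMPLE_DYN_BROKEN"

# With a file argument, inspect a real module instead of the samples.
if [ $# -gt 0 ]; then
    diagnose "$(readelf -d "$1")" "$(nm -D --undefined-only "$1")" SHA1
else
    diagnose "$SAMPLE_DYN_BROKEN" "$SAMPLE_SYMS" SHA1   # needed-missing
    diagnose "$SAMPLE_DYN_FIXED" "$SAMPLE_SYMS" SHA1    # needed-present
fi
```

A `needed-present` result only shows that the dependency is recorded; the loader still has to find a shared libcrypto at run time, which is what building the shared openssl libraries provides.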
