Hello to all,
I apologize for posting this message a second time, but it's been
twenty-one hours, and no responses. I ask that people please
read this message and give me some feedback, as this issue has
me boggled. And if I haven't given enough information or shown
enough effort to merit help, could someone at the very least give
me a nudge in the proper direction? It'd be really appreciated.
I've got a production machine running FreeBSD 4.8-RELEASE, and I
need to upgrade it to fix the SSL, procfs issues that have come up
lately. The machine's root partition lacks the space to accommodate
world source and object files, so I have two symlinks for /usr/src
and /usr/obj:
/usr/src --> /usr/local/world_src
/usr/obj --> /usr/local/world_obj
I should also note that the apache13-modssl port is installed on
this server.
I cvsupped RELENG_4_8 (with "*default prefix=/usr" in the supfile)
successfully.
I cd'd to /usr/src, issued the "make buildworld" command, and waited
until the build finished. I then cd'd to '/usr/obj/' and took a
look around. In there I found a directory hierarchy of
"usr/local/world_src", and within that were the nice shiny new
files.
One of my aims was to replace libssl.so.3 with a fixed version, so
(after making a backup copy of the current /usr/lib/libssl.so.3) I
placed /usr/obj/usr/local/world_src/secure/lib/libssl/libssl.so.3
into /usr/lib and then attempted an https connection to the server.
(Apache's libssl.so module was dynamically linked against libssl.so.3).
I found that my connection did not really work properly, creating
errors such as these in the httpd error log:
[Wed Oct 8 16:01:04 2003] [error] [client W.X.Y.Z] Invalid method in request \x80C\x01\x03
[Wed Oct 8 16:02:48 2003] [error] [client W.X.Y.Z] Invalid method in request \x16\x03
[Wed Oct 8 16:02:48 2003] [error] [client W.X.Y.Z] Invalid method in request \x16\x03
Clearly, I did something wrong, for when I put the original libssl.so.3
back in place, those errors no longer occurred.
I was totally confused at this point, and so I wrote up a problem description
which I posted to freebsd-questions yesterday afternoon. It's been almost twenty
hours since that posting, so I contacted my old boss, and asked him to read the
letter, giving me any feedback he could.
We made a few determinations:
1) The httpd binary itself is not linked against any ssl library.
It's linked dynamically against only libcrypt, libc, libm, libutil.
2) mod_ssl is not compiled into the httpd binary. It is loaded via
httpd.conf 'AddModule' and 'LoadModule' directives.
3) '/usr/local/libexec/apache/libssl.so' appears to be the SSL
module, as there is no 'mod_ssl' file in /usr/local/libexec/apache.
This file is linked dynamically against libssl.so.3 and libcrypto.so.3.
My old boss suggested replacing libcrypto.so.3 with the new version,
in addition to replacing libssl.so.3. I did this, but it only made
matters worse:
* The httpd problem still existed
* SSHD broke - my terminal windows to that host vanished
in a fraction of a second and no new connections were
allowed.
I put the old libraries back into place, and reported failure to my
ex-boss. He then suggested that perhaps my installation was
sufficiently old that an entirely new world was required.
I told him that the system was running (from uname) "4.8-RELEASE
#0: Thu Apr 3 ", and the world I had just built was 4.8p13,
and he was no longer so certain that my installation was so old
that it had to have an all new world, and suggested that I write
all this up and post it to freebsd-stable, which I am doing right
now!
I hope that I have described the problem clearly, and that someone
will be able to shed some light on this matter.
Thank you very much,
-John
--
+---------------------------------------------------------------------------+
| John Fox <jjf @ mind.net> | System Administrator | InfoStructure          |
+---------------------------------------------------------------------------+
| Gideon: I thought you said don't hold a grudge.                           |
| Galen: I don't. I have no surviving enemies...at all.                     |
| -- "Crusade", _Racing the Night_                                          |
+---------------------------------------------------------------------------+
----- End forwarded message -----
-John
--
+---------------------------------------------------------------------------+
| John Fox <jjf@mind.net> | System Administrator | InfoStructure            |
+---------------------------------------------------------------------------+
| Gideon: I thought you said don't hold a grudge.                           |
| Galen: I don't. I have no surviving enemies...at all.                     |
| -- "Crusade", _Racing the Night_                                          |
+---------------------------------------------------------------------------+
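
The escaped bytes that Apache logged after "Invalid method in request" are the opening bytes of an SSL/TLS handshake, which means the handshake reached the HTTP request parser as if it were a plain request. The sketch below is an added example, not part of the original post; it decodes such log lines and names the handshake format. The function names and the fourth sample line are constructed for illustration.

```python
import re

# Constructed sample: the three log lines quoted in the post (re-joined onto
# single lines) plus one made-up plain-text line for contrast.
SAMPLE_LOG = r"""
[Wed Oct 8 16:01:04 2003] [error] [client W.X.Y.Z] Invalid method in request \x80C\x01\x03
[Wed Oct 8 16:02:48 2003] [error] [client W.X.Y.Z] Invalid method in request \x16\x03
[Wed Oct 8 16:02:48 2003] [error] [client W.X.Y.Z] Invalid method in request \x16\x03
[Wed Oct 8 16:05:10 2003] [error] [client W.X.Y.Z] Invalid method in request FOO / HTTP/1.0
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Invalid method in request (?P<req>.*)$"
)

def unescape(text):
    """Turn Apache's \\xNN escapes back into the raw bytes the client sent."""
    raw = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return raw.encode("latin-1")

def classify(data):
    """Name the handshake format from the leading bytes of the 'request'."""
    # SSLv3/TLS record header: content type 0x16 (handshake), major version 3.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "SSLv3/TLS handshake record"
    # SSLv2 record header: high bit set, 15-bit length, then message type
    # 0x01 (CLIENT-HELLO).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return f"SSLv2-format ClientHello (record length {length})"
    return "plain text, not an SSL/TLS handshake"

def scan(log):
    """Return (timestamp, client, verdict) for each matching log line."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m["ts"], m["client"], classify(unescape(m["req"]))))
    return results

if __name__ == "__main__":
    for ts, client, verdict in scan(SAMPLE_LOG):
        print(f"{ts}  {client}  {verdict}")
```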