Alexander Koeppe
2020-Jan-03 14:16 UTC
FreeBSD SSL libraries and OpenSSL libraries - how to compile own source code
Hello list,

Since I've upgraded to FreeBSD 12, I've linker issues when I try to build my own source code which is depending on OpenSSL library.

It's claiming that there are undefined references to SSL_library_init or SSLv23_server_method for instance.

I detected the OpenSSL libraries using the FindOpenSSL.cmake file in /usr/local/share/cmake/Modules. It returned /usr/lib32/libssl.so and /usr/lib32/libcrypto.so.

Cmake is for some reason translating the found libraries to the `-lssl` and `-lcrypto` linker flags. This seems to default back to /usr/lib/libssl.so and /usr/lib/libcrypto.so.

These files point by default to:

/usr/lib/libssl.so -> libssl.so.111
/usr/lib/libcrypto.so -> /lib/libcrypto.so.111

But when I check which libraries have been provided by OpenSSL package, I get a different outcome:

$ pkg list openssl | egrep 'lib(ssl|crypto).so'
/usr/local/lib/libcrypto.so
/usr/local/lib/libcrypto.so.9
/usr/local/lib/libssl.so
/usr/local/lib/libssl.so.9
$

These files are different to what openssl package provided.

When I replace these symlinks to point to the .so files provided by the openssl package, building and running the application works as expected. So:

/usr/lib/libssl.so -> /usr/local/lib/libssl.so
/usr/lib/libcrypto.so -> /usr/local/lib/libcrypto.so

I've read that FreeBSD 12 provides its own SSL libraries and there is the possibility to edit the /etc/make.conf to make the ports building against the "real" OpenSSL library.

However I often need to build the latest source code from GitHub, so that I cannot make use of the ports approach (I tend to use the pkg management).

What is the best way to use the "real" OpenSSL libraries when building custom source code on FreeBSD?

Thanks in advance for any advice.

- Alex
Mike Karels
2020-Jan-04 21:21 UTC
FreeBSD SSL libraries and OpenSSL libraries - how to compile own source code
Not having seen an answer to this yet, I'm going to provide a partial answer. Hopefully someone plugged into the current plans can provide the rest, especially where ports are going with this.

> To: freebsd-stable at freebsd.org
> From: Alexander Koeppe <format_c at online.de>

> Hello list,

> Since I've upgraded to FreeBSD 12, I've linker issues when I try to
> build my own source code which is depending on OpenSSL library.

> It's claiming that there are undefined references to SSL_library_init or
> SSLv23_server_method for instance.

The linker is correct; see below.

> I detected the OpenSSL libraries using the FindOpenSSL.cmake file in
> /usr/local/share/cmake/Modules. It returned /usr/lib32/libssl.so and
> /usr/lib32/libcrypto.so.

> Cmake is for some reason translating the found libraries to the `-lssl`
> and `-lcrypto` linker flags. This seems to default back to
> /usr/lib/libssl.so and /usr/lib/libcrypto.so.

> These files point by default to:

> /usr/lib/libssl.so -> libssl.so.111
> /usr/lib/libcrypto.so -> /lib/libcrypto.so.111

Those are the shared libraries used by the base. They are from OpenSSL 1.1.1.

> But when I check which libraries have been provided by OpenSSL package,
> I get a different outcome:

> $ pkg list openssl | egrep 'lib(ssl|crypto).so'
> /usr/local/lib/libcrypto.so
> /usr/local/lib/libcrypto.so.9
> /usr/local/lib/libssl.so
> /usr/local/lib/libssl.so.9
> $

> These files are different to what openssl package provided.

These are the libraries used by ports (packages).

> When I replace these symlinks to point to the .so files provided by the
> openssl package, building and running the application works as expected.
> So:

> /usr/lib/libssl.so -> /usr/local/lib/libssl.so
> /usr/lib/libcrypto.so -> /usr/local/lib/libcrypto.so

> I've read that FreeBSD 12 provides its own SSL libraries and there is
> the possibility to edit the /etc/make.conf to make the ports building
> against the "real" OpenSSL library.

FreeBSD 12 uses OpenSSL 1.1.1 in the base (not its own SSL libraries). However, ports were not converted to 1.1.1 at that time, but instead use the /usr/local version (which I think is OpenSSL 1.0.2t as of 12.1). Changing the symlinks in /usr/lib will cause newly-compiled programs to use the old version, but will probably also prevent part of the base system from being recompiled/linked. The include paths are different as well.

However, note that OpenSSL 1.0.2 is no longer supported upstream, even for security fixes, as of the new year.

OpenSSL 1.1.1 is quite different than past versions. For example, SSL v2 is gone (hence entry points like SSLv23_server_method; I've forgotten what the replacement is). Many data structures have been made opaque, requiring the use of accessor functions. I have spent the best part of the last month retrofitting our own software at $WORK.

> However I often need to build the latest source code from GitHub, so
> that I cannot make use of the ports approach (I tend to use the pkg
> management).

> What is the best way to use the "real" OpenSSL libraries when building
> custom source code on FreeBSD?

The "best" approach is to convert your code to use OpenSSL 1.1.1, or to find versions of external source that have been converted. OpenSSL 1.0.2 may still be usable for a while in some environments, but is not a good path going forward.

Alternatively, I assume it is still possible to compile using the ports environment by using the right -I and -L options to use the 1.0.2 headers and libraries in /usr/local.

> Thanks in advance for any advice.

Good luck!

> - Alex

Mike
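
A diagnostic for the header/library pairing discussed in this thread, added here as an example and not part of either post: it reads the OpenSSL version from the headers in an include directory and compares it with the library that `libssl.so` resolves to in a library directory. In OpenSSL 1.1.x, `SSL_library_init` and `SSLv23_server_method` are compatibility macros in the headers rather than exported functions, so compiling against 1.0.2 headers while linking the 1.1.1 base library is one way to get the undefined references reported above. The function names are hypothetical, and the soname mapping (`.111` for base 1.1.1, `.9` for the ports 1.0.2) is taken from the thread and assumed to hold only for FreeBSD 12.

```shell
#!/bin/sh
# Added example: report whether an include dir and a library dir carry the
# same OpenSSL generation, so -I and -L can be chosen as a matching pair.

# header_version INCDIR -> "major.minor.fix" parsed from openssl/opensslv.h
header_version() {
    hex=$(sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]]*\(0x[0-9a-fA-F]*\)L.*/\1/p' \
        "$1/openssl/opensslv.h" 2>/dev/null | head -n 1)
    [ -n "$hex" ] || return 1
    v=$(($hex))   # layout 0xMNNFFPPS: major, minor, fix, patch, status
    echo "$(( (v >> 28) & 0xf )).$(( (v >> 20) & 0xff )).$(( (v >> 12) & 0xff ))"
}

# library_family LIBDIR -> "1.1" or "1.0", from the file libssl.so resolves to.
# Assumption from the thread: libssl.so.111 = base 1.1.1, libssl.so.9 = ports 1.0.2.
library_family() {
    soname=$(basename "$(readlink -f "$1/libssl.so" 2>/dev/null)")
    case "$soname" in
        libssl.so.111) echo 1.1 ;;
        libssl.so.9)   echo 1.0 ;;
        *)             return 1 ;;
    esac
}

# check_pair INCDIR LIBDIR -> 0 if they agree, 1 on mismatch, 2 if undetermined
check_pair() {
    hv=$(header_version "$1") || { echo "no OpenSSL headers under $1"; return 2; }
    lf=$(library_family "$2") || { echo "unrecognised libssl.so in $2"; return 2; }
    case "$hv" in
        1.1.*) hf=1.1 ;;
        1.0.*) hf=1.0 ;;
        *)     hf=other ;;
    esac
    if [ "$hf" != "$lf" ]; then
        echo "MISMATCH: headers $hv in $1, library family $lf in $2"
        return 1
    fi
    echo "OK: headers $hv in $1 match library family $lf in $2"
    [ "$lf" = 1.0 ] && echo "note: OpenSSL 1.0.x no longer receives upstream fixes"
    return 0
}

# Usage: sh check.sh /usr/local/include /usr/lib
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

A mismatch means the compiler's `-I` and the linker's `-L` point at different OpenSSL generations; set both to the same prefix rather than repointing the symlinks in /usr/lib.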