Linker error building SW with OpenSSL 1.1.1W on RHEL8

Tomas Mraz tomas at openssl.org
Tue Jan 2 09:10:36 UTC 2024


The system openssl 1.1.1 package on RHEL is heavily patched and
includes some APIs backported from later upstream versions (3.0.x). You
cannot replace it by pristine OpenSSL build. You would have to apply
the patches from the openssl srpm package over the 1.1.1w version
however you will probably encounter conflicts so it will not be a
trivial task to do so.

Unfortunately I do not know how to avoid this libk5crypto.so.3
dependency when linking your application. IMO it should be possible to
avoid it - try to find which library you're explicitly linking to is
pulling it in.

Tomas Mraz, OpenSSL


On Fri, 2023-12-29 at 21:56 +0000, Fox, Shawn D (US) via openssl-users
wrote:
> 
> 
> 
> I have built openssl v1.1.1w from source on the RHEL8 OS using the
> GCC12 toolset.  The command to configure looks like this and then
> gmake install used to build and install.
> ./config --prefix=/data/${USER}/repos/tp/openssl-1.1.1w-
> install/release
>  
> /data/${USER}/repos/tp/openssl-1.1.1w is the directory containing the
> extracted source and configuration files.
>  
> So that worked fine and binaries were produced. However, when I try
> to build my own applications specifying
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib as the
> location of the libraries then I am seeing linker errors such as:
>  
> /opt/rh/gcc-toolset-12/root/usr/libexec/gcc/x86_64-redhat-
> linux/12/ld: /lib64/libk5crypto.so.3: undefined reference to
> `EVP_KDF_CTX_free at OPENSSL_1_1_1b'
>  
> So far web searches haven’t turned up much info that helps me but one
> thread did indicate that the problem is due to using a downstream
> build of openssl on RHEL8 since red hat backports security fixes into
> an older version that they distribute. 
>  
> I found some articles about libk5crypto which seems to be something
> related to Kerberos.  I’ve no idea how that factors into my
> application build since I don’t believe it has a dependency on that. 
> However I have noticed that my build of libcrypto has fewer symbols
> then the libcrypto installed to RHEL8.  Take a look at this.
>  
> objdump -TC /lib64/libcrypto.so |grep EVP_KDF
> 00000000001725d0 g    DF .text  00000000000000f0  OPENSSL_1_1_1b
> EVP_KDF_ctrl
> 00000000001726c0 g    DF .text  000000000000008e  OPENSSL_1_1_1b
> EVP_KDF_ctrl_str
> 0000000000172570 g    DF .text  0000000000000021  OPENSSL_1_1_1b
> EVP_KDF_reset
> 0000000000172750 g    DF .text  0000000000000030  OPENSSL_1_1_1b
> EVP_KDF_size
> 00000000001725a0 g    DF .text  0000000000000023  OPENSSL_1_1_1b
> EVP_KDF_vctrl
> 0000000000172450 g    DF .text  0000000000000111  OPENSSL_1_1_1b
> EVP_KDF_CTX_new_id
> 0000000000172410 g    DF .text  0000000000000031  OPENSSL_1_1_1b
> EVP_KDF_CTX_free
> 0000000000172780 g    DF .text  0000000000000023  OPENSSL_1_1_1b
> EVP_KDF_derive
>  
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib
>  
> objdump -TC libcrypto.so | grep EVP_KDF
> <no symbols found>
>  
> I searched the CHANGE notes for SSL 1.1.1w and the INSTALL file for
> configure instructions but I do not see any reason why these symbols
> are not being produced in my build.  My guess is that during linking
> something must have transitive dependency on libk5crypto which
> requires the symbols in question which do not exist in my custom
> build of libcrypto.  How can I build libcrypto so that it has these
> EVP* symbols?
>  
> Thanks,
> Shawn Fox
>  

-- 
Tomáš Mráz, OpenSSL



More information about the openssl-users mailing list