[openssl-users] openssl-1.1.0 - Linker error on Windows

Michael Wojcik Michael.Wojcik at microfocus.com
Wed May 25 14:35:27 UTC 2016

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Matt Caswell
> Sent: Wednesday, May 25, 2016 08:05
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] openssl-1.1.0 - Linker error on Windows
> On 25/05/16 14:59, Michael Wojcik wrote:
> >
> >> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> >> Behalf Of Andrew Hartley Sent: Wednesday, May 25, 2016 05:20
> >
> >> I’ve built the openssl-1.1.0 library with no-shared config option
> >> on Windows.  I’ve linked the library to my application > and fixed
> >> the few issues with EVP_MD_CTX deprication.  When I build my
> >> application I get the following link errors:
> >
> >> 1>libcrypto.lib(e_capi.obj) : error LNK2019: unresolved external
> >> symbol __imp__CertFreeCertificateContext at 4 referenced in function
> >> _capi_free_key
> >
> > You have the CAPI engine linked into libcrypto (rather than
> > configuring it for dynamic loading)
> IIRC it is no longer possible to build for static linking but
> dynamically load engines (there be dragons).

Perhaps not. I have a hybrid engine mechanism where I build OpenSSL as a static library but as sharable code, link it statically into my own shared library (DLL on Windows, shared object on Linux/UNIX), and add an engine at runtime. The engine is implemented in my library, so it's not actually dynamically loaded, but it isn't statically linked into OpenSSL either. That seems to work fine, at least for 1.0.1 and 1.0.2.

(Of course, Configure doesn't actually support building OpenSSL as static libraries of sharable code, so we have to edit the configurations we use with each release. But such is life.)

> >, so you need to link against the
> > Windows CAPI library, which is crypt32.lib. Add /Lcrypt32, either
> > when you create libcrypto or when you link your application.
> Another possibility, if you are not using the CAPI engine, is to disable
> it during the OpenSSL build using the no-capieng Configure option.

Yes. I was assuming Andrew wanted CAPI support and had configured it explicitly, but that isn't a safe assumption. If he doesn't need it, then disabling it in the configure options is the most sensible course.

Michael Wojcik
Technology Specialist, Micro Focus

More information about the openssl-users mailing list