[openssl-users] Difference between libssl.a in static openssl build versus libssl.a in dynamic openssl build ???

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Jul 24 15:51:33 UTC 2017 

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Joe Flowers
> Sent: Monday, July 24, 2017 08:54
> To: Salz, Rich; openssl-users at openssl.org
> Subject: Re: [openssl-users] Difference between libssl.a in static openssl build versus libssl.a in dynamic openssl build ???

>> You know you are going from something horribly out of date to something very out of date, right?

> Yes.

>> Can’t you at least move to 1.0.2?

> That is out of my hands and is almost entirely irrelevant to the information I asked for and need.

Perhaps, but it's not irrelevant to your question, because:

- The OpenSSL build process has been updated significantly since the days of 1.0.0 or 1.0.1 (your original message said 1.0.0e, but the directory paths you quoted say 1.0.1e), so it's easier for people to comment on build questions regarding supported releases.

- More importantly, the people who participate on this list have limited resources and other responsibilities. It makes sense for them to focus on questions from people who are using supported releases. That doesn't mean no one should help you, or that no one will; but it would be courteous to acknowledge that fact.

Now, on to your original question:

> When I perform a dynamic openssl build with the following commands, I get (among other files) a libssl.a file.
> ...
> When I perform a static openssl build with the following commands, I get (among other files) another libssl.a file.
> ...
> I am trying to determine which one of these two newer libssl.a files I should use to replace the older ~0.9.7 libssl.a file.

For Linux, I believe it depends on whether you need PIC code, and whether you need the OpenSSL FIPS module. I'm going to ignore the latter case, because FIPS is a nightmarish wasteland of horrors. FIPS aside, I don't know of any reason *not* to use PIC code. The OpenSSL builds I work with always build sharable (PIC, on Linux and appropriate UNIXes) code, which we then put into static libraries, which are linked into dynamic libraries / shared objects containing our own cover routines.

There might be some other use case for building OpenSSL statically on Linux, but I'm not aware of one. Other list members may be.

Now, whether a dynamic-build libssl.a (and libcrypto.a) can be used as drop-in replacements for your 0.9.7 versions is another question entirely, of course.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list