Question about Open SSL 1.0.2 series compatibility

Viktor Dukhovni openssl-users at dukhovni.org
Thu Dec 7 20:26:07 UTC 2023


On Thu, Dec 07, 2023 at 06:22:41PM +0000, Fox, Shawn D (US) via openssl-users wrote:

> We do link to the dynamic libraries which I didn’t mention before and
> when we set up our execution environment we do update LD_LIBRARY_PATH.
> I would think that would resolve conflicts as the applications would
> then find our custom installation of openssl first.

You SHOULD NOT rely on LD_LIBRARY_PATH.  Use "$ORIGIN" and relative
library paths when building the object.  Make sure the compiled .SO has
a suitably unique SONAME, and distinctive symbol version numbers, by
backporting the "shlib_variant" from 1.1.0 (IIRC) to your 1.0.2 build
(this is fairly easy, I originally developed shlib_variant for 1.0.2,
but it was never in an official 1.0.2 release).


> The function PEM_read_X509 seems to be the root of my issue.

It should not be a problem, provided you use the right headers when
building the application.  The compile-time headers and library
dependency need to match.

> On RHEL8 it doesn’t populate the out parameter the same way and it
> results in a downstream seg fault.

This suggests a misconfiguration of the include or library path.


> I have not been able to find where that function is defined.

It is code generated by macros when OpenSSL is built.  The shared
object library has the symbol:

    $ objdump -T /usr/lib/libcrypto.so | grep -w PEM_read_X509
    0000000000153fb0 g    DF .text  0000000000000024  OPENSSL_1_1_0 PEM_read_X509

    $ objdump -T /usr/local/lib/libcrypto.so | grep -w PEM_read_X509
    0000000000385580 g    DF .text  0000000000000041  OPENSSL_3.0.0 PEM_read_X509

    $ objdump -T /usr/local/siteexec/lib/libcrypto.so | grep -w PEM_read_X509
    00000000003cf210 g    DF .text  0000000000000024  OPENSSLRPK_3.0.0 PEM_read_X509

The first one is FreeBSD 12's bundled OpenSSL 1.1.1q.
The second is OpenSSL 3.0.12 from FreeBSD ports.
The third is my own build of OpenSSL 3.2 with RPK support, as a
"shlib_variant" to avoid symbol conflicts with the ports build.

All three can coexist in the same executable without conflicts, by
virtue of non-overlapping symbol versions and distinct SONAMEs.

    $ readelf -d /usr/lib/libcrypto.so | grep SONAME
     0x000000000000000e SONAME               Library soname: [libcrypto.so.111]
    $ readelf -d /usr/local/lib/libcrypto.so | grep -w SONAME
     0x000000000000000e SONAME               Library soname: [libcrypto.so.12]
    $ readelf -d /usr/local/siteexec/lib/libcrypto.so | grep -w SONAME
     0x000000000000000e SONAME               Library soname: [libcryptorpk.so.3]

-- 
    Viktor.
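
An added example, not part of the original message: a deployment check that reads `readelf -d` output for an application binary and verifies the two properties recommended above, a NEEDED entry naming the variant SONAME and a `$ORIGIN`-relative RUNPATH/RPATH. The function name `audit_dynamic` and both sample dynamic sections are constructed for illustration; the `rpk` suffix is borrowed from the `libcryptorpk.so.3` SONAME shown in the message.

```shell
#!/bin/sh
# audit_dynamic VARIANT: read `readelf -d` output for an application binary
# on stdin, print one line per finding, return non-zero on any FAIL.
audit_dynamic() {
    awk -v v="$1" '
        # Text between "[" and "]" (works for GNU and BSD readelf layouts).
        function bracket(s,   i, j) {
            i = index(s, "["); j = index(s, "]")
            return substr(s, i + 1, j - i - 1)
        }
        # OpenSSL dependencies only; skips e.g. libcrypt.so and libssl3.so.
        /NEEDED/ && /lib(crypto|ssl)[a-z_]*\.so/ {
            lib = bracket($0)
            if (index(lib, "libcrypto" v ".so") == 1 ||
                index(lib, "libssl" v ".so") == 1) {
                print "OK   needed " lib
            } else {
                print "FAIL needed " lib " is not the \"" v "\" variant"; bad = 1
            }
        }
        /RUNPATH|RPATH/ {
            n = split(bracket($0), dirs, ":")
            for (k = 1; k <= n; k++)
                if (index(dirs[k], "$ORIGIN") == 1 || index(dirs[k], "${ORIGIN}") == 1)
                    origin = 1
        }
        END {
            if (origin) print "OK   search path uses $ORIGIN"
            else { print "FAIL no $ORIGIN-relative RUNPATH/RPATH"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: linked against the stock SONAME, no RUNPATH at all,
# so the loader falls back to LD_LIBRARY_PATH and the system directories.
sample_bad() {
cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
# Constructed sample: linked against a variant SONAME with an $ORIGIN runpath.
sample_good() {
cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcryptorpk.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
EOF
}

sample_good | audit_dynamic rpk
sample_bad  | audit_dynamic rpk || true
```

Against a real binary the same function is fed from `readelf -d ./app | audit_dynamic rpk`, where `./app` is a placeholder path.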

