Linker error building SW with OpenSSL 1.1.1W on RHEL8

Fox, Shawn D (US) shawn.fox at baesystems.com
Fri Dec 29 21:56:20 UTC 2023 

I have built openssl v1.1.1w from source on the RHEL8 OS using the GCC12 toolset.  The command to configure looks like this and then gmake install used to build and install.
./config --prefix=/data/${USER}/repos/tp/openssl-1.1.1w-install/release

/data/${USER}/repos/tp/openssl-1.1.1w is the directory containing the extracted source and configuration files.

So that worked fine and binaries were produced. However, when I try to build my own applications specifying /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib as the location of the libraries then I am seeing linker errors such as:

/opt/rh/gcc-toolset-12/root/usr/libexec/gcc/x86_64-redhat-linux/12/ld: /lib64/libk5crypto.so.3: undefined reference to `EVP_KDF_CTX_free at OPENSSL_1_1_1b'

So far web searches haven't turned up much info that helps me but one thread did indicate that the problem is due to using a downstream build of openssl on RHEL8 since red hat backports security fixes into an older version that they distribute.

I found some articles about libk5crypto which seems to be something related to Kerberos.  I've no idea how that factors into my application build since I don't believe it has a dependency on that.  However I have noticed that my build of libcrypto has fewer symbols then the libcrypto installed to RHEL8.  Take a look at this.

objdump -TC /lib64/libcrypto.so |grep EVP_KDF
00000000001725d0 g    DF .text  00000000000000f0  OPENSSL_1_1_1b EVP_KDF_ctrl
00000000001726c0 g    DF .text  000000000000008e  OPENSSL_1_1_1b EVP_KDF_ctrl_str
0000000000172570 g    DF .text  0000000000000021  OPENSSL_1_1_1b EVP_KDF_reset
0000000000172750 g    DF .text  0000000000000030  OPENSSL_1_1_1b EVP_KDF_size
00000000001725a0 g    DF .text  0000000000000023  OPENSSL_1_1_1b EVP_KDF_vctrl
0000000000172450 g    DF .text  0000000000000111  OPENSSL_1_1_1b EVP_KDF_CTX_new_id
0000000000172410 g    DF .text  0000000000000031  OPENSSL_1_1_1b EVP_KDF_CTX_free
0000000000172780 g    DF .text  0000000000000023  OPENSSL_1_1_1b EVP_KDF_derive

/data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib

objdump -TC libcrypto.so | grep EVP_KDF
<no symbols found>

I searched the CHANGE notes for SSL 1.1.1w and the INSTALL file for configure instructions but I do not see any reason why these symbols are not being produced in my build.  My guess is that during linking something must have transitive dependency on libk5crypto which requires the symbols in question which do not exist in my custom build of libcrypto.  How can I build libcrypto so that it has these EVP* symbols?

Thanks,
Shawn Fox

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231229/b265ad56/attachment.htm>

More information about the openssl-users mailing list