Linker error building SW with OpenSSL 1.1.1W on RHEL8

Christian Schmidt schmidt at digadd.de
Sat Dec 30 00:50:38 UTC 2023 

On 12/29/23 22:56, Fox, Shawn D (US) via openssl-users wrote:
> I have built openssl v1.1.1w from source on the RHEL8 OS using the GCC12 
> toolset.  The command to configure looks like this and then gmake 
> install used to build and install.
> 
> ./config --prefix=/data/${USER}/repos/tp/openssl-1.1.1w-install/release
> 
> /data/${USER}/repos/tp/openssl-1.1.1w is the directory containing the 
> extracted source and configuration files.
> 
> So that worked fine and binaries were produced. However, when I try to 
> build my own applications specifying 
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib as the 
> location of the libraries then I am seeing linker errors such as:
> 
> /opt/rh/gcc-toolset-12/root/usr/libexec/gcc/x86_64-redhat-linux/12/ld: 
> /lib64/libk5crypto.so.3: undefined reference to 
> `EVP_KDF_CTX_free at OPENSSL_1_1_1b'

That is because you successfully created a binary with the imports from 
your desired openssl. But since you linked it dynamically, your system 
used what is in the default library path, and /lib64/libk5crypto.so.3 is 
clearly an openssl 3 from your OS.

You can override the search at runtime by setting LD_LIBRARY_PATH to 
your library path, you can statically link, and to my knowledge there 
are ELF modifications that allow you to insert the path to a library 
into the binary, but I am not aware of the details (the keyword is RPATH).

Good luck,
Christian

> So far web searches haven’t turned up much info that helps me but one 
> thread did indicate that the problem is due to using a downstream build 
> of openssl on RHEL8 since red hat backports security fixes into an older 
> version that they distribute.
> 
> I found some articles about libk5crypto which seems to be something 
> related to Kerberos.  I’ve no idea how that factors into my application 
> build since I don’t believe it has a dependency on that.  However I have 
> noticed that my build of libcrypto has fewer symbols then the libcrypto 
> installed to RHEL8.  Take a look at this.
> 
> *objdump -TC /lib64/libcrypto.so |grep EVP_KDF*
> 
> 00000000001725d0 g    DF .text  00000000000000f0  OPENSSL_1_1_1b 
> EVP_KDF_ctrl
> 
> 00000000001726c0 g    DF .text  000000000000008e  OPENSSL_1_1_1b 
> EVP_KDF_ctrl_str
> 
> 0000000000172570 g    DF .text  0000000000000021  OPENSSL_1_1_1b 
> EVP_KDF_reset
> 
> 0000000000172750 g    DF .text  0000000000000030  OPENSSL_1_1_1b 
> EVP_KDF_size
> 
> 00000000001725a0 g    DF .text  0000000000000023  OPENSSL_1_1_1b 
> EVP_KDF_vctrl
> 
> 0000000000172450 g    DF .text  0000000000000111  OPENSSL_1_1_1b 
> EVP_KDF_CTX_new_id
> 
> 0000000000172410 g    DF .text  0000000000000031  OPENSSL_1_1_1b 
> EVP_KDF_CTX_free
> 
> 0000000000172780 g    DF .text  0000000000000023  OPENSSL_1_1_1b 
> EVP_KDF_derive
> 
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib
> 
> objdump -TC libcrypto.so | grep EVP_KDF
> 
> <no symbols found>
> 
> I searched the CHANGE notes for SSL 1.1.1w and the INSTALL file for 
> configure instructions but I do not see any reason why these symbols are 
> not being produced in my build.  My guess is that during linking 
> something must have transitive dependency on libk5crypto which requires 
> the symbols in question which do not exist in my custom build of 
> libcrypto.  How can I build libcrypto so that it has these EVP* symbols?
> 
> Thanks,
> 
> Shawn Fox
>

More information about the openssl-users mailing list