Bug 39913 - detection of static OpenSSL libraries requiring libz fails
Summary: detection of static OpenSSL libraries requiring libz fails
Status: ASSIGNED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Build (show other bugs)
Version: 2.2.2
Hardware: Sun Solaris
: P1 blocker (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-27 18:14 UTC by Douglas B. Jones
Modified: 2019-01-06 13:16 UTC (History)
3 users (show)



Attachments
config.log after failure due to SSL_set_cert_store symbol not being found (52.56 KB, text/plain)
2006-11-26 03:05 UTC, Brian Orlick
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas B. Jones 2006-06-27 18:14:59 UTC
(I posted this to the user list, but I do not feel compfortable
that a reply will be forth coming and I am under the gun on this.)

When compiling apache 2.2 with:

./configure     --prefix=/usr/local/apache\
                --includedir=/usr/local/include\
                --enable-so\
                --enable-module=expires\
                --enable-module=info\
                --enable-module=proxy\
                --enable-module=so\
                --enable-module=rewrite\
                --enable-module=auth_dbm\
                --enable-module=usertrack\
                --enable-module=log_agent\
                --enable-module=log_referer\
                --enable-module=auth_anon\
                --enable-layout=Apache\
                --with-ldap\
                --enable-ldap\
                --enable-authnz-ldap\
                --enable-dav\
                --enable-dav-lock\
                --enable-deflate\
                --enable--expires\
                --enable-headers\
                --enable-info\
                --enable-mime-magic\
                --enable-rewrite\
                --enable-unique-id\
                --enable-usertrack\
                --with-pmp-prefork\
                --enable-ssl\
                --with-ssl=/usr/local/lib/openssl-0.9.8b\
                --enable-mods-share=most

I get the following error message:

checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr/local/lib/openssl-0.9.8b
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version in -lcrypto... yes
checking for SSL_CTX_new in -lssl... no
checking for ENGINE_init... yes
checking for ENGINE_load_builtin_engines... yes
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable

Upon looking at the config.log file, I see:

configure:14271: cc -xarch=v9 -xcode=pic32 -o conftest -xarch=v9 -xcode=pic32 -
x
arch=v9 -xcode=pic32 -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT   -
L/
usr/local/lib -R/usr/local/lib -L/usr/local/lib/openssl-0.9.8b/lib conftest.c -
l
crypto  -lm  -luuid -lsendfile -lrt -lsocket -lnsl  -lpthread >&5
"conftest.c", line 84: warning: statement not reached
Undefined                       first referenced
 symbol                             in file
SSL_set_cert_store                  conftest.o
ld: fatal: Symbol referencing errors. No output written to conftest

Looking at libssl.a, the only cert_store I see is:

[139]   |         19112|           8|FUNC |GLOB |0    |2      
|SSL_CTX_get_cert_store
[140]   |         19144|          36|FUNC |GLOB |0    |2      
|SSL_CTX_set_cert_store

and that is in libssl.a, not libcrypto.a. It has the CTX part in there, but
I see no reference to that in any C or header files. Note in the cc line above,
that libssl.a is not referred to, only libcrypto.a (-lcrypto). I feel confident
that I must have made a mistake somewhere along the line, just not sure where.
I am on Solaris 10 with Sun C compiler 5.8. Thanks for any help!
Comment 1 Joe Orton 2006-08-16 12:52:43 UTC
The lack of SSL_set_cert_store is expected; the failure is for some other
reason.  Please attach the config.log file produced by configure if you can
still reproduce this.
Comment 2 Art 2006-11-04 16:25:03 UTC
I also ran into this problem.  I had my openssl-0.9.8d configured with zlib
support.  When I built apache with this option I received the error mentioned
above.  if I rebuilt openssl with zlib disabled (the default) and then built
apache 2.2.3 everything woked great!  so the workaround for this bug is to
disable zlib support in openssl.
Comment 3 Brian Orlick 2006-11-26 03:05:13 UTC
Created attachment 19171 [details]
config.log after failure due to SSL_set_cert_store symbol not being found

httpd-2.2.3
openssl-0.9.8d
Both compiled from source.
Running config with 
./configure --enable-ssl --with-ssl=/usr/local/ssl --enable-modules=most
--enable-mime-magic
(as stated in the log itself)
However, the error seems to be caused by earlier problems with undefined zlib
symbols. e.g.

/usr/local/ssl/lib/libcrypto.a(c_zlib.o)(.text+0x60): In function
`zlib_stateful_init':

Not sure if zlib is installed on the system, so I'll be installing that and
seeing after that.  I did compile OpenSSL with zlib support.  I will be
compiling zlib from support and seeing if that fixes it.

Also: http://www.zxid.org/apache.html references this same problem, and the
author of that page indicates that removing the checks for the symbols allows
the compilation to succeed.
Comment 4 Brian Orlick 2006-11-26 07:01:16 UTC
It appears, in my case, zlib was previously installed, and the problem was that
configure removes -lz from LIBS, but -lz must be included (and follow) -lcrypto
in some cases when OpenSSL is compiled with zlib support.  This causes problems
during configure and actual compilation.

Removing the two lines that remove -lz from LIBS and set MOD_DEFLATE_LDADD
almost fixed the configure problems, but is probably suboptimal.  I don't know
what side effects this might have on other systems.

One additional fix is that SSL_LIBS, when it has -lcrypto should have had -lz
following that if it is necessary.  It took me a bit of investigation as I wrote
this to discover that SSL_LIBS was set by including build/config_vars.mk -- I
manually fixed the support/Makefile which, in my case, was the only place that
was erroring out after that.

It'd be great if someone more knowledgable could make the corrections necessary
to the configure script so this'll build flawlessly for everyone with a recent
OpenSSL compiled with zlib.
Comment 5 Joe Orton 2006-11-27 02:17:15 UTC
Ah, thanks, that is basically the correct analysis.  The configure script should
be attempting to link against libcrypto using -lz too.
Comment 6 Dave 2007-05-10 11:05:39 UTC
I got the same error. But maybe with different cause.
After looking at the Apache2.2.3 config.log, I guess I had a mismatched C 
compiler when building openssl and Apache.
When building the openssl, I configured it to use ANSIC C, like this
env CC='/opt/ansic/bin/cc -Ae +DAportable +z' ./configure \
--with-ssl=/http/apache2/srclib/openssl/hp .........
The openssl config script however ignore this ANSIC C if detects a gcc is 
installed. So I wasn't aware it was using gcc.
So my workaround is either modify the openssl config script to ignore gcc or 
uninstall/rename gcc from the machine. I then passed this error.
Comment 7 Dave 2007-05-10 11:10:31 UTC
Oops I forgot this bug is for Solaris. I had this issue on my HP-UX 11.11. So 
my workaround may not apply to you.

(In reply to comment #6)
> I got the same error. But maybe with different cause.
> After looking at the Apache2.2.3 config.log, I guess I had a mismatched C 
> compiler when building openssl and Apache.
> When building the openssl, I configured it to use ANSIC C, like this
> env CC='/opt/ansic/bin/cc -Ae +DAportable +z' ./configure \
> --with-ssl=/http/apache2/srclib/openssl/hp .........
> The openssl config script however ignore this ANSIC C if detects a gcc is 
> installed. So I wasn't aware it was using gcc.
> So my workaround is either modify the openssl config script to ignore gcc or 
> uninstall/rename gcc from the machine. I then passed this error.