Forum OpenACS Development: nsssl with local copy of ssl libraries

Collapse
1: nsssl with local copy of ssl libraries
Posted by Dave Bauer on 01/28/15 05:28 AM
I am installed naviserver on a Centos install that has an older openssl.

It has openssl compiled locally at /usr/local/ssl as well.

I modified the makefile to compile nsssl with the /usr/local/ssl version but its still linked to the /lib64/libssl.so so it doesn't actually work.

Here is my modified Makefile.

ifndef NAVISERVER
NAVISERVER = /usr/local/ns
endif

#
# Module name
#
MOD = nsssl.so
MODLIBS = -L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib
#
# Objects to build.
#
OBJS = nsssl.o
CFLAGS = -I/usr/local/ssl/include
MODLIBS += -lssl -lcrypto

include $(NAVISERVER)/include/Makefile.module

dhparams.h:
openssl dhparam -C -2 -noout 512 >> dhparams.h
openssl dhparam -C -2 -noout 1024 >> dhparams.h

nsssl.o: dhparams.h

Collapse
2: Re: nsssl with local copy of ssl libraries (response to 1)
Posted by Dave Bauer on 01/28/15 06:03 AM
It appears to be a problem with 32 and 64 bit libraries installed on the same machine.
Collapse
3: Re: nsssl with local copy of ssl libraries (response to 1)
Posted by Gustaf Neumann on 01/28/15 09:06 AM
I read between the lines, that the problem is solved. The detailed behavior what happens when someone is trying to link 64bit apps with 32bit libraries and vice versa depends on the OS and is typically not obvious.

From the experience with HeartBleed, i would NOT recommend to link against a local version of OpenSSL, but to use a distribution maintained version. The update frequency of OpenSSL is quite high. Keeping a locally maintained copy of OpenSSL up-to-date is constant work, keeping it not up-to-date is constant danger.