Some inconsistencies concerning OpenSSL include configuration in FRS 3
Dr. Andreas Rieke
rieke at isl.de
Sat Jul 26 16:36:47 CEST 2014
due to the heartbleet bug, I want the FreeRADIUS server to use my own (new) OpenSSL library, and not the (old) system include/lib files. According to the main configuration utility (parameters for openssl include and lib directories) and accoring to Alan DeKok's email from May 16 (How to link to openssl if two versions of libssl are on the system, when building FreeRadius on Debian wheezy 7.4?) this should be possible:
> I use it that way every day.
However, this stopped working in my environment (CentOS) in the current 3.0.3 version of FRS; but let's start step by step with version 3.0.2. CentOS has own packages for development purposes, for example openssl-devel; to be sure that FreeRADIUS does not include the wrong header file, I have removed this package. Thus, FreeRADIUS will either take the correct file or report a missing file.
In version 3.0.2 of FRS, there are two options for the configure script for that purpose (--with-openssl-includes=DIR and --with-openssl-libraries=DIR) which work well. However, there are a few small inconsistencies concerning the modules:
- The configure script for rlm_eap_pwd is not able to find openssl/ec.h although the file is present in the folder given by the with-openssl-includes parameter to the main configure script:
> checking for openssl/ec.h... no
> checking for openssl/ec.h in /usr/local/include... no
> checking for openssl/ec.h in /opt/include... no
> checking for OpenSSL support... yes
- The configure script for rlm_otp reports inconsistencies:
> checking openssl/des.h usability... yes
> checking openssl/des.h presence... no
> configure: WARNING: openssl/des.h: accepted by the compiler, rejected by the preprocessor!
> configure: WARNING: openssl/des.h: proceeding with the compiler's result
> checking for openssl/des.h... yes
- The configure script for rlm_wimax is not able to find openssl/hmac.h although the file is present in the folder given by the with-openssl-includes parameter to the main configure script:
> checking openssl/hmac.h usability... no
> checking openssl/hmac.h presence... no
> checking for openssl/hmac.h... no
> configure: WARNING: silently not building rlm_wimax.
> configure: WARNING: FAILURE: rlm_wimax requires: openssl/hmac.h.
However, most modules in 3.0.2 compile well, and ldd makes sure that the wanted libraries are linked. But several things change in version 3.0.3. First of all, the parameters of the main configuration script changed in the following way:
--with-openssl-includes -> --with-openssl-include-dir
--with-openssl-libraries -> --with-openssl-lib-dir
Unfortunately, this parameter change has been done only for the main configuration script, but not for the modules. Concerning the modules, rlm_otp is the only module which offers configuration parameters for OpenSSL directories, and this module still uses the old parameter names in 3.0.3 and in the git version from today. There is an easy workaround for this problem: Simply pass both (old and new) parameters to the main configuration script!
However, there is another problem which causes the make process to fail; the problem occurs with rlm_always first:
> CC /home/freeradius/freeradius-server-3.0.3/src/modules/rlm_always/rlm_always.c
> In file included from /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/radiusd.h:59,
> from /home/freeradius/freeradius-server-3.0.3/src/modules/rlm_always/rlm_always.c:27:
> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:39:25: error: openssl/err.h: No such file or directory
> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:41:30: error: openssl/engine.h: No such file or directory
> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:43:25: error: openssl/ssl.h: No such file or directory
I already tried to use an environment variable CPPFLAGS="-I /opt/openssl/include" for the main configure script, but that did not help. What else can I do to convice FreeRADIUS to use the correct OpenSSL system?
Thanks in advance,
More information about the Freeradius-Users