Some inconsistencies concerning OpenSSL include configuration in FRS 3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Jul 26 17:31:48 CEST 2014


On 26 Jul 2014, at 10:36, Dr. Andreas Rieke <rieke at isl.de> wrote:

> Hi,
> 
> due to the Heartbleed bug, I want the FreeRADIUS server to use my own (new) OpenSSL library, and not the (old) system include/lib files. According to the main configuration utility (parameters for openssl include and lib directories) and according to Alan DeKok's email from May 16 (How to link to openssl if two versions of libssl are on the system, when building FreeRadius on Debian wheezy 7.4?) this should be possible:
> 
>> I use it that way every day.
> 
> However, this stopped working in my environment (CentOS) in the current 3.0.3 version of FRS; but let's start step by step with version 3.0.2. CentOS has its own packages for development purposes, for example openssl-devel; to be sure that FreeRADIUS does not include the wrong header file, I have removed this package. Thus, FreeRADIUS will either take the correct file or report a missing file.
> 
> In version 3.0.2 of FRS, there are two options for the configure script for that purpose (--with-openssl-includes=DIR and --with-openssl-libraries=DIR) which work well. However, there are a few small inconsistencies concerning the modules:
> - The configure script for rlm_eap_pwd is not able to find openssl/ec.h although the file is present in the folder given by the with-openssl-includes parameter to the main configure script:
>> checking for openssl/ec.h... no
>> checking for openssl/ec.h in /usr/local/include... no
>> checking for openssl/ec.h in /opt/include... no
>> checking for OpenSSL support... yes
> - The configure script for rlm_otp reports inconsistencies:
>> checking openssl/des.h usability... yes
>> checking openssl/des.h presence... no
>> configure: WARNING: openssl/des.h: accepted by the compiler, rejected by the preprocessor!
>> configure: WARNING: openssl/des.h: proceeding with the compiler's result
>> checking for openssl/des.h... yes
> - The configure script for rlm_wimax is not able to find openssl/hmac.h although the file is present in the folder given by the with-openssl-includes parameter to the main configure script:
>> checking openssl/hmac.h usability... no
>> checking openssl/hmac.h presence... no
>> checking for openssl/hmac.h... no
>> configure: WARNING: silently not building rlm_wimax.
>> configure: WARNING: FAILURE: rlm_wimax requires:  openssl/hmac.h.
> However, most modules in 3.0.2 compile well, and ldd makes sure that the wanted libraries are linked. But several things change in version 3.0.3. First of all, the parameters of the main configuration script changed in the following way:
> --with-openssl-includes -> --with-openssl-include-dir
> --with-openssl-libraries -> --with-openssl-lib-dir

Yep, to make them consistent with every other library the server uses.

> Unfortunately, this parameter change has been done only for the main configuration script, but not for the modules. Concerning the modules, rlm_otp is the only module which offers configuration parameters for OpenSSL directories, and this module still uses the old parameter names in 3.0.3 and in the git version from today. There is an easy workaround for this problem: Simply pass both (old and new) parameters to the main configuration script!

rlm_otp doesn't need a configure script, it should have been using the results of the main configure script.
I've removed the rlm_otp configure script.

> However, there is another problem which causes the make process to fail; the problem occurs with rlm_always first:
>> CC /home/freeradius/freeradius-server-3.0.3/src/modules/rlm_always/rlm_always.c
>> In file included from /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/radiusd.h:59,
>>                 from /home/freeradius/freeradius-server-3.0.3/src/modules/rlm_always/rlm_always.c:27:
>> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:39:25: error: openssl/err.h: No such file or directory
>> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:41:30: error: openssl/engine.h: No such file or directory
>> /home/freeradius/freeradius-server-3.0.3/src/freeradius-devel/tls.h:43:25: error: openssl/ssl.h: No such file or directory
> I already tried to use an environment variable CPPFLAGS="-I /opt/openssl/include" for the main configure script, but that did not help. What else can I do to convince FreeRADIUS to use the correct OpenSSL system?

You'd set it in Make.inc.

With v3.0.x head

Works for me with v3.0.x...

./configure --with-openssl-lib-dir=/usr/local/opt/openssl/lib --with-openssl-include-dir=/usr/local/opt/openssl/include
...
checking OpenSSL library and header version consistency... library: 1000108f header: 1000108f... yes
...

LINK build/lib/libfreeradius-radius.la
CC /Users/arr2036/Documents/Repositories/freeradius-server-master/src/tests/rbmonkey.c
LINK build/bin/rbmonkey
CC /Users/arr2036/Documents/Repositories/freeradius-server-master/src/modules/rlm_always/rlm_always.c
LINK build/lib/rlm_always.la

shinyhead:freeradius-server-master arr2036$ otool -L ./build/lib/.libs/rlm_otp.dylib 
./build/lib/.libs/rlm_otp.dylib:
	/usr/local/lib/rlm_otp.dylib (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService (compatibility version 1.0.0, current version 1.0.0)
	/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/local/lib/libtalloc.dylib (compatibility version 0.0.0, current version 0.0.0)
	/usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
	/usr/lib/libpcreposix.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
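
Added example, not part of the original message and not FreeRADIUS code: a POSIX shell sketch of the two post-build checks this thread relies on, decoding the version number printed by the configure consistency check and confirming from `ldd` or `otool -L` output that libssl/libcrypto resolve under the intended prefix. The function names, the `/opt/openssl` prefix used for the ldd case and the ldd listing itself are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): post-build checks for "which OpenSSL?".

# Decode an OpenSSL 1.0.x version number (hex layout MNNFFPPS), such as the
# "library: 1000108f" value printed by configure, into readable form.
decode_openssl_version() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac   # accept hex digits only
    [ "${#1}" -eq 8 ] || return 2
    v=$(( 0x$1 ))
    patch=$(( (v >> 4) & 0xff ))
    letter=
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c"$patch")
    fi
    case $(( v & 0xf )) in 15) status=release ;; 0) status=dev ;; *) status=beta ;; esac
    printf '%d.%d.%d%s %s\n' $(( (v >> 28) & 0xf )) $(( (v >> 20) & 0xff )) \
        $(( (v >> 12) & 0xff )) "$letter" "$status"
}

# Read `ldd` or `otool -L` output on stdin; print every libssl/libcrypto path
# that does not live under PREFIX. Returns 0 = all under PREFIX, 1 = stray
# library found, 2 = no OpenSSL library linked at all.
check_linked_openssl() {
    awk -v prefix="${1%/}/" '
        /lib(ssl|crypto)\./ {
            path = $1                       # otool form: path is first field
            for (i = 1; i < NF; i++)        # ldd form: "name => path (addr)"
                if ($i == "=>") path = $(i + 1)
            seen++
            if (index(path, prefix) != 1) { print path; bad++ }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Two lines from the otool output in the message, then a constructed ldd
# listing in which libssl still resolves to the system copy.
OTOOL_SAMPLE='  /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
  /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)'
LDD_SAMPLE='  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000000000)
  libcrypto.so.1.0.0 => /opt/openssl/lib/libcrypto.so.1.0.0 (0x00007f0000200000)'

decode_openssl_version 1000108f
printf '%s\n' "$OTOOL_SAMPLE" | check_linked_openssl /usr/local/opt/openssl && echo "otool sample: ok"
printf '%s\n' "$LDD_SAMPLE" | check_linked_openssl /opt/openssl || echo "ldd sample: stray OpenSSL above"
```

On a real build, pipe `ldd build/lib/.libs/<module>.so` (or `otool -L` on OS X) into `check_linked_openssl` for each built module; a non-zero status means at least one module is still bound to an OpenSSL outside the intended prefix, or to none.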
