How to link to openssl if two versions of libssl are on the system, when building FreeRadius on Debian wheezy 7.4?
Hi. This is what I have: I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary package. Already installed on the normal location /usr/lib. => Heartbleed bug. I did build from tar.gz file, OpenSSL 1.0.1*g *and installed it on /usr/local/ . This is the default --prefix in the ./config of OpenSSL I built freeradius using the following configure command : ./configure --with-openssl-includes=/usr/local/ssl --with-openssl-libraries=/usr/local/ssl/lib and without the allow_vulnerable_openssl = yes I still get freeradius want to run on OpenSSL 1.0.1e instead of 1.0.1g , and of course it will refuse, then, to run beacause of the heartbleed bug. Also, I did tell ldconfig in /etc/ld.so.conf about the path "/usr/local/ssl/lib" just to make freeradius use OpenSSL 1.0.1g , I still get it from /usr/lib instead.. So how should I exactly link it to 1.0.1g?
Rani Ahmed wrote:
I did build from tar.gz file, OpenSSL 1.0.1*g *and installed it on /usr/local/ . This is the default --prefix in the ./config of OpenSSL I built freeradius using the following configure command :
./configure --with-openssl-includes=/usr/local/ssl --with-openssl-libraries=/usr/local/ssl/lib
That should generally work.
Also, I did tell ldconfig in /etc/ld.so.conf about the path "/usr/local/ssl/lib" just to make freeradius use OpenSSL 1.0.1g , I still get it from /usr/lib instead..
So how should I exactly link it to 1.0.1g?
In version 2.2, you don't. Sorry. The reason is libtool. We use libtool as a cross-platform linker. However... it decides randomly to re-write link targets, based on it's own bizarre ideas about what to do. In version 3, we've gotten rid of libtool. As a result, your scenario works there. I use it that way every day. Alan DeKok.
thank you all for this quick response.. i'll try to move to version 3 On Fri, May 16, 2014 at 4:03 PM, Alan DeKok <aland@deployingradius.com>wrote:
Rani Ahmed wrote:
I did build from tar.gz file, OpenSSL 1.0.1*g *and installed it on /usr/local/ . This is the default --prefix in the ./config of OpenSSL I built freeradius using the following configure command :
./configure --with-openssl-includes=/usr/local/ssl --with-openssl-libraries=/usr/local/ssl/lib
That should generally work.
Also, I did tell ldconfig in /etc/ld.so.conf about the path "/usr/local/ssl/lib" just to make freeradius use OpenSSL 1.0.1g , I still get it from /usr/lib instead..
So how should I exactly link it to 1.0.1g?
In version 2.2, you don't. Sorry. The reason is libtool. We use libtool as a cross-platform linker. However... it decides randomly to re-write link targets, based on it's own bizarre ideas about what to do.
In version 3, we've gotten rid of libtool. As a result, your scenario works there. I use it that way every day.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary package. Already installed on the normal location /usr/lib. => Heartbleed bug.
Debian's openssl 1.0.1e packaged has been patched, so it's not vulnerable if you're up-to-date with the latest package. They, like other distributions, annoyingly don't update the version number. So you have to set
allow_vulnerable_openssl = yes
If you build FR from source as a package, this is all sorted for you - the allow_vulnerable_openssl is automatically set, because the built backage will depend on the correct (patched) version of openssl. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 16 May 2014, at 14:24, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary package. Already installed on the normal location /usr/lib. => Heartbleed bug.
Debian's openssl 1.0.1e packaged has been patched, so it's not vulnerable if you're up-to-date with the latest package.
They, like other distributions, annoyingly don't update the version number. So you have to set
allow_vulnerable_openssl = yes
If you build FR from source as a package, this is all sorted for you - the allow_vulnerable_openssl is automatically set, because the built backage will depend on the correct (patched) version of openssl.
No, this had to be removed because it broke ubuntu builds. -Arran
On Fri, May 16, 2014 at 02:45:24PM +0100, Arran Cudbard-Bell wrote:
On 16 May 2014, at 14:24, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary package. Already installed on the normal location /usr/lib. => Heartbleed bug.
Debian's openssl 1.0.1e packaged has been patched, so it's not vulnerable if you're up-to-date with the latest package.
They, like other distributions, annoyingly don't update the version number. So you have to set
allow_vulnerable_openssl = yes
If you build FR from source as a package, this is all sorted for you - the allow_vulnerable_openssl is automatically set, because the built backage will depend on the correct (patched) version of openssl.
No, this had to be removed because it broke ubuntu builds.
Why? It's not as if anyone uses Ubuntu for anything serious. ;) First statement still stands, though. Distro version numbers are stupidly confusing, and not at all helpful in this situation. As long as the packages are up-to-date, whatever the version stated, the system is probably not vulnerable anyway - check distro package release notes/changelog. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Rani Ahmed