[PATCH 1/1] Just warn if linked libssl is more recent

Christian Hesse list at eworm.de
Tue Jun 17 09:43:57 CEST 2014

Arran Cudbard-Bell <a.cudbardb at freeradius.org> on Tue, 2014/06/17 08:31:
> On 17 Jun 2014, at 07:12, Christian Hesse <list at eworm.de> wrote:
> > From: Christian Hesse <mail at eworm.de>
> > 
> > Even if dynamic linking is just fine, radiusd fails after every openssl
> > update. (Distribution toolkits do not detect this, so distribution
> > packages break on a regular basis.)
> > This changes behavior so that it still fails on library downgrade, but
> > just warns if openssl library has been upgraded.
> The point of adding the check, was because even minor versions of libssl
> had changes which broke ABI compatibility.
> I'm not sure how your suggestion helps? If there's any change in libssl
> version it could cause ABI incompatibility, it doesn't matter if it's
> an upgrade or downgrade.

I had thought this is to fetch cases where libssl version changes and
introduces any (possibly old) security vulnerabilities.

In theory ABI should stay compatible with minor updates. And major updates
should break if dynamic linking breaks.
Or did that happen when system toolchain (gcc and friends) was updated?

Still the question is whether freeradius should break on ABI incompatibility
change (which should still give a warning with my patch) or break on *every*
openssl update, regardless of whether or not ABI changed.

Searching for "freeradius libssl version mismatch" gives a lot of matches, so
looks like this is a real issue.
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
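
The two policies debated in this thread, side by side, as an added example that is not part of the original message and is not FreeRADIUS code. It assumes OpenSSL 1.0.x's `0xMNNFFPPS` version encoding; the function names, enum names and sample version numbers are constructed for illustration.

```c
#include <stdio.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter, status nibble, so a plain integer compare orders releases. */
typedef enum { SSL_CHECK_OK, SSL_CHECK_WARN, SSL_CHECK_FAIL } ssl_check_t;
typedef enum { POLICY_STRICT, POLICY_WARN_ON_UPGRADE } ssl_policy_t;

/* Most significant version field that differs, or NULL if identical. */
static const char *ssl_version_diff(unsigned long built, unsigned long linked)
{
	unsigned long x = built ^ linked;

	if (x & 0xf0000000UL) return "major";
	if (x & 0x0ff00000UL) return "minor";
	if (x & 0x000ff000UL) return "fix";
	if (x & 0x00000ff0UL) return "patch";
	if (x & 0x0000000fUL) return "status";
	return NULL;
}

/* POLICY_STRICT: any difference is fatal (refuse to start after every update).
 * POLICY_WARN_ON_UPGRADE: a downgrade is fatal, an upgrade only warns. */
static ssl_check_t ssl_version_check(unsigned long built, unsigned long linked,
				     ssl_policy_t policy)
{
	if (built == linked) return SSL_CHECK_OK;
	if (policy == POLICY_STRICT) return SSL_CHECK_FAIL;
	return (linked > built) ? SSL_CHECK_WARN : SSL_CHECK_FAIL;
}

int main(void)
{
	static const char *verdict[] = { "ok", "warn", "fail" };
	/* Constructed samples: built against 1.0.1g, linked 1.0.1g / 1.0.1h / 1.0.1f.
	 * A real daemon would compare OPENSSL_VERSION_NUMBER with SSLeay(). */
	unsigned long built = 0x1000107fUL;
	unsigned long linked[] = { 0x1000107fUL, 0x1000108fUL, 0x1000106fUL };
	size_t i;

	for (i = 0; i < sizeof(linked) / sizeof(linked[0]); i++) {
		const char *field = ssl_version_diff(built, linked[i]);

		printf("built %08lx linked %08lx differs in %-6s strict=%s warn-on-upgrade=%s\n",
		       built, linked[i], field ? field : "none",
		       verdict[ssl_version_check(built, linked[i], POLICY_STRICT)],
		       verdict[ssl_version_check(built, linked[i], POLICY_WARN_ON_UPGRADE)]);
	}
	return 0;
}
```

A numerically newer library is not proof of a compatible ABI, which is the objection in the quoted reply; reporting the differing field lets the log message show how large the version jump was.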