-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error compiling curl with my own openssl version #1420
Comments
Ref: #1035
Are you sure, did you ls? -ldl is needed by -lssl in your case. The pkg-config for openssl needs the --static flag to return -ldl as part of the --libs output. curl configure script does not use
That should compile and not show any dynamic libs. Take away the
If you have dynamic openssl in a non standard location and you want curl to use that version then you could add an rpath. LDFLAGS="-Wl,-rpath,/usr/local/ssl/lib" ./configure --with-ssl=/usr/local/ssl If you have static openssl you should be able to just build it, I think maybe some dynamic libs are found in the path first which is causing this problem. That could be an issue if say your zlib lib location /usr/lib64 also contains dynamic openssl libs, since zlib is detected before openssl and therefore -L/usr/lib64 comes before -L/usr/local/ssl/lib. |
On second thought that -ldl test may not be correct for OpenSSL 1.1.0 because it tests for |
It does - when building. You need to make sure that those are then also used when you run curl/libcurl as the build process does not set a fixed search path. You must set that appropriately yourself with |
Disclaimer: I'm a developer myself and I know build systems, the autotools suite, the internals of a compiler and a linker. I believe you missed a few critical pointers in my post, but maybe I just crammed to much info in a single post. This was my mistake, so let's forget about libcurl (dynamic library) for now and circle back later (or I can also create another ticket).
Yes I am sure. openssl prior to version 1.1.0 only builds a shared library, if explicitly set during
The config.log output shows that it is testing This means the build process is broken. Here is the problem: It does not use my libraries for the test at all, because This is also the reason why
Finally, a working curl executable. However, as you can see from the version info, it's using the wrong openssl:
It says So, let's summarize: I used a configure option to specify my openssl release, which results in an error during compilation of curl. After manual intervention the binary could be built, but it uses the wrong openssl release. I am sorry to say, but the build process is broken. Last but not least, I still owe you the result of your test:
ldd still shows the 2 system's openssl libraries. But this was to be expected, because your compile command is wrong. It must look like this:
|
Oops I meant
I see. I don't know what we could do to make things better for you, short of moving the zlib detection after OpenSSL. But say we did that, then anyone who has the reverse situation may be affected, and the wrong zlib could be included. Also I think some other libs depend on zlib, and OpenSSL may be one of them depending on how it's built. So maybe it is right to be searched for first. Try doing it manually like |
My guess this is because the linker then already had found and used your shared one in your default paths and that worked fine to link without -ldl... |
I use my static OpenSSL library for Apache httpd, PHP, dovecot, sendmail, OpenSSH, and other projects.
It did not work. Same error as before. |
Be it as it may, but it also means it is still broken. I specified the ssl directory. I do not care what a broken process found. If I tell configure to use my ssl for a package, I can excpect the package to use my ssl. If it doesn't, something is broken. Also, please note that setting a LD_LIBRARY_PATH or using and rpath linker flag will not work. I am using a static OpenSSL library, and as you can see from my previous comment, it works just great for all other projects that I compile manually on my server. |
That may be but what exactly do you want us to do here. You have two OpenSSLs and the library path for the one you don't want is used before the one you do.
I'll check on this, it may be because the zlib ldpath is prepended instead of appended for some reason. |
Everybody, who uses their own openssl, also has the system's ssl libraries in the system's library location. (Most people use their own ssl, because the system's ssl is way too old. Still there are a few dependencies that do not allow you to just replace the openssl that comes with the system.) What I could ascertain so far is that curl seems to exclusively use dynamic libraries and it doesn't care about the location someone specifies at all. So I still don't understand what your ssl options do or are supposed to do. If they are supposed to change the ssl curl is using, it is not working. Everybody can use a LD_LIBRARY_PATH hack after the fact, but if one uses a configure option, one shouldn't have to do that. Furthermore, this hack won't work for static libraries. So what I want is rather simple and should be obvious: I want curl to use the OpenSSL I specified. |
Many, sure, but far from "everybody". Remember that curl builds and runs on virtually any operating system you can think of. Many do not ship openssl as a system library.
We don't impose people "this hack", but we don't build libcurl to use hard-coded paths to shared libraries.
Fixing so that you load the right shared library at run-time is not a hack. But as @jay described before: the configure script really sets it out to fix shared builds, as hunting dependencies for static builds is a really tough job we've just not tried to keep up with. When building statically, the easiest way is to simply provide the extra deps as "LIBS=blablabla ./configure" |
This comment is quite long, so please bear with me.
This is true, but when it comes to Linux I have disagree. Every Linux distro (even Linux from Scratch and Gentoo variants) have their own openssl packages. That's because a lot of other packages rely on them. Openssl is an integral part of every Linux distro and it is almost impossible to replace them, except for updates created by the distro packagers (and they won't do upgrades from 1.0.1 to 1.0.2). The only chance you have is to use a newer version in parallel.
This is fine, unless people specify their own OpenSSL, in which case you have to hard-code the path to their libs, because you want curl to use the libs they specified. Otherwise the configure options to specify your own openssl is of no use.
The point is you don't have to hunt for dependencies with static libraries, because you know what is needed. I will explain this a bit further down (in the separate section).
As you can see from my previous comments, I tried that and it didn't work.
Unfortunately it didn't work. Here's the new config.log. Maybe I'm ignorant, or biased when it comes to standards as a former IBM employee for almost 2 decades, but this is how a package should deal with dependencies and 3rd party libs: I will use curl/libcurl and openssl as an example. There are 2 options, when it comes to 3rd party libs: static and dynamic staticIf your package creates a shared object / dynamic library (libcurl), the static openssl libraries must be linked to that shared object (hint: The same is true for the binary (curl). The binary must not reference a dynamic openssl library (which was never specified in the configure option), but include the static openssl libraries. In this case you have a valid curl/libcurl package that uses the specified openssl (3rd party libs). dynamicThis is more straight forward than dealing with static libs, but it still requires you to reference the libraries which were specified in the configure option. As a builder you define what to use, thus the binay and shared object must reference (hard-coded paths) the libraries that are supposed to be used. Otherwise curl and libcurl will use libraries you have never specified nor wanted to be used. Again, in this case you have a valid curl/libcurl package that uses the specified openssl libraries. I really would like your input on this. Doesn't this make sense? There are no drawbacks in this approach. Everything will still be contained and in perfect working order. |
Thank you for the lecture. I think this will be much more productive if we instead work on fixing the bugs we see and improve the scripts to work better where we see room for improvement. You're help and assistance in doing that is appreciated. Now, what I haven't worked out in your config.log and that seems to be the reason why the openssl lib detection finds the "wrong" library is this exact snippet:
Where does the |
I thought I should mention it, because curl's build process ignores all of these guidelines.
That is also why I wanted your opinion on what I wrote because I thought an objective discussion would be productive.
I checked my entire system and I do not know where it comes from. It is the standard lib directory on Fedora, Redhat and CentOS, but I did not specify it in an env variable nor is it set system wide. But I think the autotools are responsible and did that in an earlier step. When configure checks for a library and it is found, the directory of the library is added to LDFLAGS or CPPFLAGS. I have to look into it, but there are ways to adjust the behaviour. |
No it doesn't. It did make you sound like a smartass because the configure script is the collected result of twenty years of tweaking and working on dozens of operating systems with dozens of third party libraries with numerous compilers and literally millions of build combinations and you come here with sweeping generalizations and talk, while actually making a working configure script that actually does what everyone wants everywhere is tricky. We can't ignore the edge cases and we can't ignore that everything isn't Linux. We can't ignore that linking with shared vs static libraries is often transparent and that building with static libs is icky. Nobody wants the configure script to be complicated or hard to command, but it is very hard to prevent it from becoming so. So again, I ask you to instead select specific issues you think is wrong and suggest improvements on those. One by one preferably.
Still something does, which effectively breaks configure's ability to detect openssl if it also exists in /usr/lib64 ... For this case at least, a possible fix might be to prepend the OpenSSL --- a/configure.ac
+++ b/configure.ac
@@ -1504,11 +1504,11 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
fi
fi
dnl finally, set flags to use SSL
CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
- LDFLAGS="$LDFLAGS $SSL_LDFLAGS"
+ LDFLAGS="$SSL_LDFLAGS $LDFLAGS"
AC_CHECK_LIB(crypto, HMAC_Update,[
HAVECRYPTO="yes"
LIBS="-lcrypto $LIBS"
],[ |
@bagder I think we should consider always appending to LDFLAGS and never prepending, so that the user's LDFLAGS that they set beforehand will take precedence. As I mentioned earlier it could be zlib pkg-config is returning -L/usr/lib64. This should be fairly simple to check, I think the problem here, if we have any problem, is that we prepend to LDFLAGS and CPPFLAGS in some cases, and that stops the user's LDFLAGS from coming first and taking precedence. Which would best be solved by this, I think diff --git a/configure.ac b/configure.ac
index b492a29..0637cd0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -898,8 +898,8 @@ else
if test "$PKGCONFIG" != "no" ; then
LIBS="`$PKGCONFIG --libs-only-l zlib` $LIBS"
- LDFLAGS="`$PKGCONFIG --libs-only-L zlib` $LDFLAGS"
- CPPFLAGS="`$PKGCONFIG --cflags-only-I zlib` $CPPFLAGS"
+ LDFLAGS="$LDFLAGS `$PKGCONFIG --libs-only-L zlib`"
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags-only-I zlib`"
OPT_ZLIB=""
HAVE_LIBZ="1"
fi If we changed all CPP/LDFLAGS like that then in a case like this the user can specify their own LDFLAGS on the command line to force their libdir order. |
We actually know that isn't the case. If we check @tessus' config.log, we can see that there are several compile commands run after the zlib checks and they don't use that -L option so it is something later. The snippet I showed above (just after the LDAP libraries check) is the first occurance of it but I haven't figured out which particular logic that sets it. |
I disagree. You're forgetting configure compile commands that don't link (eg testing for a header) don't include LDFLAGS. So it could be zlib. I don't know what else it could be except something in acinclude, but there's no mention of LDFLAGS there. |
sorry for my late response. I've been very busy today and won't be able to run the tests now, but I will test both of your patches tomorrow (Friday). |
Oh yes, thank you. You're right of course. So it can indeed be the pkg-config for zlib. @tessus could try |
Here are the results: @bagder's patch: nope, see config.patch2.log original configure.ac with
|
Right, my patch won't work alone since your zlib pkg-config probably messes up things and we know only My patch (#1427) plus |
Oh, or alternatively you could try this without my patch:
|
the version and ldd output is the same as in #1420 (comment) |
- Change prepends to appends because user's LDFLAGS and CPPFLAGS should always override ours. Bug: curl#1420 Reported-by: Helmut K. C. Tessarek
- Change prepends to appends because user's LDFLAGS and CPPFLAGS should always come first so they're searched before ours. Bug: #1420 Reported-by: Helmut K. C. Tessarek
Yes, it does.
I also did a
Ok, I can try to disable building a shared curl lib. In that case curl should be linked against the static one, right? But this only solves part of the issue, I think. One question: if I want my static openssl libraries be used, shouldn't the static openssl libraries be included in the dynamic libcurl? I mean, let's say I didn't have any dynamic openssl libraries on the system, how would a dynamic libcurl (which is built by default) make use of openssl?
Isn't the rpath only used for dynamic libraries? |
I see what you are saying:
Still my question remains: if I wanted my static openssl libraries be used, shouldn't the static openssl libraries be included in the dynamic libcurl? I mean, let's say I didn't have any dynamic openssl libraries on the system, how would a dynamic libcurl (which is built by default) make use of openssl? |
Your CPPFLAGS should be CPPFLAGS=-I/usr/local/ssl/include
Your
Yes, that's correct. I built a shared libcurl with static OpenSSL 1.0.2 in Ubuntu 16 x64 and do not have the same problem that you do, ie my system openssl was not used. I wonder if because you have libssh2 if that's using your dynamic system OpenSSL and that's why you see it in ldd. Try running |
hmm, libssl also needs the system's libcrypto...
|
sorry, clicked the wrong button |
forget my previous comment that libssl also needs the system's libcrypto |
Your output shows shared libcrypto and libssl are not direct dependencies of libcurl. libssh2 is using shared libcrypto. If you go through the |
It seems this has been largely a ghost chase lately and libcurl does indeed link with the correct openssl. A reminder that |
@tessus do you have any more information on this? |
it seems that libssh wants to use libcrypto. I've been trying to get rid of this dependency, but is seems more complicated than I thought. |
libssh2 can be built with different backends as well, and one of them is openssl/libcrypto indeed. |
just tried to do the same thing with 7.54.0 and I get this during config:
with 8b03436 both show 1.0.2. |
(This git hash above marks the time when jay or you asked me to try from git master.) |
Since 338f427 (added after 7.54) what you specify in CPPFLAGS and LDFLAGS should always come first. You could report the pkg-config adding -Lsyspath problem to Fedora but I think your OS is EOL (if judging by the fc20 it's Fedora 20). FWIW Fedora 25 doesn't have this problem. |
The reason why I wanted to compile curl myself is because my OS is EOL and it's using ancient openssl and curl versions. I'm at a loss here. Apparently I can only get it working when using a package from a recent distro. Not really what I expected, but I guess I will have to live with it. I know, it's not your fault. I'm just very disappointed. |
I don't understand how you can't compile curl properly though. The changes already made should allow you to compile it the way you want. As mentioned you'll have to use LIBS/LDFLAGS/CPPFLAGS and I'd guess in your case with static openssl in /usr/local/ssl and curl install dest /usr/local it's going to look like this:
From your more recent output I see that libcurl does not directly depend on old dynamic OpenSSL, so it's some other library. If you need to build a revision earlier than 338f427 (eg 7.54) then you can cherry pick that commit. |
Yep, it works with 8b03436 but not with git master. So you must have reverted something in between. |
I think you misunderstood my earlier comment. It was workig at some point. That was with commit 8b03436. Then I was still using this commit for all the following tests. Now I tried the same with git master, and it is not working anymore. So whatever you changed to make it work, is now gone, otherwise it would still work.... |
Ah, I did. You've got me stumped. Check your master pointer, see if it's in sync with upstream/master, and that you run ./buildconf after checkout. There have only been two changes to configure since then, 4da846a and 6c7f1f7 but I don't see how they could affect this. |
I actually used the 7.54.0 distribution tarball from https://curl.haxx.se/download/curl-7.54.0.tar.gz |
I have two directories. one is the tarball 7.54.0 and the other is the above commit point. and if I run the same command I in the 7.54.0 dir, I get this:
in the other directory, I get this:
|
I'll try to check the config.log and try to figure out what's happening. but I'm a bit tired today. I'll do it tomorrow. |
maybe you can re-open this issue until we have resolved this? |
As far as I can tell this is resolved, if you can demonstrate there is still an issue that is reproducible in a commit later than 338f427 then we can reopen. |
I did this
./config -fPIC
./configure --with-ssl=/usr/local/ssl
see config.logmake abended:
I changed the order of the library paths and added -ldl:
This worked.
However, as you can see the curl output still reports the wrong openssl version:
The curl binary is static, so I have no idea which libraries were really linked.
Checking the shared library:
As you can see, the shared library references my system's openssl libraries and not the ones which I specified in the configure option.
configure found my openssl libraries, but I can also see another issue here:
checking OpenSSL linking without -ldl
->result: yes
This can't be true, because I only have static openssl libraries in
/usr/local/ssl/lib
.I also tried to create and use shared openssl libraries, but this changed nothing in regards to curl. The same error occurs and still only the system's openssl libs are referenced.
I expected the following
curl/libcurl version
curl-7.53.1 - https://curl.haxx.se/download/curl-7.53.1.tar.gz
operating system
Linux 3.16.3-200.fc20.x86_64 #1 SMP Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
The text was updated successfully, but these errors were encountered: