undefined reference to `SSL_set1_host'

[dragoonis]

Read the FAQ first: https://github.com/edenhill/librdkafka/wiki/FAQ

Description

undefined reference to `SSL_set1_host'

FYI, I've read this already, #2524

How to reproduce

Full details here: https://gist.github.com/dragoonis/7b265ae4856b06b7698e608c0b7a3da2

Run ./configure

IMPORTANT: Always try to reproduce the issue on the latest released version (see https://github.com/edenhill/librdkafka/releases), if it can't be reproduced on the latest version the issue has been fixed.

Same applies to latest version. Seems like an issue with my docker container env and not your library, so I need to understand how to make my host system give your library what it wants :-)

Dockerfile:

FROM alpine:3.8

RUN apk add --no-cache \
            build-base \
            openssh-client \
            openssl && \

       apk add --no-cache --virtual .build-deps \
            php7-dev \
            curl-dev \
            libressl-dev \
            make \
            autoconf \
            gcc

RUN /install/librdkafka.sh (the script posted on my gist)

Checklist

IMPORTANT: We will close issues where the checklist has not been completed.

Please provide the following information:

• librdkafka version (release number or git tag): `v1.3.0

[edenhill]

What's your libssl-dev/OpenSSL version?

[dragoonis]

Hey @edenhill, welcome to 2021 🥳

We're picking this up now and it's quite time sensitive now. Hopefully you're able to help us figure out the error listed above.

As for: libssl-dev/OpenSSL version?

# openssl version
OpenSSL 1.0.2u  20 Dec 2019

# apk info openssl
openssl-1.0.2u-r0 description:
Toolkit for SSL v2/v3 and TLS v1

This is our Dockerfile: https://gist.github.com/dragoonis/701d6953cd072f4f6417d619719c30bd

Does this help? Do you need more information?

I seen this issue: #2524 - and I noticed we're compiling with libressl-dev if we switch to openssl-dev how will this impact things?

I'm wondering why we're using libressl-dev in the first place, do you know why people commonly use libressl and not openssl?

[dragoonis]

Update, i tried moving from libressl-dev to openssl-dev but php7-curl package has a conflict:

#14 1.168 ERROR: unsatisfiable constraints:
#14 1.178   libressl-dev-2.7.5-r0:
#14 1.178     conflicts:
#14 1.178                openssl-dev-1.0.2u-r0[pc:libcrypto=2.7.5]#14 1.178                openssl-dev-1.0.2u-r0[pc:libssl=2.7.5]
#14 1.178                openssl-dev-1.0.2u-r0[pc:openssl=2.7.5]
#14 1.178     satisfies: curl-dev-7.61.1-r3[libressl-dev]
#14 1.178                libssh2-dev-1.9.0-r1[pc:libcrypto]
#14 1.178                libssh2-dev-1.9.0-r1[pc:libssl]
#14 1.178   openssl-dev-1.0.2u-r0:
#14 1.178     conflicts:
#14 1.178                libressl-dev-2.7.5-r0[pc:libcrypto=1.0.2u]
#14 1.178                libressl-dev-2.7.5-r0[pc:libssl=1.0.2u]

[edenhill]

If there's something missing in libressl (compared to OpenSSL) you will need to submit a PR with #ifdef guards.

[dragoonis]

Hi @edenhill,

We're not in a position to be modifying core SSL libraries. I noticed in #2524 the solution you mentioned was to come off of libressl. Is there another way? Right now we seem to be locked onto libressl due to the php-ext-curl dependency.

Please help, as this is now blocking us from natively using librdkafka, and instead we're using some Java library which pulls messages and invokes PHP CLI commands with the data via STDIN (it's weird).

Thanks

[edenhill]

I mean to create a PR on librdkafka to support libressl, e.g., something like this:
https://github.com/edenhill/librdkafka/blob/master/src/rdkafka_ssl.c#L1365

[dragoonis]

Sure, I can give it a try, with some direction from you along the way.

https://github.com/edenhill/librdkafka/blob/cb69d2a8486344252e0fcaa1f959c4ab2d8afff3/src/rdkafka_ssl.c#L455-L473

Here's the code which sets the value, I think what we need to do here is SKIP the call to SSL_set1_host. If that's correct (please confirm), then we just need to skip it.

As per your link to: https://github.com/edenhill/librdkafka/blob/master/src/rdkafka_ssl.c#L1365

#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)

We could wrap the code so it looks like this:

#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
         if (!SSL_set1_host(rktrans->rktrans_ssl, name)) 
                 goto fail; 

Is this what you had in mind? If not please be more specific on what the if should look like. Thanks!

[edenhill]

Yep, that looks okay.

[dragoonis]

@edenhill am I branching from master ? Just want to confirm. I will go ahead now and do it anyway.

[edenhill]

yes

[edenhill]

Please also verify that it builds and runs correctly with only libressl installed, not openssl-dev.

[dragoonis]

👍