Hello,

* Erik Melkersson ([EMAIL PROTECTED]) wrote:
> Geoff Thorpe wrote:
> >... The kind of linker
> >error you report usually suggests the code was compiled against one
> >openssl version's headers, but is trying to link against a different
> >openssl version's libraries....
> 
> Yes, I tried to compile it against a different openssl version and didn't 
> make clean in between (dumb fault by me)

Ah, that would've helped :-)

> After cleaning and compiling again we get some other errors.
> undefined reference to OPENSSL_free, RAND_egd and RAND_status (see below 
> for complete data)

Erm ...

> In order to make apache compile we
> - changed OPENSSL_free to CRYPTO_free in a #define in the modules/ssl/ 
> headers file. (As that is done in openssl anyway)
> - commented out the 3+3 lines where RAND_egd and RAND_status are used in 
> modules/ssl/ssl_engine_rand.c

None of this should be required if you are compiling against a matching
set of openssl headers and libraries. I suggest for your own benefit
that you get to the bottom of the problem rather than using the tricks
you have - it is known (and in fact reiterated time after time by myself
and other openssl developers) that no binary compatibility should be
assumed from one openssl release to the next until at least version 1.0.
So if you've had to hack to get past the linker stage, and you're so far
lucky enough to have the basic functionality "ok" at run-time without
any noticeable explosions, you could still be sitting on a behavioural
time-bomb.

BTW: What you've done w.r.t. RAND_*** functions could cause your server
to either (a) fail handshakes with certain client browsers due to PRNG
problems, or worse (b) appear to negotiate fine with everyone despite
using insecure parameters. Which of those risks is greater rather
depends on how you've hacked apache2's code, but either way it shouldn't
be required if your build environment (and openssl installation) is ok.

> Now we can compile and use it over ssl even though commenting out non 
> working code is probably a bad thing to do.

It is, and it could bite you in unknown ways later on. I'd recommend
figuring out why you had to do the things you did to get apache working
- it should be very straightforward and require no such hacking.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
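The mismatch Geoff describes (code compiled against one openssl version's headers but linked against another version's libraries) is easy to catch before the linker stage. The script below is an added example, not code from this thread or from mod_ssl: it pulls the version string out of an opensslv.h-style header, pulls the version out of the text printed by `openssl version`, and reports a mismatch instead of letting the build proceed. The header contents and the version output it is fed are constructed sample data; on a real machine you would point `header_version` at the opensslv.h that your build picks up and feed `library_version` the output of the `openssl` binary whose libraries you link against.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the OpenSSL
# version baked into the headers a build compiles against with the version
# of the library it links against. All inputs below are constructed.

# Print "X.Y.Zx" from an opensslv.h-style header. The real header carries a
# line such as:  #define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"
header_version() {
    # $1: path to the header file
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' "$1" | head -n 1
}

# Print "X.Y.Zx" from the text printed by `openssl version`,
# e.g. "OpenSSL 0.9.6b 9 Jul 2001" -> "0.9.6b".
library_version() {
    # $1: the version string as printed by the openssl binary
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 when both versions are present and identical, 1 otherwise.
# An exact match is required: the thread's point is that no binary
# compatibility is promised between releases before 1.0.
versions_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Demo with constructed data: headers from one release, library from another.
# Returns 0 on agreement, 1 on mismatch, so a build script can stop early.
check_build() {
    hdr=$(mktemp)
    printf '#define OPENSSL_VERSION_NUMBER 0x0090704fL\n#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"\n' > "$hdr"
    h=$(header_version "$hdr")
    l=$(library_version "OpenSSL 0.9.6b 9 Jul 2001")
    rm -f "$hdr"
    if versions_match "$h" "$l"; then
        echo "headers ($h) and library ($l) agree"
        return 0
    else
        echo "MISMATCH: headers are $h but library is $l; make clean and rebuild against one install" >&2
        return 1
    fi
}

check_build
```

Run with the real paths on the build host and wire the exit status into the build: a non-zero result means the headers and library come from different installs, which is exactly the situation in which "undefined reference" errors, or the need to rename OPENSSL_free or comment out RAND_egd and RAND_status calls, show up.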
