On Sun, May 04, 2014 at 11:59:55PM +0100, Matt Caswell wrote:

> > As far as I understand if you want to have both -lssl -lcrypto you
> > should use "openssl" instead of "libssl"?
> >
> > Anyway, I think this makes perfect sense and if things break it's
> > easy enough to fix it.
> 
> I'd be interested to hear what other people think about this. I have
> to say I was in two minds about it.

The OpenSSL documentation does not indicate which "-l" option provides
a particular function.  Here are some of the more commonly used whose
"origin" is not necessarily obvious:

    * OPENSSL_malloc(), OPENSSL_free() are in libcrypto.

    * The thread callbacks are in libcrypto.

    * The tmp_dh and tmp_ecdh callbacks in SSL require applications
      to use libcrypto to construct appropriate objects for the callback.
      Without these, no server-side PFS support.

    * ERR_get_error() is in libcrypto, needed for error reporting.

    * OpenSSL_add_ssl_algorithms() is SSL_library_init from libssl,
      users who want SHA2 in OpenSSL 0.9.8 are advised to also call:
      OpenSSL_add_all_algorithms() from libcrypto.

    * SSLeay() is from libcrypto, used to sanity check or log version of
      either library at run-time.  Provided by libcrypto.

    * RAND_seed() is in libcrypto.

    * SSL applications that perform certificate name checks (should be most),
      need X509 interfaces from libcrypto.  Even if one only logs the peer
      subject name or computes the certificate digest, that's libcrypto.
      Setting up automatic name checks in the new 1.0.2 API may still
      require libcrypto.

I can dig up more reasons why few realistic applications can get
by with explicit linkage to libssl alone.  Since even those that
only directly drag in symbols from libssl still ultimately depend
on libcrypto, the cost of explicitly including -lcrypto seems to
me to be outweighed by the benefit of making life easier for users
by always providing both.

What is the motivation to attempt to avoid "-lcrypto" here?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
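
An added example, not part of the original message: one way to check which "-l" option supplies each symbol an application imports, by resolving `nm -D` style listings against each library's exports. The listings are constructed for illustration, and `parse_nm` and `link_flags` are hypothetical helper names.

```python
# Constructed `nm -D` style listings, not taken from a real build.
LIBSSL_NM = """\
0000000000031a40 T SSL_library_init
0000000000032b10 T SSL_CTX_new
                 U ERR_get_error
"""
LIBCRYPTO_NM = """\
00000000000a1000 T ERR_get_error
00000000000a2200 T RAND_seed
00000000000a3300 T SSLeay
"""
APP_NM = """\
                 U SSL_library_init
                 U SSL_CTX_new
                 U ERR_get_error
                 U RAND_seed
                 U SSLeay
                 U printf
"""
LIBS = [("-lssl", LIBSSL_NM), ("-lcrypto", LIBCRYPTO_NM)]

def parse_nm(text):
    """Return (defined, undefined) symbol sets from `nm -D` output."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "U":
            undefined.add(fields[1])
        elif len(fields) == 3 and fields[1] in ("T", "W", "D", "B", "R"):
            defined.add(fields[2])
    return defined, undefined

def link_flags(obj_nm, libs=LIBS):
    """Resolve obj_nm's undefined symbols against libs, in link order.

    Returns (flags needed, {symbol: flag}, symbols no listed library defines).
    """
    exports = [(flag, parse_nm(text)[0]) for flag, text in libs]
    providers, unresolved = {}, set()
    for sym in parse_nm(obj_nm)[1]:
        owner = next((flag for flag, syms in exports if sym in syms), None)
        if owner is None:
            unresolved.add(sym)
        else:
            providers[sym] = owner
    flags = [flag for flag, _ in exports if flag in providers.values()]
    return flags, providers, unresolved
```

Calling `link_flags(LIBSSL_NM)` on the library listing itself shows the transitive case: the constructed libssl imports `ERR_get_error`, which only libcrypto defines.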
