In Makefile.ssl I find the following:

    @if [ -n "$(SHARED_LIBS)" ]; then \
        tmp="$(SHARED_LIBS)"; \
        for i in $${tmp:-x}; \
        do \
            if [ -f "$$i" ]; then \
            (   echo installing $$i; \
                cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
                chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
            fi \
        done; \
        (   here="`pwd`"; \
            cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
            make -f $$here/Makefile link-shared ); \
    fi

Because the difference between 0.9.6b and 0.9.6c is NOT reflected in the library versions, doing an upgrade from 0.9.6b to 0.9.6c results in the library file being directly written into. This in turn causes programs that had that library mapped to fail. And sshd does so rather quickly.

Normally this would not be an issue because normally, the version of the library source becomes the version of the library installed. In such cases, writing the upgraded library writes a whole new file and changing the symlinks does not impact currently mapped copies. Recompiling and forcibly reinstalling the very same version of most libraries could certainly be a problem. In the case of OpenSSL, it is a problem regardless.

One fix is to name the library exactly the same as the source. That would result in files:

    libcrypto.so.0.9.6b (the old one)
    libcrypto.so.0.9.6c (newly created)

and symlinks would then be:

    libcrypto.so.0.9.6 -> libcrypto.so.0.9.6c
    libcrypto.so.0 -> libcrypto.so.0.9.6
    libcrypto.so -> libcrypto.so.0

With this method, the old version is not destroyed. One can change the symlink back to the old version in case of problems that might occur in the future.

Another way to make sure the library installation does not clobber existing processes is:

    @if [ -n "$(SHARED_LIBS)" ]; then \
        tmp="$(SHARED_LIBS)"; \
        for i in $${tmp:-x}; \
        do \
            if [ -f "$$i" ]; then \
            (   echo installing $$i; \
                cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
                chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
                ln -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i \
                      $(INSTALL_PREFIX)$(INSTALLTOP)/lib/old-$$i; \
                mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i \
                      $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
            fi \
        done; \
        (   here="`pwd`"; \
            cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
            make -f $$here/Makefile link-shared ); \
    fi

This ensures not only saving the old library, but also makes the file switch atomic so that any active process trying to access the library file directly never sees a time window in which none exists, and gets either the old one or the new one. This then allows cleanly restarting processes that use the new library files. In the case of SSH using shared libraries, it also keeps you from being locked out of remote machines (even if you had multiple instances of sshd on different ports, they all die with the current method).

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| [EMAIL PROTECTED]    | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
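The difference between the two install steps in the message above can be observed through inode numbers. The script below is an added example, not part of the original message or of OpenSSL's Makefile; `libdemo.so`, the function names and the first-install guard are assumptions of the example.

```shell
#!/bin/sh
# Constructed demo files; "libdemo.so" is a hypothetical library name.
# The live file stays writable here to mimic a root install, where
# cp -f can open the existing file for writing even at mode 555.

inode() { ls -i "$1" | awk '{print $1}'; }

# Current Makefile.ssl step: copy straight onto the live name.
install_in_place() {
    cp -f "$1" "$2/$(basename "$1")"
}

# Step proposed in the message: stage as tmp-, keep an old- hard link,
# then rename over the live name. The check for an existing live file
# (first-time install) is an addition of this example.
install_atomic() {
    name=$(basename "$1")
    cp -f "$1" "$2/tmp-$name" || return 1
    chmod 555 "$2/tmp-$name" || return 1
    if [ -f "$2/$name" ]; then
        ln -f "$2/$name" "$2/old-$name" || return 1
    fi
    mv -f "$2/tmp-$name" "$2/$name"
}

# Runs one upgrade with the installer named in $1 and prints whether the
# live name kept its inode ("same") or points at a fresh file ("new"),
# followed by the content preserved under old-, if any.
upgrade_result() {
    work=$(mktemp -d) || return 1
    mkdir "$work/build" "$work/lib"
    echo "0.9.6b" > "$work/lib/libdemo.so"    # copy mapped by running daemons
    echo "0.9.6c" > "$work/build/libdemo.so"  # freshly built replacement
    before=$(inode "$work/lib/libdemo.so")
    "$1" "$work/build/libdemo.so" "$work/lib" || { rm -rf "$work"; return 1; }
    after=$(inode "$work/lib/libdemo.so")
    old=$(cat "$work/lib/old-libdemo.so" 2>/dev/null || true)
    rm -rf "$work"
    if [ "$before" = "$after" ]; then state=same; else state=new; fi
    echo "$state old=$old"
}

echo "in place: $(upgrade_result install_in_place)"
echo "atomic:   $(upgrade_result install_atomic)"
```

An unchanged inode means the bytes of the file that running processes have mapped were rewritten underneath them; a new inode means those processes keep the old file until they restart.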