In Makefile.ssl I find the following:
@if [ -n "$(SHARED_LIBS)" ]; then \
tmp="$(SHARED_LIBS)"; \
for i in $${tmp:-x}; \
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
make -f $$here/Makefile link-shared ); \
fi
Because the difference between 0.9.6b and 0.9.6c is NOT reflected
in the library versions, doing an upgrade from 0.9.6b to 0.9.6c
results in the library file being directly written into. This in
turn causes programs that had that library mapped to fail. And
sshd does so rather quickly.
Normally this would not be an issue because normally, the version
of the library source becomes the version of the library installed.
In such cases, writing the upgraded library writes a whole new file
and changing the symlinks does not impact currently mapped copies.
Recompiling and forcibly reinstalling the very same version of most
libraries could certainly be a problem.
In the case of OpenSSL, it is a problem regardless.
One fix is to name the library exactly the same as the source.
That would result in files:
libcrypto.so.0.9.6b (the old one)
libcrypto.so.0.9.6c (newly created)
and symlinks would then be:
libcrypto.so.0.9.6 -> libcrypto.so.0.9.6c
libcrypto.so.0 -> libcrypto.so.0.9.6
libcrypto.so -> libcrypto.so.0
With this method, the old version is not destroyed. One can change
the symlink back to the old version in case of problems that might
occur in the future.
Another way to make sure the library installation does not clobber
existing processes is:
@if [ -n "$(SHARED_LIBS)" ]; then \
tmp="$(SHARED_LIBS)"; \
for i in $${tmp:-x}; \
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
ln -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i \
$(INSTALL_PREFIX)$(INSTALLTOP)/lib/old-$$i; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i \
$(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
make -f $$here/Makefile link-shared ); \
fi
This ensures not only saving the old library, but also makes the
file switch atomic so that any active process trying to access the
library file directly never sees a time window of none existing,
and gets either the old one or the new one. This then allows cleanly
restarting processes that use the new library files. In the case of
SSH using shared libraries, it also keeps you from being locked out
of remote machines (even if you had multiple instances of sshd on
different ports, they all die with the current method).
--
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| [EMAIL PROTECTED] | Texas, USA | http://phil.ipal.org/ |
-----------------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
