[ https://issues.apache.org/jira/browse/HADOOP-11216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14187679#comment-14187679 ]
Colin Patrick McCabe commented on HADOOP-11216:
-----------------------------------------------
* This patch sets bundling to false by default, but doesn't remove the
openssl.prefix, openssl.include, openssl.library.
* It fixes a bug where {{STORED_CMAKE_FIND_LIBRARY_SUFFIXES}} was not being
correctly preserved.
* It adds a compile-time check that the openssl version we're compiling against
is not too old.
* We now link against {{libcrypto.so}} (no suffix). This avoids all the issues
with distro (and distro-version)-specific suffixes. The user can supply
openssl in a few different ways:
** Installing the openssl-dev package for the distro, if the distro is new
enough. This will create a libcrypto.so (no suffix) symlink. We don't have to
play the suffix guessing game because devel packages always include a no-suffix
version.
** Bundling openssl. I don't anticipate that any major hadoop distribution
will do this. It would require us to update Hadoop each time an openssl
vulnerability was found. It also has some export control issues.
** Doing a custom install of openssl and creating a symlink from the Hadoop
library path to it. This should only be necessary on older distros that don't
have a new enough openssl version. This is also the case where we may need
openssl.suffix and the rest.
Take a look...
> Improve Openssl library finding
> -------------------------------
>
> Key: HADOOP-11216
> URL: https://issues.apache.org/jira/browse/HADOOP-11216
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: Yi Liu
> Assignee: Colin Patrick McCabe
> Attachments: HADOOP-11216.003.patch, HADOOP-11216.004.patch
>
>
> When we compile Openssl 1.0.0(x) or 1.0.1(x) using default options, there
> will be {{libcrypto.so.1.0.0}} in the output lib dir, so we expect this version
> suffix in the cmake build file:
> {code}
> SET(STORED_CMAKE_FIND_LIBRARY_SUFFIXES CMAKE_FIND_LIBRARY_SUFFIXES)
> set_find_shared_library_version("1.0.0")
> SET(OPENSSL_NAME "crypto")
> ....
> {code}
> If we don't bundle the crypto shared library in the Hadoop distribution, then
> Hadoop will try to find the crypto library in the system path when running.
> But in a real Linux distribution, there may be no {{libcrypto.so.1.0.0}} or
> {{libcrypto.so}} even if the system's embedded openssl is 1.0.1(x). Then we
> need to make a symbolic link.
> This JIRA is to improve the Openssl library finding.
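
An added example, not part of the JIRA comment or the Hadoop patch: a Python check that classifies library directories by whether the unsuffixed {{libcrypto.so}} described in the comment would resolve there, run against a constructed directory tree. The function names and the sample layout are assumptions made for illustration.

```python
import os
import tempfile

BASE = "libcrypto.so"  # unsuffixed name the comment says Hadoop now links against

def classify_libcrypto(lib_dir, base=BASE):
    """Classify one library directory; returns (status, detail)."""
    path = os.path.join(lib_dir, base)
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling", os.readlink(path)          # symlink with no target
    if os.path.isfile(path):
        return "unsuffixed", os.path.realpath(path)   # loadable by plain name
    try:
        names = os.listdir(lib_dir)
    except OSError:
        return "missing", None
    versioned = sorted(n for n in names if n.startswith(base + "."))
    if versioned:
        # Runtime package only: a symlink (or the -dev package) is still needed.
        return "suffixed-only", versioned
    return "missing", None

def build_demo_tree(root):
    """Constructed sample layout; the files are placeholders, not real libraries."""
    dirs = {n: os.path.join(root, n)
            for n in ("dev_installed", "runtime_only", "broken_link", "empty")}
    for d in dirs.values():
        os.makedirs(d)
    for n in ("dev_installed", "runtime_only"):
        with open(os.path.join(dirs[n], BASE + ".1.0.0"), "w") as f:
            f.write("placeholder")
    for n in ("dev_installed", "broken_link"):
        os.symlink(BASE + ".1.0.0", os.path.join(dirs[n], BASE))
    return dirs

def run_demo():
    """Build the sample tree in a temp dir and return {name: status}."""
    with tempfile.TemporaryDirectory() as root:
        return {n: classify_libcrypto(d)[0]
                for n, d in build_demo_tree(root).items()}

if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:14} {status}")
```

The file suffix does not identify the OpenSSL release: the issue description notes that default builds of both 1.0.0(x) and 1.0.1(x) produce {{libcrypto.so.1.0.0}}, so this check covers name resolution only, not the version.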