[
https://issues.apache.org/jira/browse/HADOOP-11216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188789#comment-14188789
]
Colin Patrick McCabe commented on HADOOP-11216:
-----------------------------------------------
bq. set_find_shared_library_version is removed, then both the shared library and
the static library can be candidates; if there is no libcrypto.so (no suffix), but
libcrypto.a exists, then the static library will be used, which is not expected. I
have confirmed the behavior in my local environment. We should only find the
shared library with no suffix.
OK. We can prevent this by explicitly setting {{CMAKE_FIND_LIBRARY_SUFFIXES}}
to the shared suffix.
bq. This only checks the header file, so there is a potential issue: the user
specifies a custom openssl and the version is new enough, so the header file passes
the check, but there is no libcrypto.so, and bundle.openssl is set; then the old
openssl shared library in the system path is bundled, which is not expected. So we
should also check that the found openssl library is in the same location as the
found openssl header file.
I think it's going to be somewhat difficult to improve the version detection.
And this is only a problem in the case where we're bundling. As I already
mentioned, we're not going to bundle in the official Apache release, and no
reasonable Hadoop distribution is going to bundle. We simply cannot update
Hadoop every time an openssl vulnerability comes out. I just installed an
openssl update on this computer today, which really emphasizes that for me.
Why don't we file a follow-up JIRA to improve the version detection? It's
crucial that we get this JIRA in before the 2.6 release, since otherwise it
will be an incompatible change to look for .so rather than .so.1.0.0.
> Improve Openssl library finding
> -------------------------------
>
> Key: HADOOP-11216
> URL: https://issues.apache.org/jira/browse/HADOOP-11216
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: Yi Liu
> Assignee: Colin Patrick McCabe
> Attachments: HADOOP-11216.003.patch, HADOOP-11216.004.patch
>
>
> When we compile Openssl 1.0.0(x) or 1.0.1(x) using default options, there
> will be {{libcrypto.so.1.0.0}} in the output lib dir, so we expect this version
> suffix in the cmake build file
> {code}
> SET(STORED_CMAKE_FIND_LIBRARY_SUFFIXES CMAKE_FIND_LIBRARY_SUFFIXES)
> set_find_shared_library_version("1.0.0")
> SET(OPENSSL_NAME "crypto")
> ....
> {code}
> If we don't bundle the crypto shared library in Hadoop distribution, then
> Hadoop will try to find crypto library in system path when running.
> But in a real linux distribution, there may be no {{libcrypto.so.1.0.0}} or
> {{libcrypto.so}} even if the system embedded openssl is 1.0.1(x). Then we
> need to make a symbolic link.
> This JIRA is to improve the Openssl library finding.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
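One way to express the two checks discussed in the comment as CMake, as an added example that is not Hadoop's own CMakeLists.txt: restrict find_library to the shared suffix so a lone libcrypto.a is never chosen, and, when a custom OpenSSL prefix is given, require both header and library to come from it. CUSTOM_OPENSSL_PREFIX is an assumed cache variable, not a Hadoop option name, and the version parsing assumes the OpenSSL 1.x opensslv.h layout.

```cmake
# Added example, not Hadoop's own CMakeLists.txt. It applies the two points from the
# comment: search only for the shared libcrypto (never libcrypto.a), and, when the
# user supplies a custom OpenSSL prefix, refuse a library found elsewhere even though
# the header under that prefix passed the version check.
# CUSTOM_OPENSSL_PREFIX is an assumed cache variable, not a Hadoop option name.
cmake_minimum_required(VERSION 3.5)
project(find_shared_openssl C)

set(CUSTOM_OPENSSL_PREFIX "" CACHE PATH "Optional OpenSSL install prefix (assumed)")

# Restrict find_library to the shared suffix (.so on Linux), then restore the list.
set(STORED_CMAKE_FIND_LIBRARY_SUFFIXES "${CMAKE_FIND_LIBRARY_SUFFIXES}")
set(CMAKE_FIND_LIBRARY_SUFFIXES "${CMAKE_SHARED_LIBRARY_SUFFIX}")
find_path(OPENSSL_INCLUDE_DIR openssl/opensslv.h HINTS "${CUSTOM_OPENSSL_PREFIX}/include")
find_library(OPENSSL_CRYPTO_LIBRARY NAMES crypto
             HINTS "${CUSTOM_OPENSSL_PREFIX}/lib" "${CUSTOM_OPENSSL_PREFIX}/lib64")
set(CMAKE_FIND_LIBRARY_SUFFIXES "${STORED_CMAKE_FIND_LIBRARY_SUFFIXES}")
if(NOT OPENSSL_INCLUDE_DIR OR NOT OPENSSL_CRYPTO_LIBRARY)
  message(FATAL_ERROR "openssl/opensslv.h or a shared libcrypto was not found")
endif()

# Version check from the header (OpenSSL 1.x layout): OPENSSL_VERSION_NUMBER is
# 0xMNNFFPPS, eight hex digits, so it compares correctly as a lower-case string.
file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" _ver_line
     REGEX "define[ \t]+OPENSSL_VERSION_NUMBER[ \t]+0x")
string(REGEX MATCH "0x([0-9A-Fa-f]+)" _unused "${_ver_line}")
if(NOT _ver_line OR NOT CMAKE_MATCH_1)
  message(FATAL_ERROR "Could not parse OPENSSL_VERSION_NUMBER from opensslv.h")
endif()
string(TOLOWER "${CMAKE_MATCH_1}" OPENSSL_VERSION_HEX)
if(OPENSSL_VERSION_HEX STRLESS "1000100f")   # 1.0.1 == 0x1000100f
  message(FATAL_ERROR "OpenSSL header too old: 0x${OPENSSL_VERSION_HEX} < 1.0.1")
endif()

# Location check: with a custom prefix, header and library must both live under it,
# otherwise the header passes while a stale system libcrypto.so is linked (and, if
# bundling is enabled, shipped).
if(CUSTOM_OPENSSL_PREFIX)
  get_filename_component(_prefix "${CUSTOM_OPENSSL_PREFIX}" REALPATH)
  get_filename_component(_inc "${OPENSSL_INCLUDE_DIR}" REALPATH)
  get_filename_component(_lib "${OPENSSL_CRYPTO_LIBRARY}" REALPATH)
  string(FIND "${_inc}" "${_prefix}/" _inc_pos)
  string(FIND "${_lib}" "${_prefix}/" _lib_pos)
  if(NOT _inc_pos EQUAL 0 OR NOT _lib_pos EQUAL 0)
    message(FATAL_ERROR "OpenSSL header ${_inc} and library ${_lib} must both be under ${_prefix}")
  endif()
endif()
message(STATUS "Using ${OPENSSL_CRYPTO_LIBRARY} (header version 0x${OPENSSL_VERSION_HEX})")
```

Run with `cmake -DCUSTOM_OPENSSL_PREFIX=/opt/openssl -S . -B build` to see the location check reject a header/library split across prefixes; without the prefix it only enforces the shared-suffix and version rules.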