Hi Willy. It worked, thanks a lot. Output + build commands are below.
On 2013-09-29 13:35, Willy Tarreau wrote:
Hi Julien,
On Fri, Sep 27, 2013 at 11:08:11AM +0200, Julien Vehent wrote:
Hi everyone,
I'm attempting to build HEAD with a statically compiled openssl, and get
the following error:
$ make TARGET=linux2628 USE_STATIC_PCRE=1 USE_OPENSSL=1 \
    ADDINC=-I/tmp/staticlibssl/include ADDLIB="-L/tmp/staticlibssl/lib -ldl"
[....]
gcc -g -o haproxy src/haproxy.o src/sessionhash.o src/base64.o
src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o
src/task.o src/chunk.o src/channel.o src/listener.o src/time.o src/fd.o
src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o
src/queue.o src/frontend.o src/proxy.o src/peers.o src/arg.o
src/stick_table.o src/proto_uxst.o src/connection.o src/proto_http.o
src/raw_sock.o src/appsession.o src/backend.o src/lb_chash.o
src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o
src/stream_interface.o src/dumpstats.o src/proto_tcp.o src/session.o
src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o
src/memory.o src/freq_ctr.o src/auth.o src/compression.o src/payload.o
src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o ebtree/ebtree.o
ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o
ebtree/ebimtree.o ebtree/ebistree.o -lcrypt -lssl -lcrypto -L/usr/lib
-Wl,-Bstatic -lpcreposix -lpcre -Wl,-Bdynamic -L/tmp/staticlibssl/lib
-ldl
src/ssl_sock.o: In function `smp_fetch_ssl_fc_npn':
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:2447: undefined
reference to `SSL_get0_next_proto_negotiated'
src/ssl_sock.o: In function `ssl_sock_prepare_srv_ctx':
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:959: undefined
reference to `TLSv1_2_client_method'
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:955: undefined
reference to `TLSv1_1_client_method'
src/ssl_sock.o: In function `ssl_sock_prepare_ctx':
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:739: undefined
reference to `SSL_CTX_set_next_protos_advertised_cb'
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:691: undefined
reference to `TLSv1_2_server_method'
/home/julien/haproxy_openssl/haproxy/src/ssl_sock.c:687: undefined
reference to `TLSv1_1_server_method'
collect2: ld returned 1 exit status
make: *** [haproxy] Erreur 1
$ uname -r
2.6.32-bpo.4-amd64
OpenSSL was built with the commands below, and the produced openssl
binary works fine.
$ ./config --prefix=/tmp/staticlibssl/ no-shared
enable-ec_nistp_64_gcc_128
$ make depend && make && make install_sw
$ /tmp/staticlibssl/bin/openssl version
OpenSSL 1.1.0-dev xx XXX xxxx
Any idea what could be missing here? Is the system openssl lib
conflicting with the statically compiled one?
Yes, and I fixed this two weeks ago. The problem is that the "ADDINC"
and "ADDLIB" variables are not suited for passing single-component paths
since they suffix everything. Look at what it results in, in your build log:
-lcrypt -lssl -lcrypto -L/usr/lib -Wl,-Bstatic -lpcreposix \
-lpcre -Wl,-Bdynamic -L/tmp/staticlibssl/lib -ldl
As you can see, -lssl and -lcrypto are looked up in your system path.
Since commit 9a05945bd0, you now have an explicit set of SSL_INC/SSL_LIB
variables, just like with PCRE, that you can point to your openssl
location. I'm using this to build with a static openssl version, as
this time it's safe, as you can see below :
# in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
BUILD_OPTIONS += $(call ignore_implicit,USE_OPENSSL)
OPTIONS_CFLAGS += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
If you have a recent enough haproxy snapshot, simply make these two
variables point to the proper location and it will be OK.
Best regards,
Willy
--- Build script ---------
#!/usr/bin/env bash
export STATICLIBSSL="/tmp/staticlibssl"
#-- Build static openssl
cd openssl-1.0.1e
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix=$STATICLIBSSL no-shared enable-ec_nistp_64_gcc_128
make depend
make
make install_sw
#-- Build static haproxy
cd haproxy
git pull
make clean
make TARGET=linux2628 USE_STATIC_PCRE=1 USE_OPENSSL=1 \
    SSL_INC=$STATICLIBSSL/include SSL_LIB="$STATICLIBSSL/lib -ldl"
--- Compiled bin ---------
$ ./haproxy -vv
HA-Proxy version 1.5-dev19-68 2013/09/23
Copyright 2000-2013 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.02 2010-03-19
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
---
Julien Vehent
http://jve.linuxwall.info
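
Added example, not part of the original thread or of the HAProxy sources: a check for which directory supplies libssl for a given link line, plus a comparison of the two OpenSSL version lines from `haproxy -vv`. It relies on the GNU ld rule that every -L applies to every -l and that -L directories are searched in command-line order; the function names, the temporary directory layout and the two link lines in `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# resolve_lib <name> <link args...>
# Prints the first -L directory (in command-line order) that holds
# lib<name>.so or lib<name>.a. Only the joined "-Ldir" form is handled.
resolve_lib() {
    local name="$1" arg dir
    shift
    for arg in "$@"; do
        case $arg in
            -L?*)
                dir=${arg#-L}
                if [ -e "$dir/lib$name.so" ] || [ -e "$dir/lib$name.a" ]; then
                    printf '%s\n' "$dir"
                    return 0
                fi ;;
        esac
    done
    return 1   # no -L directory has it; ld would fall back to its defaults
}

# openssl_versions_match: reads `haproxy -vv` output on stdin and succeeds
# only if the "Built with" and "Running on" OpenSSL versions are identical.
openssl_versions_match() {
    awk -F' : ' '
        /^Built with OpenSSL version/ { built = $2 }
        /^Running on OpenSSL version/ { running = $2 }
        END { exit !(built != "" && built == running) }'
}

# Constructed layout: a "system" directory and a static-build directory,
# each holding a libssl, and the two link-line shapes seen in the thread.
demo() {
    local root sys st
    root=$(mktemp -d)
    sys="$root/usr/lib"
    st="$root/staticlibssl/lib"
    mkdir -p "$sys" "$st"
    : > "$sys/libssl.so"
    : > "$st/libssl.a"
    # ADDLIB appends its -L after the system -L: the system copy wins.
    echo "ADDLIB : $(resolve_lib ssl -lssl -lcrypto "-L$sys" "-L$st" -ldl)"
    # SSL_LIB emits its -L next to -lssl, ahead of the system -L.
    echo "SSL_LIB: $(resolve_lib ssl "-L$st" -ldl -lssl -lcrypto "-L$sys")"
    rm -rf "$root"
}
demo
```

On a real build, feed the link command from the make log to `resolve_lib` and pipe `./haproxy -vv` into `openssl_versions_match`.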