Hello,
On Thu, Jun 21, 2018 at 06:26:18PM -0700, PGNet Dev wrote:
> I'm building haproxy 1.8.0 from tarball source.
Well, first please ensure you're building latest fixes and not an old
version otherwise you'll expose yourself to all these known and now fixed
bugs :
http://www.haproxy.org/bugs/bugs-1.8.0.html
> I'm linking against a specific, local build of openssl v1.1.0
>
> Explicitly specifying SSL_INC & SSL_LIB with rpath,
>
> make \
> TARGET=linux2628 \
> USE_SYSTEMD=1 \
> USE_PCRE2=1 USE_PCRE2_JIT=1 \
> USE_OPENSSL=1 \
> SSL_INC=" -I/usr/local/openssl11/include" \
> SSL_LIB=" -L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64" \
> ADDLIB="-ldl -lssl -lcrypto"
> make install
>
> it builds/installs with no error
>
> which haproxy
> /usr/local/sbin/haproxy
>
> and the linked libs are as intended,
>
> ldd /usr/local/sbin/haproxy | egrep "ssl|crypto"
> libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f071de04000)
> libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f071d969000)
>
> but checking haproxy version,
>
> haproxy -vv
> HA-Proxy version 1.8.0 2017/11/26
> Copyright 2000-2017 Willy Tarreau <[email protected]>
>
> Build options :
> TARGET = linux2628
> ...
> OPTIONS = USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1
> ...
> Built with OpenSSL version : OpenSSL 1.1.0h-fips 27 Mar 2018
> Running on OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
> ...
>
> references the wrong "Built with" OpenSSL version, namely the system
> installed version,
>
> /usr/bin/openssl version
> OpenSSL 1.1.0h-fips 27 Mar 2018
>
> instead of my specified build
>
> /usr/local/openssl11/bin/openssl version
> OpenSSL 1.1.0h 27 Mar 2018
>
> As the ldd linked libs look ok, I suspect this is just an artifact of the
> version check making (incorrect) assumptions about runtime bin path ...
>
> *IS* it just an artifact? Or is it an indication of improper linking/use?
I agree these ones look odd. I could easily understand that "-fips" would
not be reported, but here seeing it really makes me think it's running with
the system's lib instead. Just looking at the code, the "built with" version
comes from a macro : OPENSSL_VERSION_TEXT. So it was found at build time in
ssl.h or some such files. Thus I suspect that despite your SSL_INC path it
found the other one.
One possible cause could be pcre-config reporting -I/usr and causing -I/usr/inc
to be included before the SSL_INC path. A quick test could consist in building
without PCRE to validate or invalidate that assumption. If it fixes it, please
retry with "PCREDIR=" so that it doesn't try to set PCRE_INC/PCRE_LIB.
Regards,
Willy
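The mechanism Willy describes, that "Built with" is the OPENSSL_VERSION_TEXT string baked in from whichever opensslv.h the preprocessor finds first along the -I search path, can be reproduced without a compiler. The script below is an added example, not code from the thread or from the haproxy project: it creates two constructed fake include trees under a temporary directory (one carrying a "-fips" version text standing in for the system headers, one standing in for /usr/local/openssl11), then walks the -I flags in the order they appear, exactly as a preprocessor would, and reports which header a build would pick up. The helper names (resolve_header, built_with) and the fake header contents are assumptions; only the `-Idir` flag form is handled.

```shell
#!/bin/sh
# Constructed demo: two fake OpenSSL include trees plus a function that walks
# -I flags in order (as the preprocessor does) to report which opensslv.h a
# build would pick up and what OPENSSL_VERSION_TEXT it would bake in.

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/usr/include/openssl" \
         "$demo_root/usr/local/openssl11/include/openssl"

# Fake "system" header: stands in for a distro build carrying -fips.
cat > "$demo_root/usr/include/openssl/opensslv.h" <<'EOF'
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0h-fips 27 Mar 2018"
EOF
# Fake "local" header: stands in for the self-built /usr/local/openssl11.
cat > "$demo_root/usr/local/openssl11/include/openssl/opensslv.h" <<'EOF'
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0h 27 Mar 2018"
EOF

# resolve_header "<cflags>" "<relative header>"
# Prints the full path of the first -I directory (in flag order) that
# contains the header; returns 1 if none does. Only the -Idir form is parsed.
resolve_header() {
    flags=$1; hdr=$2
    for tok in $flags; do
        case $tok in
            -I*)
                dir=${tok#-I}
                if [ -f "$dir/$hdr" ]; then
                    printf '%s\n' "$dir/$hdr"
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# version_text_in <file>: extract the OPENSSL_VERSION_TEXT string literal.
version_text_in() {
    sed -n 's/.*OPENSSL_VERSION_TEXT[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# built_with "<cflags>": the version string a build with these flags would
# report as "Built with OpenSSL version", i.e. haproxy -vv's first line.
built_with() {
    f=$(resolve_header "$1" openssl/opensslv.h) || return 1
    version_text_in "$f"
}

# Flag order that reproduces the report: a -I pointing at the system tree
# (what pcre-config might inject) lands before SSL_INC.
bad_order="-I$demo_root/usr/include -I$demo_root/usr/local/openssl11/include"
# Flag order where SSL_INC comes first and the local header wins.
good_order="-I$demo_root/usr/local/openssl11/include -I$demo_root/usr/include"

echo "system tree first : $(built_with "$bad_order")"
echo "SSL_INC first     : $(built_with "$good_order")"
```

With a real toolchain the same question is answered by asking the preprocessor itself: compiling a one-line file containing `#include <openssl/opensslv.h>` with the exact CFLAGS the build used and gcc's `-H` option prints every header opened, so a mismatch between the "Built with" and "Running on" lines can be traced to a specific -I flag rather than inferred.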