fyi,

all the ssl 'magic' for haproxy appears to be in

        src/ssl_sock.c

which references

         *Acknowledgement:
         *   We'd like to specially thank the Stud project authors for a very clean
         *   and well documented code which helped us understand how the OpenSSL API
         *   ought to be used in non-blocking mode. This is one difficult part which
         *   is not easy to get from the OpenSSL doc, and reading the Stud code made
         *   it much more obvious than the examples in the OpenSSL package. Keep up
         *   the good works, guys !
         *
         *   Stud is an extremely efficient and scalable SSL/TLS proxy which combines
         *   particularly well with haproxy. For more info about this project, visit :
         *       https://github.com/bumptech/stud

stud's not been updated in years, and per

        https://github.com/bumptech/stud

                Stud is now officially abandonware, thanks for playing.
                Recommended alternative: https://github.com/varnish/hitch

Stud's exemplar usage of the OpenSSL api is likely not the best reference for 
modern openssl api usage.

Taking a look, instead, at the usage approach taken by recommended 'hitch',

        git clone https://github.com/varnish/hitch.git
        cd hitch

their much-simpler, openssl 1.1.0-ready implementation code is in,

        ./src/hssl_locks.c

which notes, correctly

        /*
         * OpenSSL 1.1 has a new threading implementation that no longer
         * requires the application to set its own locking callbacks.
         */

and avoids reference to, and use of, the previously mentioned deprecated 
symbols (cref: https://www.openssl.org/news/openssl-1.1.0-notes.html)

it builds/installs

        ./bootstrap
        ./configure \
        --prefix=/usr/local/hitch \
        SSL_CFLAGS="-I/usr/local/openssl/include" \
        SSL_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lssl" \
        CRYPTO_CFLAGS="-I/usr/local/openssl/include" \
        CRYPTO_LIBS="-L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64 -lcrypto"
        make -j4
        make install

with no errors,

        ldd /usr/local/hitch/sbin/hitch | egrep "ssl|crypto"
                libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f8c27cb6000)
                libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f8c2780d000)

        /usr/local/hitch/sbin/hitch --version
                hitch 1.4.8

particularly with tls1.3-capable openssl 1.1.1 "ComingSoon(tm)", might be worth 
a review
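
The `ldd | egrep` check above, turned into a pass/fail test, as an added example that is not part of the original post or of hitch: it fails when libssl or libcrypto is missing, carries a different soname version, is unresolved, or resolves outside the intended OpenSSL prefix. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from hitch).
# check_ssl_linkage PREFIX SOVER
#   Reads `ldd` output on stdin. Succeeds only if libssl and libcrypto are
#   both linked, carry soname version SOVER, and resolve under PREFIX.
check_ssl_linkage() {
    awk -v prefix="$1" -v sover="$2" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            name = ($1 ~ /^libssl/) ? "ssl" : "crypto"
            seen[name] = 1
            if ($1 != ("lib" name ".so." sover)) {
                print "unexpected soname: " $1; bad = 1
            }
            if ($2 != "=>" || $3 == "not") {
                print "unresolved: " $1; bad = 1; next
            }
            # Require PREFIX followed by "/" so /usr/local/openssl does not
            # accidentally accept /usr/local/openssl11.
            if (index($3, prefix "/") != 1) {
                print "outside " prefix ": " $1 " -> " $3; bad = 1
            }
        }
        END {
            if (!seen["ssl"])    { print "libssl not linked";    bad = 1 }
            if (!seen["crypto"]) { print "libcrypto not linked"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# ldd output as shown in the post.
sample_ldd_post() {
    cat <<'EOF'
libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f8c27cb6000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f8c2780d000)
EOF
}

# Constructed sample: the build picked up a system OpenSSL 1.0 library instead.
sample_ldd_system() {
    cat <<'EOF'
libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0000000000)
libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0000200000)
EOF
}
```

Against a real build it would be run as `ldd /usr/local/hitch/sbin/hitch | check_ssl_linkage /usr/local/openssl11 1.1`.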

