Re: haproxy 2.0.0 build openssl version mismatch?
bob

On Wed, Jul 17, 2019, at 10:06 AM, Zakharychev, Bob wrote:
> rpath is not the best solution here IMO - if the dependency is moved or
> removed (or replaced with a wrong SO in the right path, maybe even
> maliciously) from the system haproxy will still fail to load. I
> personally simply statically link OpenSSL into the HAProxy executable,
> which makes it portable and independent of OS SO configuration or
> paths. In order to statically link OpenSSL, simply build it without
> shared library support (no-shared) and then relink haproxy against it
> with the same SSL_INC and SSL_LIB.
>
> If you still want to use rpath, I believe you can add it with ADDLIB variable:
>
> make TARGET=linux-glibc ... ADDLIB="-rpath /opt/prod/openssl111c/lib64"

I don't build OpenSSL statically. It's part of a production stack I manage/distribute with paths to the stack's dynamic libs rpath'd/hardcoded.

So, trying with the ADDLIB/ADDINC you suggest,

    make \
    ...
    USE_OPENSSL=1 \
    SSL_LIB="/opt/prod/openssl11c/lib64" \
    SSL_INC="/opt/prod/openssl11c/include" \
    ADDLIB="-L/opt/prod/openssl11c/lib64 -Wl,-rpath,/opt/prod/openssl11c/lib64" \
    ADDINC="-I/opt/prod/openssl11c/include" \
    ...

does seem to work,

    /opt/prod/haproxy/sbin/haproxy -vv
    HA-Proxy version 2.0.0 2019/06/16 - https://haproxy.org/
    ...
    Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
    Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
    ...

    ldd /opt/prod/haproxy/sbin/haproxy | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl11c/lib64/libssl.so.1.1 (0x7efedb62b000)
    libcrypto.so.1.1 => /opt/prod/openssl11c/lib64/libcrypto.so.1.1 (0x7efedb125000)

not exactly a 'standard' approach to linking, but it solves the problem.

thanks!

hal
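The `ldd` check that closes the message above, turned into a repeatable gate that also covers the "wrong SO in the right path" concern quoted in it. This is an added example, not code from any poster or from the HAProxy project; the function names `check_ssl_resolution` and `dir_not_shared_writable` are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): gate a deploy on where libssl/libcrypto resolve.
# ldd invokes the dynamic loader, so feed it only binaries you built or trust.

# check_ssl_resolution EXPECTED_DIR   (reads `ldd` output on stdin)
# Returns 0 if every libssl/libcrypto entry resolves inside EXPECTED_DIR,
# 1 on a mismatch or "not found", 2 if no such dependency is listed at all
# (for example when OpenSSL was linked statically).
check_ssl_resolution() {
    awk -v want="${1%/}" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if ($2 != "=>" || $3 == "not") { print "MISSING  " $1; bad++; next }
            dir = $3; sub("/[^/]*$", "", dir)        # strip the file name
            if (dir == want) print "OK       " $1 " -> " $3
            else           { print "MISMATCH " $1 " -> " $3; bad++ }
        }
        END {
            if (!seen) { print "NONE     no libssl/libcrypto in ldd output"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# dir_not_shared_writable DIR
# Returns 0 only if DIR exists and is neither group- nor world-writable, so a
# non-owner cannot drop a replacement .so into the rpath'd directory.
dir_not_shared_writable() {
    case $(ls -ldL -- "$1" 2>/dev/null) in
        d????w*|d???????w*) return 1 ;;   # group-write or world-write bit set
        d*) return 0 ;;
        *)  return 1 ;;                   # missing, or not a directory
    esac
}

# Sample 1: the ldd lines posted in the thread after the rpath build.
SAMPLE_RPATH='libssl.so.1.1 => /opt/prod/openssl11c/lib64/libssl.so.1.1 (0x7efedb62b000)
libcrypto.so.1.1 => /opt/prod/openssl11c/lib64/libcrypto.so.1.1 (0x7efedb125000)'
# Sample 2: constructed, models the earlier build that picked up /usr/lib64.
SAMPLE_SYSTEM='libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x0)
libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x0)'

printf '%s\n' "$SAMPLE_RPATH"  | check_ssl_resolution /opt/prod/openssl11c/lib64
printf '%s\n' "$SAMPLE_SYSTEM" | check_ssl_resolution /opt/prod/openssl11c/lib64 \
    || echo "=> system libs resolved; fail the gate"
# Live use: ldd /opt/prod/haproxy/sbin/haproxy | check_ssl_resolution /opt/prod/openssl11c/lib64
```
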
RE: haproxy 2.0.0 build openssl version mismatch?
rpath is not the best solution here IMO - if the dependency is moved or removed (or replaced with a wrong SO in the right path, maybe even maliciously) from the system haproxy will still fail to load. I personally simply statically link OpenSSL into the HAProxy executable, which makes it portable and independent of OS SO configuration or paths. In order to statically link OpenSSL, simply build it without shared library support (no-shared) and then relink haproxy against it with the same SSL_INC and SSL_LIB.

If you still want to use rpath, I believe you can add it with ADDLIB variable:

    make TARGET=linux-glibc ... ADDLIB="-rpath /opt/prod/openssl111c/lib64"

Bob

-Original Message-
From: hal...@xsmail.com
Sent: Wednesday, July 17, 2019 12:32 PM
To: Aleksandar Lazic
Cc: Zakharychev, Bob ; haproxy@formilux.org
Subject: Re: haproxy 2.0.0 build openssl version mismatch?

On Wed, Jul 17, 2019, at 9:13 AM, Aleksandar Lazic wrote:
>
> Can you try to adapt your system to the openssl path as I did in the dockerfile.
>
> https://gitlab.com/aleks001/haproxy20-centos/blob/master/Dockerfile#L37
>
> ```
> echo "/opt/prod/openssl111c/lib64" > /etc/ld.so.conf.d/openssl-111c.conf \
> && ldconfig -v \
> ```

ldconfig additions/changes are system-wide, and local environment specific -- and subject to end-user override.

does haproxy simply support rpath -- which correctly solves the linking problem in the distributed package by hardcoding the specified/intended runtime path -- like most other packages?

e.g., all rpath'd &/or config-managed build/installs,

    ldd `which nginx` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f24ae9f6000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f24ae4f)

    ldd `which php` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f4c1533a000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f4c14e34000)

    ldd `which mariadb` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7feb8998a000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7feb89484000)

    ldd `which named` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f539d468000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f539cf62000)

    ldd `which openvpn` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7fd1d891b000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7fd1d8415000)

    ldd `which curl` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f5085647000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f5085149000)

etc etc

none of which need ldconfig.
Re: haproxy 2.0.0 build openssl version mismatch?
On Wed, Jul 17, 2019, at 9:13 AM, Aleksandar Lazic wrote:
>
> Can you try to adapt your system to the openssl path as I did in the dockerfile.
>
> https://gitlab.com/aleks001/haproxy20-centos/blob/master/Dockerfile#L37
>
> ```
> echo "/opt/prod/openssl111c/lib64" > /etc/ld.so.conf.d/openssl-111c.conf \
> && ldconfig -v \
> ```

ldconfig additions/changes are system-wide, and local environment specific -- and subject to end-user override.

does haproxy simply support rpath -- which correctly solves the linking problem in the distributed package by hardcoding the specified/intended runtime path -- like most other packages?

e.g., all rpath'd &/or config-managed build/installs,

    ldd `which nginx` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f24ae9f6000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f24ae4f)

    ldd `which php` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f4c1533a000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f4c14e34000)

    ldd `which mariadb` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7feb8998a000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7feb89484000)

    ldd `which named` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f539d468000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f539cf62000)

    ldd `which openvpn` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7fd1d891b000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7fd1d8415000)

    ldd `which curl` | egrep "ssl|crypto"
    libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f5085647000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f5085149000)

etc etc

none of which need ldconfig.
Re: haproxy 2.0.0 build openssl version mismatch?
Can you try to adapt your system to the openssl path as I did in the dockerfile.

https://gitlab.com/aleks001/haproxy20-centos/blob/master/Dockerfile#L37

```
echo "/opt/prod/openssl111c/lib64" > /etc/ld.so.conf.d/openssl-111c.conf \
&& ldconfig -v \
```

Regards
Aleks

Wed Jul 17 17:38:59 GMT+02:00 2019 hal...@xsmail.com:
> bob
>
> On Wed, Jul 17, 2019, at 8:29 AM, Zakharychev, Bob wrote:
> > you are using SSL_INC and SSL_LIB incorrectly: they should ONLY contain
> > paths to corresponding include and library directories, not GCC
> > options. So in your case they should look like this:
> >
> > SSL_LIB=/opt/prod/openssl111c/lib64 \
> > SSL_INC=/opt/prod/openssl111c/include \
>
> switching to
>
> make V=1 \
> TARGET=linux-glibc \
> USE_SYSTEMD=1 \
> USE_PCRE2=1 \
> USE_PCRE2_JIT=1 \
> USE_OPENSSL=1 \
> SSL_LIB=/opt/prod/openssl111c/lib64 \
> SSL_INC=/opt/prod/openssl111c/include \
> USE_THREAD=1 \
> USE_PTHREAD_PSHARED=1 \
> USE_TFO=1 \
> USE_NS=1
>
> now, after build,
>
> /opt/prod/haproxy/sbin/haproxy -vv
> /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)
> /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)
>
> it completely ignores the specified paths, and incorrectly links the
> distro-installed, system libs.
>
> hal
RE: haproxy 2.0.0 build openssl version mismatch?
Unless you statically link OpenSSL, haproxy will attempt to load default OS SOs on startup. Obviously, haproxy was compiled with OpenSSL 1.1.1c, but default SOs are not. You should add your OpenSSL 1.1.1c SO directory to, say, /etc/ld.so.conf.d/ossl111c.conf file (or whatever else you choose to name it as long as it's .conf) and run ldconfig to load the updated configuration. You can use "ldd haproxy" to verify SO dependencies and how they are resolved.

Bob

-Original Message-
From: hal...@xsmail.com
Sent: Wednesday, July 17, 2019 11:39 AM
To: Zakharychev, Bob ; haproxy@formilux.org
Subject: Re: haproxy 2.0.0 build openssl version mismatch?

bob

On Wed, Jul 17, 2019, at 8:29 AM, Zakharychev, Bob wrote:
> you are using SSL_INC and SSL_LIB incorrectly: they should ONLY
> contain paths to corresponding include and library directories, not
> GCC options. So in your case they should look like this:
>
> SSL_LIB=/opt/prod/openssl111c/lib64 \
> SSL_INC=/opt/prod/openssl111c/include \

switching to

    make V=1 \
    TARGET=linux-glibc \
    USE_SYSTEMD=1 \
    USE_PCRE2=1 \
    USE_PCRE2_JIT=1 \
    USE_OPENSSL=1 \
    SSL_LIB=/opt/prod/openssl111c/lib64 \
    SSL_INC=/opt/prod/openssl111c/include \
    USE_THREAD=1 \
    USE_PTHREAD_PSHARED=1 \
    USE_TFO=1 \
    USE_NS=1

now, after build,

    /opt/prod/haproxy/sbin/haproxy -vv
    /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)
    /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)

it completely ignores the specified paths, and incorrectly links the distro-installed, system libs.

hal
Re: haproxy 2.0.0 build openssl version mismatch?
bob

On Wed, Jul 17, 2019, at 8:29 AM, Zakharychev, Bob wrote:
> you are using SSL_INC and SSL_LIB incorrectly: they should ONLY contain
> paths to corresponding include and library directories, not GCC
> options. So in your case they should look like this:
>
> SSL_LIB=/opt/prod/openssl111c/lib64 \
> SSL_INC=/opt/prod/openssl111c/include \

switching to

    make V=1 \
    TARGET=linux-glibc \
    USE_SYSTEMD=1 \
    USE_PCRE2=1 \
    USE_PCRE2_JIT=1 \
    USE_OPENSSL=1 \
    SSL_LIB=/opt/prod/openssl111c/lib64 \
    SSL_INC=/opt/prod/openssl111c/include \
    USE_THREAD=1 \
    USE_PTHREAD_PSHARED=1 \
    USE_TFO=1 \
    USE_NS=1

now, after build,

    /opt/prod/haproxy/sbin/haproxy -vv
    /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)
    /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)

it completely ignores the specified paths, and incorrectly links the distro-installed, system libs.

hal
RE: haproxy 2.0.0 build openssl version mismatch?
hal,

you are using SSL_INC and SSL_LIB incorrectly: they should ONLY contain paths to corresponding include and library directories, not GCC options. So in your case they should look like this:

    SSL_LIB=/opt/prod/openssl111c/lib64 \
    SSL_INC=/opt/prod/openssl111c/include \

Hth,
Bob

-Original Message-
From: hal...@xsmail.com
Sent: Wednesday, July 17, 2019 11:15 AM
To: haproxy@formilux.org
Subject: haproxy 2.0.0 build openssl version mismatch?

I'm building haproxy 2.0.0, ...

setting ssl flags to use that local instance, with rpath, haproxy build has no errors

    make V=1 \
    TARGET=linux-glibc \
    USE_SYSTEMD=1 \
    USE_PCRE2=1 \
    USE_PCRE2_JIT=1 \
    USE_OPENSSL=1 \
    SSL_LIB=" -L/opt/prod/openssl111c/lib64 -Wl,-rpath,/opt/prod/openssl111c/lib64" \  << wrong!
    SSL_INC=" -I/opt/prod/openssl111c/include" \  << wrong!
    USE_THREAD=1 \
    USE_PTHREAD_PSHARED=1 \
    USE_TFO=1 \
    USE_NS=1

hal