openssh 6.5p1 configure and ssl location/shared

Karl Berry karl at freefriends.org
Mon Feb 10 11:36:20 EST 2014


    I think it's probably more likely to do with the -fPIE option - this
    requires that the libraries linked be position independent too.

The fact is that when I used --without-hardening, the link succeeded
without any other changes.  I don't believe any -fPIC option is being
used anywhere in my scenario.

    I'd recommend rebuilding OpenSSL with -fPIC instead, 

There are various reasons why I don't want to do that, but that's
irrelevant.  The point is that linking with a static libssl always
worked before; hence I thought it worth mentioning.  If it's not going
to be supported (I hope you won't go that route, of course), then it
should bomb out intentionally, not just because some random test
happened to fail.

Another possibility would be to avoid the relro option unless the
library is dynamic, or make it a separate configure option, or
whatever.  I believe that is the one that's the issue, and the others
are fine.

    there are many security benefits to the hardening options we enable.

I know.

Best,
Karl

