OpenSSH-7.1p1 fails configure check with LibreSSL-2.2.4
austinenglish at gmail.com
Wed Nov 11 11:13:02 AEDT 2015
On Tue, Nov 10, 2015 at 2:19 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> On Mon, Nov 09, 2015 at 22:23:12 -0600, Austin English wrote:
>> On Mon, Nov 9, 2015 at 5:35 PM, Darren Tucker <dtucker at zip.com.au> wrote:
>> > On Tue, Nov 10, 2015 at 9:22 AM, Austin English <austinenglish at gmail.com> wrote:
>> >> Howdy,
>> >> I'm attempting to compile openssh-7.1p1 using libressl-2.2.4 for the
>> >> ssl implementation. Unfortunately, this fails to work (tested on
>> >> Debian Unstable and Gentoo):
>> > [...]
>> >> conftest.c:225:4: warning: implicit declaration of function 'exit'
>> >> [-Wimplicit-function-declaration]
>> >> exit(1);
>> >> ^
>> > These things are noise. I'll fix them, but they're not the cause of
>> > your problem.
>> Sure, just wanted to be complete.
>> >> ./conftest: error while loading shared libraries: libcrypto.so.35:
>> >> cannot open shared object file: No such file or directory
>> > This is the problem: configure is telling the linker to link against
>> > libcrypto in the libressl directory but you have not told the runtime
>> > linker to look there for shared libraries, so your binaries (in this
>> > case, the configure test) fail at runtime.
>> > To fix this you probably want to either:
>> > - add /opt/libressl-2.2.4/lib to /etc/ld.conf or /etc/ld.conf.d/ and
>> > run ldconfig
>> > - remove the .so files from /opt/libressl-2.2.4/lib so that the
>> > linker will pick up the static libcrypto.
>> I tried removing the .so's, but openssh then falls back to the system
>> openssl instead of the specified ssl. The .a's are present (I also
>> tried explicitly building libressl with --enable-shared, but that made
>> no difference).
> This is actually an old issue that predates LibreSSL. The static library
> is not compiled with -fPIC, so it it unusable by OpenSSH when the
> build-hardening options are enabled. If you rebuild LibreSSL with
> CLFAGS=-fPIC and also supply --disable-shared to ./configure, OpenSSH
> should be able to build. Alternatively, you could disable the build
> hardening in OpenSSH, but that seems like a step backwards.
This does work, thanks for the tip!
>> >> doing:
>> >> export LD_LIBRARY_PATH=/opt/libressl-2.2.4
>> >> Works around this issue, and allows OpenSSH to compile (though some
>> >> tests fail that don't with openssl-1.0.2d.
>> > That'll help anything that inherits the environment, but anything that
>> > sanitizes its environment (eg sudo) will fail, and the resulting
>> > binaries won't work without the environment variable.
> Another alternative would be to pass -Wl,-R/opt/libressl-2.2.4/lib to
> the compiler to embed the search path in the headers of the executables.
> You could add --with-ldflags=-Wl,-R/opt/libressl-2.2.4/lib to the
> configure options to OpenSSH.
> It might be nice if this option was added automatically be configure,
> but I don't know if it's sufficiently portable to be worthwhile.
Yes, it would. OpenSSH(p) runs on more platforms than I'm familiar
with, so I can't say :)
> Iain Morgan
>> > --
>> > Darren Tucker (dtucker at zip.com.au)
>> > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>> > Good judgement comes with experience. Unfortunately, the experience
>> > usually comes from bad judgement.
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
> Iain Morgan
More information about the openssh-unix-dev