Call for testing: OpenSSH 9.7

Darren Tucker dtucker at dtucker.net
Thu Mar 7 09:58:38 AEDT 2024


On Thu, Mar 07, 2024 at 09:39:31AM +1100, Darren Tucker wrote:
> On Thu, 7 Mar 2024 at 02:19, Damien Miller <djm at mindrot.org> wrote:
> > On Tue, 5 Mar 2024, The Doctor wrote:
> > > Showstopper problem!
> > >
> > > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
[...]
> I changed it to better support OpenSSL directories in non-default paths:
> https://github.com/openssh/openssh-portable/commit/26cab41c05
> 
> Just reversing the search path order will cause other problems,
> though, since there is no guarantee the bin/openssl in a non-default
> location is functional (eg if its libraries are not in the system
> default runtime linker path and it's built without -rpath, which it's
> usually not).

Please try this patch.  Note that you will need to run "autoreconf" to
rebuild configure before rerunning it.  I think it covers all of the
cases correctly:

$ which openssl
/usr/bin/openssl

$ ./configure | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/bin/openssl
	OPENSSL_BIN='/usr/bin/openssl' \

$ ./configure --with-ssl-dir=/usr/local | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/local/bin/openssl
	OPENSSL_BIN='/usr/local/bin/openssl' \

$ ./configure --with-ssl-dir=/opt/openssl/3.3.0-dev --with-rpath=-Wl,-rpath, | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/bin/openssl
	OPENSSL_BIN='/usr/bin/openssl' \

$ /opt/openssl/3.3.0-dev/bin/openssl version
/opt/openssl/3.3.0-dev/bin/openssl: /lib64/libssl.so.3: version `OPENSSL_3.2.0' not found (required by /opt/openssl/3.3.0-dev/bin/openssl)

$ make ssh >/dev/null && ./ssh -V
OpenSSH_9.6p1, OpenSSL 3.3.0-dev

diff --git a/configure.ac b/configure.ac
index fda092830..1aba65c00 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2735,7 +2735,15 @@ AC_ARG_WITH([ssl-dir],
 			else
 				CPPFLAGS="-I${withval} ${CPPFLAGS}"
 			fi
-			openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
+			dnl Ensure specified openssl binary works, eg it can
+			dnl find its runtime libraries, before trying to use.
+			if test -x "${withval}/bin/openssl" && \
+			    "${withval}/bin/openssl" version >/dev/null 2>&1; then
+				openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
+			elif test -x "${withval}/apps/openssl" && \
+			    "${withval}/apps/openssl" version >/dev/null 2>&1; then
+				openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
+			fi
 		fi
 	]
 )
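
Review bot: The new if/elif chain under --with-ssl-dir has no else branch, so when neither "${withval}/bin/openssl" nor "${withval}/apps/openssl" passes the "version" check, openssl_bin_PATH is not assigned in this block at all, whereas the removed line always set it. Please confirm it is initialised to ${PATH} before this point (the third test run above, which falls back to /usr/bin/openssl, suggests it is), and consider an explicit else that calls AC_MSG_WARN, so that someone who passed --with-ssl-dir is told that the openssl binary picked up from PATH belongs to a different installation than the library being linked. The dnl comment could also say that the working binary's directory is now placed ahead of ${PATH} instead of after it, since that ordering change is what fixes the reported problem.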

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

