Re: A new workaround for bug 3816: ssl_crtd crash with OpenSSL v...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 15 May 2013 03:35:01 +1200

On 15/05/2013 2:09 a.m., Tsantilas Christos wrote:
> On 05/14/2013 03:00 PM, Amos Jeffries wrote:
>> On 14/05/2013 11:13 p.m., Tsantilas Christos wrote:
>>> On 05/14/2013 12:52 PM, Amos Jeffries wrote:
>>> Currently, after squid build, the system admin has to update the ld.so
>>> configuration or set LD_LIBRARY_PATH to load the correct openSSL
>>> libraries.
>> That is what I mean. If they have to do that then we are not setting
>> CPPFLAGS quite right. They should only have to build --with-openssl=X to
>> use the X library installation. Nothing else special.
>>
>>> This is also for Kerberos, LDAP libraries, XML libraries, and expat
>>> libraries. Probably this requires a separate patch fixing all of
>>> these...
>> Yes I think we are missing a whole pile of potential -Wl,-rpath=X
>> settings which our ./configure.ac should be adding when relevant.
> For squid binaries we have not to use the (dangerous) -Wl,-rpath=X
> option to the compiler but just pass the "-rpath X" to libtool. The libtool
> knows how to handle this parameter.

For my education: What is so dangerous about it that you know of?

I find documentation that indicates the -L options get turned into
-rpath entries by the compiler, BUT for some compilers when -rpath is
specified explicitly the -L are all ignored. That -L auto-conversion
could be why it has been working for years without anyone noticing the
absence of -rpath in our builds.
  i.e., the problem showing up for you in that ./conftest may be just a
problem specific to your platform?

I also find documentation hinting that when rpath in a binary is *empty*
it might cause security vulnerabilities due to the search patterns. But
that would mean what we are looking at is resolving danger, not adding it.

> The scheme we need to follow is the following:
> - In configure.ac script we need to store the library directory. For
> example for openSSL library path:
> SSLLIBDIR="$with_openssl/lib"
> AC_SUBST(SSLLIBDIR)
>
> - In Makefile.am set the _LDFLAGS parameter, for binaries. For example
> for squid:
> squid_LDFLAGS = -export-dynamic -dlopen force -rpath $(SSLLIBDIR)

You will want to work around the automake conditional
USE_LOADABLE_MODULES when appending to squid_LDFLAGS, but yes that is
probably better than going through the compiler.

Amos
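The loader-search concern raised above (an *empty* rpath entry) can be verified on the built binary rather than argued from documentation. The script below is an added example, not code from this thread or from the Squid project: it reads `readelf -d` (binutils) output and flags RPATH/RUNPATH entries that are empty or relative, which glibc's ld.so resolves against the current working directory, while accepting absolute paths and `$ORIGIN`-relative ones. The function names `check_rpath` and `audit_binary` and the two dynamic-section samples are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Squid thread): audit the RPATH/RUNPATH a
# build actually embedded. Works on `readelf -d` text so it can run offline
# on the constructed samples below; audit_binary runs it on a real file.

# check_rpath TEXT: TEXT is `readelf -d` output. Returns 0 when every
# RPATH/RUNPATH entry is absolute (or $ORIGIN-relative), 1 otherwise.
check_rpath() {
    if ! printf '%s\n' "$1" | grep -Eq '\((RPATH|RUNPATH)\)'; then
        echo "no RPATH/RUNPATH embedded (loader uses ld.so.conf / LD_LIBRARY_PATH)"
        return 0
    fi
    # Take the bracketed value of the first RPATH/RUNPATH line, e.g.
    #   0x1d (RUNPATH)  Library runpath: [/opt/openssl/lib]  ->  /opt/openssl/lib
    list=$(printf '%s\n' "$1" | grep -E '\((RPATH|RUNPATH)\)' | head -n 1 \
           | sed 's/.*\[\(.*\)\].*/\1/')
    status=0
    rest="$list:"          # trailing ':' sentinel so the last entry is handled too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}  # text before the first ':'
        rest=${rest#*:}    # drop it (and the ':')
        case "$entry" in
            "")         echo "BAD: empty rpath entry (ld.so treats it as the cwd)"; status=1 ;;
            '$ORIGIN'*) echo "ok:  $entry (relative to the executable, not the cwd)" ;;
            /*)         echo "ok:  $entry" ;;
            *)          echo "BAD: relative rpath entry '$entry' (resolved from the cwd)"; status=1 ;;
        esac
    done
    return $status
}

# audit_binary FILE: run the check on a real ELF file (needs binutils' readelf).
audit_binary() {
    check_rpath "$(readelf -d "$1" 2>/dev/null)"
}

# Constructed readelf -d excerpts: what a --with-openssl=/opt/openssl build
# should look like, and one with a stray empty entry ("::") in the middle.
GOOD_SAMPLE='Dynamic section at offset 0x2d90 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/openssl/lib]'

BAD_SAMPLE='Dynamic section at offset 0x2d90 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x000000000000000f (RPATH)              Library rpath: [/opt/openssl/lib::/usr/local/lib]'

# Demonstration on the samples (real use: audit_binary ./src/squid).
echo "--- good sample ---"; check_rpath "$GOOD_SAMPLE"
echo "--- bad sample ---";  check_rpath "$BAD_SAMPLE" || echo "audit FAILED (exit $?)"
```

Run it against every installed Squid binary and helper after `make install` (for example `for f in /usr/local/squid/sbin/* /usr/local/squid/libexec/*; do audit_binary "$f"; done`) to confirm the libtool `-rpath $(SSLLIBDIR)` setting actually reached the link step and introduced no empty or relative search entries.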
Received on Tue May 14 2013 - 15:35:10 MDT

This archive was generated by hypermail 2.2.0 : Tue May 14 2013 - 12:00:09 MDT