Date: Wed, 12 Feb 2003 20:08:20 -0800 From: "Lucky Green" <shamrock@cypherpunks.to> To: <postfix_tls@aet.tu-cottbus.de>, <ports@freebsd.org>, <openssl-users@openssl.org> Cc: "'Vivek Khera'" <khera@kcilink.com>, <freebsd-current@FreeBSD.ORG> Subject: OpenSSL 0.9.6/0.9.7 library version conflicts Message-ID: <003201c2d315$8d998e20$6601a8c0@VAIO650>
next in thread | raw e-mail | index | archive | help
I just spent a few days trying to determine why postfix with STARTTLS enabled is instantly dumping core on my new FreeBSD 5.0 machine. The problem was caused by a conflict between OpenSSL library versions 0.9.6 and 0.9.7, both of which are installed on the machine. The former as part of the FreeBSD base distribution, the latter as a Port. Unfortunately, the nature of the conflict, at least on my box, prevented any meaningful gdb back trace. If you are seeing unexplained core dumps with SSL-using applications and have both OpenSSL 0.9.6 and 0.9.7 installed, chances are you ran into this problem. Fix: no idea. Workaround: 1) Remove one of the two conflicting OpenSSL versions. This may be non-trivial; on FreeBSD, a Google search seems to indicate that replacing the OpenSSL version that ships with the OS may lead to other problems and/or unexpected behavior. 2) Convince your OS provider to upgrade to 0.9.7. 3) If you are a Port/Package/RPM maintainer, you may wish to implement a check for conflicting OpenSSL library versions. FYI, FreeBSD is not the only OS on which this problem has been found to exist. Debian Linux is experience the same problem. See a post to debian-devel-announce attached below. Thanks, --Lucky ----------------------------- From: Stephen Frost <sfrost@debian.org> To: debian-devel-announce@lists.debian.org Subject: OpenSSL 0.9.6/0.9.7, LDAP, SSH, friends Hey all, There are quite a few bugs that are probably because of the problem I'm about to describe (177868, 178061, 173821, probably others..) so it was felt that this might be something to make other developers aware of. Currently in Debian there are quite a few packages which still link against OpenSSL 0.9.6 (libldap2-tls, ssh-krb5, others). Newer packages are being linked against OpenSSL 0.9.7 (ssh, etc). The problem happens when these two end up getting linked into the same running program. An example of how this can happen is this: ssh starts up and brings in 0.9.7. A user connects and PAM is configured to use libpam-ldap. libpam-ldap loads and brings in libldap2-tls. libldap2-tls loads and brings in 0.9.6. After this point basically anything involving SSL is questionable at best and very likely to give you a segfault. Methods to detect this include: strace the binary and see if it's loading 0.9.6 and 0.9.7 set LD_DEBUG=3Dfiles and run the binary and watch the output gdb the program, run it and when it segfaults run: info sharedlibrary gdb worked best for me since it gives a nice short list without lots of other information you don't need. The specific library file I've seen is:=20 /usr/lib/i686/cmov/libcrypto.so.0.9.6 /usr/lib/i686/cmov/libcrypto.so.0.9.7 For the record I've heard of similar potential problems with libsasl7 vs. libsasl2 which involves things like sendmail, slapd, etc. I don't have an overall solution to this, though I've heard much about versioned symbols perhaps being an answer. I know that's been discussed on d-d some already though and don't know where that went. Trying to keep this short, just be on alert for these issues when you see bug reports come in about segfaults with these and related packages. Good luck, Stephen ----------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003201c2d315$8d998e20$6601a8c0>