Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 12 Feb 2003 20:08:20 -0800
From:      "Lucky Green" <shamrock@cypherpunks.to>
To:        <postfix_tls@aet.tu-cottbus.de>, <ports@freebsd.org>, <openssl-users@openssl.org>
Cc:        "'Vivek Khera'" <khera@kcilink.com>, <freebsd-current@FreeBSD.ORG>
Subject:   OpenSSL 0.9.6/0.9.7 library version conflicts
Message-ID:  <003201c2d315$8d998e20$6601a8c0@VAIO650>

next in thread | raw e-mail | index | archive | help
I just spent a few days trying to determine why postfix with STARTTLS
enabled is instantly dumping core on my new FreeBSD 5.0 machine.

The problem was caused by a conflict between OpenSSL library versions
0.9.6 and 0.9.7, both of which are installed on the machine. The former
as part of the FreeBSD base distribution, the latter as a Port.

Unfortunately, the nature of the conflict, at least on my box, prevented
any meaningful gdb back trace.

If you are seeing unexplained core dumps with SSL-using applications and
have both OpenSSL 0.9.6 and 0.9.7 installed, chances are you ran into
this problem.

Fix:
no idea.

Workaround:
1) Remove one of the two conflicting OpenSSL versions. This may be
non-trivial; on FreeBSD, a Google search seems to indicate that
replacing the OpenSSL version that ships with the OS may lead to other
problems and/or unexpected behavior.

2) Convince your OS provider to upgrade to 0.9.7.

3) If you are a Port/Package/RPM maintainer, you may wish to implement a
check for conflicting OpenSSL library versions.

FYI, FreeBSD is not the only OS on which this problem has been found to
exist. Debian Linux is experience the same problem. See a post to
debian-devel-announce attached below.

Thanks,
--Lucky

-----------------------------
From: Stephen Frost <sfrost@debian.org>
To: debian-devel-announce@lists.debian.org
Subject: OpenSSL 0.9.6/0.9.7, LDAP, SSH, friends
Hey all,

  There are quite a few bugs that are probably because of the problem
  I'm about to describe (177868, 178061, 173821, probably others..) so
  it was felt that this might be something to make other developers
  aware of.

  Currently in Debian there are quite a few packages which still link
  against OpenSSL 0.9.6 (libldap2-tls, ssh-krb5, others).  Newer
  packages are being linked against OpenSSL 0.9.7 (ssh, etc).  The
  problem happens when these two end up getting linked into the same
  running program.  An example of how this can happen is this:

  ssh starts up and brings in 0.9.7.
  A user connects and PAM is configured to use libpam-ldap.
  libpam-ldap loads and brings in libldap2-tls.
  libldap2-tls loads and brings in 0.9.6.

  After this point basically anything involving SSL is questionable at
  best and very likely to give you a segfault.

  Methods to detect this include:
  strace the binary and see if it's loading 0.9.6 and 0.9.7
  set LD_DEBUG=3Dfiles and run the binary and watch the output
  gdb the program, run it and when it segfaults run:
  info sharedlibrary

  gdb worked best for me since it gives a nice short list without lots
  of other information you don't need.  The specific library file I've
  seen is:=20
  /usr/lib/i686/cmov/libcrypto.so.0.9.6
  /usr/lib/i686/cmov/libcrypto.so.0.9.7

  For the record I've heard of similar potential problems with libsasl7
  vs. libsasl2 which involves things like sendmail, slapd, etc.

  I don't have an overall solution to this, though I've heard much about
  versioned symbols perhaps being an answer.  I know that's been
  discussed on d-d some already though and don't know where that went.

  Trying to keep this short, just be on alert for these issues when you
  see bug reports come in about segfaults with these and related
  packages.


	Good luck,

  		Stephen
-----------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003201c2d315$8d998e20$6601a8c0>