Re: AW: Can't Compile httpd 2.2.11 linked statically with ssl and zlib

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2008-12-19 at 10:56 +0100, xPostings wrote:
> > > compiled zlib:
> > > ./configure
> > > make
> > > make install
> >
> > What's your prefix here?  It'd probably default to /usr/local
> 
> default prefix is /usr/local (compiled library will be in /usr/local/lib and include files are in /usr/local/include)
> 
> > > compiled openssl 0.9.8i:
> > > ./config no-zlib shared
> > > make
> > > make install
> >
> > Again, what's the prefix?  And, specifying 'shared' will build the
> > *.so libraries which are then picked up by the Apache build system.
> 
> default prefix is /usr/local/ssl
> If I do not use "shared" the ./configure of apache fails. To compile mod_ssl statically into httpd can't be done without having compiled the shared libs of openssl.
> 
> > >
> > > compiled apache httpd:
> > > ./buildconf
> > > ./configure --prefix=/usr/local/apache2.2.11 \
> > > --enable-static-support \
> > > --with-mpm=worker \
> > > --enable-mods-shared=all \
> > > --enable-so \
> > > --enable-deflate=static \
> > > --with-z=/usr/local/lib \
> >
> > Usually, you point to the top of the zlib installation which
> > would be /
> > usr/local, under which the compiler finds the include/headers
> > and the
> > linker finds the lib/libraries.
> 
> You're right, that was a mistake, I recompiled with --with-z=/usr/local, but the result is the same.
> 
> 
> > > --enable-ssl=static \
> > > --with-ssl=/usr/local/ssl \
> >
> > This must match your prefix above, or the default.
> 
> that's correct.
> 
> >
> > > --enable-rewrite=static \
> > > --enable-auth-basic=static \
> > > --enable-authn-file=static \
> > > --enable-authz-user=static \
> > > --enable-authz-groupfile=static \
> > > --enable-authz-host=static \
> > > --enable-expires=static \
> > > --enable-headers=static
> > >
> > > If I look to the depencies with ldd there is a dynamically linked
> > > libz and libssl:
> > >
> > >        linux-gate.so.1 =>  (0xffffe000)
> > >        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8
> > > (0xb7eb9000)
> > >        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8
> > > (0xb7d7e000)
> >
> > That's your system installation of openssl 0.9.8*.  Two things may
> > have happened:
> >
> > 1) You linked against the .so shared libraries in your installation,
> > but at runtime you're picking up the system copy.  It seems that
> > embedding the hard path to the shared libraries in the
> > calling binary
> > doesn't work too well on Linnicks.  This can be remedied by adding /
> > usr/local/ssl/lib (or whatever, see the discussion on prefix
> > above) to
> > the LD_LIBRARY_PATH environment variable when you start
> > Apache.  This
> > can be done in the script that starts the server, or on the command
> > line for testing.
> 
> We do use the compiled versions of httpd on other machines (production), that's the reason we do not wan't to have dynamic linked binaries. It was never necessary to modify LD_LIBRARY_PATH before because everything httpd needs (zlib and ssl) should be compiled into httpd.
> 
> >
> > 2) The System openssl was found in favor of yours when configuring.
> > This should not happen.  Study your ./configure output where
> > it tries
> > to find the proper openssl library and see what exactly happens there.
> 
> 
> The output of ./configure seems to be correct:
> 
> checking for SSL/TLS toolkit base... /usr/local/ssl
>   adding "-I/usr/local/ssl/include" to CPPFLAGS
>   adding "-I/usr/local/ssl/include" to INCLUDES
>   adding "-L/usr/local/ssl/lib" to LDFLAGS
> checking for OpenSSL version... checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> OK
>   forcing SSL_LIBS to "-lssl -lcrypto  -lrt -lcrypt  -lpthread -ldl"
>   adding "-lssl" to LIBS
>   adding "-lcrypto" to LIBS
>   adding "-lrt" to LIBS
>   adding "-lcrypt" to LIBS
>   adding "-lpthread" to LIBS
>   adding "-ldl" to LIBS
> checking openssl/engine.h usability... yes
> checking openssl/engine.h presence... yes
> checking for openssl/engine.h... yes
> checking for SSLeay_version... yes
> checking for SSL_CTX_new... yes
> checking for ENGINE_init... yes
> checking for ENGINE_load_builtin_engines... yes
> checking for SSL_set_cert_store... no
>   forcing MOD_SSL_LDADD to "$(SSL_LIBS)"
> checking whether Distcache is required... no (default)
> checking whether to enable mod_ssl... yes
>   adding "-I$(top_srcdir)/modules/ssl" to INCLUDES
> 
> >
> > >
> > >        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7d59000)
> > >        libaprutil-1.so.0 => /usr/local/apache2.2.11/lib/
> > > libaprutil-1.so.0 (0xb7d3d000)
> > >        libexpat.so.0 => /usr/local/apache2.2.11/lib/libexpat.so.0
> > > (0xb7d21000)
> > >        libapr-1.so.0 => /usr/local/apache2.2.11/lib/libapr-1.so.0
> > > (0xb7cfc000)
> > >        librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0xb7cf3000)
> > >        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1
> > (0xb7cc4000)
> > >        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0
> > > (0xb7cb2000)
> > >        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7cae000)
> > >        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b7d000)
> > >        libz.so.1 => /usr/lib/libz.so.1 (0xb7b69000)
> >
> > Again, that's the system copy.  Same story, plus it may not
> > have found
> > yours because your parameter was off.  Again, see your ./configure
> > output.
> 
> Output seems to be correct:
> checking whether to enable mod_deflate... checking dependencies
>   adding "-I/usr/local/include" to INCLUDES
>   adding "-L/usr/local/lib" to LDFLAGS
>   adding "-lz" to LIBS
> checking for zlib library... found
>   forcing MOD_DEFLATE_LDADD to "-lz"
>   removed "-lz" from LIBS
> checking whether to enable mod_deflate... yes
> 
> >
> > >
> > >        /lib/ld-linux.so.2 (0xb7efe000)
> > >
> > > What's going wrong? libssl and libz shouldn't be linked
> > dynamically.
> > > With httpd 2.2.3 and the same configuration I haven't had these
> > > problems. ldd from the old 2.2.3 shows following depencies:
> > >
> > >        linux-gate.so.1 =>  (0xffffe000)
> > >        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7edf000)
> > >        libaprutil-1.so.0 => /usr/local/apache2.2.3/lib/
> > > libaprutil-1.so.0 (0xb7ec9000)
> > >        libexpat.so.0 => /usr/local/apache2.2.3/lib/libexpat.so.0
> > > (0xb7eac000)
> > >        libapr-1.so.0 => /usr/local/apache2.2.3/lib/libapr-1.so.0
> > > (0xb7e8a000)
> > >        librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0xb7e81000)
> > >        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1
> > (0xb7e53000)
> > >        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0
> > > (0xb7e40000)
> > >        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7e3c000)
> > >        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d0b000)
> > >        /lib/ld-linux.so.2 (0xb7f0a000)
> >
> > No openssl libraries linked to this one.  Are you sure they weren't
> > just linked into mod_ssl.so?
> 
> I'm pretty sure, in this case there's no mod_ssl.so because it's compiled into httpd,
> 
> cheers
> mike
> 
configure just builds up the list of locations where to find libraries
that have the features it needs. So, you tell it SSL is
in /usr/local/ssl, it goes away and looks there and says "you're right,
theres SSL libraries there, adding /usr/local/ssl/lib to
LDPATH, /usr/local/ssl/include to CFLAGS". 
When it comes to build/link the components though, it has no idea that
it is supposed to be using the SSL libraries from /usr/local/ssl, just
that it has a list of folders which it CAN use. It searches them in
order, looking for a library that works in the manner required. Once the
linker has found a suitable library, it links it in.

Your problem is that your system SSL libraries are picked up before your
custom built ones are found. A simple way to fix this is to modify the
makefile rules for those modules, to remove the dynamic linking
statements and add some dirty static linking.

Eg, I just grabbed 2.2.11, ran 
  ./configure \
  --prefix=/tmp/foobar \
  --enable-so \
  --enable-mods-shared="ssl deflate"
built and installed it. This gave me an httpd binary and module files
linked like so (this is FreeBSD, so YMMV):
bin/httpd:
	libm.so.5 => /lib/libm.so.5 (0x280f3000)
	libaprutil-1.so.3 => /usr/local/lib/libaprutil-1.so.3 (0x28108000)
	libdb-4.2.so.2 => /usr/local/lib/libdb-4.2.so.2 (0x28124000)
	libexpat.so.6 => /usr/local/lib/libexpat.so.6 (0x281f8000)
	libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28218000)
	libapr-1.so.3 => /usr/local/lib/libapr-1.so.3 (0x2830d000)
	libcrypt.so.4 => /lib/libcrypt.so.4 (0x28331000)
	libthr.so.3 => /lib/libthr.so.3 (0x2834a000)
	libc.so.7 => /lib/libc.so.7 (0x2835d000)
modules/mod_deflate.so:
	libz.so.4 => /lib/libz.so.4 (0x28187000)
	libc.so.7 => /lib/libc.so.7 (0x28080000)
modules/mod_ssl.so:
	libssl.so.5 => /usr/lib/libssl.so.5 (0x281ac000)
	libcrypto.so.5 => /lib/libcrypto.so.5 (0x281ed000)
	libcrypt.so.4 => /lib/libcrypt.so.4 (0x28347000)
	libthr.so.3 => /lib/libthr.so.3 (0x28360000)
	libc.so.7 => /lib/libc.so.7 (0x28080000)

I dont want to use dynamic libz in mod_deflate, and I dont want to use
dynamic libssl in mod_ssl. I therefore edit (from apache top build
directory) build/config_vars.mk and make these changes:

--- build/config_vars.mk.orig	
+++ build/config_vars.mk	
@@ -50,5 +50,5 @@
 MOD_INCLUDE_LDADD =
 MOD_FILTER_LDADD =
-MOD_DEFLATE_LDADD = -lz
+MOD_DEFLATE_LDADD = /usr/lib/libz.a
 MOD_LOG_CONFIG_LDADD =
 MOD_ENV_LDADD =
@@ -60,5 +60,5 @@
 MOD_PROXY_AJP_LDADD =
 MOD_PROXY_BALANCER_LDADD =
-SSL_LIBS = -lssl -lcrypto -lcrypt -lpthread
+SSL_LIBS = /usr/lib/libssl.a -lcrypto -lcrypt -lpthread
 MOD_SSL_LDADD = $(SSL_LIBS) -export-symbols-regex ssl_module
 MPM_NAME = prefork

and clean, rebuild and reinstall (make clean all && make install). You
should get warnings about this not being portable - and it isnt. These
binaries probably wont run on differently setup boxes. This then gives
me the modules built like so:
bin/httpd:
	libm.so.5 => /lib/libm.so.5 (0x280f3000)
	libaprutil-1.so.3 => /usr/local/lib/libaprutil-1.so.3 (0x28108000)
	libdb-4.2.so.2 => /usr/local/lib/libdb-4.2.so.2 (0x28124000)
	libexpat.so.6 => /usr/local/lib/libexpat.so.6 (0x281f8000)
	libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28218000)
	libapr-1.so.3 => /usr/local/lib/libapr-1.so.3 (0x2830d000)
	libcrypt.so.4 => /lib/libcrypt.so.4 (0x28331000)
	libthr.so.3 => /lib/libthr.so.3 (0x2834a000)
	libc.so.7 => /lib/libc.so.7 (0x2835d000)
modules/mod_deflate.so:
	libc.so.7 => /lib/libc.so.7 (0x28080000)
modules/mod_ssl.so:
	libcrypto.so.5 => /lib/libcrypto.so.5 (0x281e2000)
	libcrypt.so.4 => /lib/libcrypt.so.4 (0x2833c000)
	libthr.so.3 => /lib/libthr.so.3 (0x28355000)
	libc.so.7 => /lib/libc.so.7 (0x28080000)

HTH

Tom


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux