On Mon, Nov 09, 2015 at 22:23:12 -0600, Austin English wrote: > On Mon, Nov 9, 2015 at 5:35 PM, Darren Tucker <dtucker@xxxxxxxxxx> wrote: > > On Tue, Nov 10, 2015 at 9:22 AM, Austin English <austinenglish@xxxxxxxxx> wrote: > >> Howdy, > >> > >> I'm attempting to compile openssh-7.1p1 using libressl-2.2.4 for the > >> ssl implementation. Unfortunately, this fails to work (tested on > >> Debian Unstable and Gentoo): > > [...] > >> conftest.c:225:4: warning: implicit declaration of function 'exit' > >> [-Wimplicit-function-declaration] > >> exit(1); > >> ^ > > > > These things are noise. I'll fix them, but they're not the cause of > > your problem. > > Sure, just wanted to be complete. > > >> ./conftest: error while loading shared libraries: libcrypto.so.35: > >> cannot open shared object file: No such file or directory > > > > This is the problem: configure is telling the linker to link against > > libcrypto in the libressl directory but you have not told the runtime > > linker to look there for shared libraries, so your binaries (in this > > case, the configure test) fail at runtime. > > > > To fix this you probably want to either: > > - add /opt/libressl-2.2.4/lib to /etc/ld.conf or /etc/ld.conf.d/ and > > run ldconfig > > - remove the .so files from /opt/libressl-2.2.4/lib so that the > > linker will pick up the static libcrypto. > > I tried removing the .so's, but openssh then falls back to the system > openssl instead of the specified ssl. The .a's are present (I also > tried explicitly building libressl with --enable-shared, but that made > no difference). This is actually an old issue that predates LibreSSL. The static library is not compiled with -fPIC, so it it unusable by OpenSSH when the build-hardening options are enabled. If you rebuild LibreSSL with CLFAGS=-fPIC and also supply --disable-shared to ./configure, OpenSSH should be able to build. Alternatively, you could disable the build hardening in OpenSSH, but that seems like a step backwards. > > >> doing: > >> export LD_LIBRARY_PATH=/opt/libressl-2.2.4 > >> > >> Works around this issue, and allows OpenSSH to compile (though some > >> tests fail that don't with openssl-1.0.2d. > > > > That'll help anything that inherits the environment, but anything that > > sanitizes its environment (eg sudo) will fail, and the resulting > > binaries won't work without the environment variable. > > Another alternative would be to pass -Wl,-R/opt/libressl-2.2.4/lib to the compiler to embed the search path in the headers of the executables. You could add --with-ldflags=-Wl,-R/opt/libressl-2.2.4/lib to the configure options to OpenSSH. It might be nice if this option was added automatically be configure, but I don't know if it's sufficiently portable to be worthwhile. -- Iain Morgan > > -- > > Darren Tucker (dtucker at zip.com.au) > > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > > Good judgement comes with experience. Unfortunately, the experience > > usually comes from bad judgement. > > > > -- > -Austin > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- Iain Morgan _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev