The system openssl 1.1.1 package on RHEL is heavily patched and
includes some APIs backported from later upstream versions (3.0.x). You
cannot replace it by pristine OpenSSL build. You would have to apply
the patches from the openssl srpm package over the 1.1.1w version
however you will probably encounter conflicts so it will not be a
trivial task to do so.
Unfortunately I do not know how to avoid this libk5crypto.so.3
dependency when linking your application. IMO it should be possible to
avoid it - try to find which library you're explicitly linking to is
pulling it in.
Tomas Mraz, OpenSSL
On Fri, 2023-12-29 at 21:56 +0000, Fox, Shawn D (US) via openssl-users
wrote:
>
>
>
> I have built openssl v1.1.1w from source on the RHEL8 OS using the
> GCC12 toolset. The command to configure looks like this and then
> gmake install used to build and install.
> ./config --prefix=/data/${USER}/repos/tp/openssl-1.1.1w-
> install/release
>
> /data/${USER}/repos/tp/openssl-1.1.1w is the directory containing the
> extracted source and configuration files.
>
> So that worked fine and binaries were produced. However, when I try
> to build my own applications specifying
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib as the
> location of the libraries then I am seeing linker errors such as:
>
> /opt/rh/gcc-toolset-12/root/usr/libexec/gcc/x86_64-redhat-
> linux/12/ld: /lib64/libk5crypto.so.3: undefined reference to
> `EVP_KDF_CTX_free@OPENSSL_1_1_1b'
>
> So far web searches haven’t turned up much info that helps me but one
> thread did indicate that the problem is due to using a downstream
> build of openssl on RHEL8 since red hat backports security fixes into
> an older version that they distribute.
>
> I found some articles about libk5crypto which seems to be something
> related to Kerberos. I’ve no idea how that factors into my
> application build since I don’t believe it has a dependency on that.
> However I have noticed that my build of libcrypto has fewer symbols
> then the libcrypto installed to RHEL8. Take a look at this.
>
> objdump -TC /lib64/libcrypto.so |grep EVP_KDF
> 00000000001725d0 g DF .text 00000000000000f0 OPENSSL_1_1_1b
> EVP_KDF_ctrl
> 00000000001726c0 g DF .text 000000000000008e OPENSSL_1_1_1b
> EVP_KDF_ctrl_str
> 0000000000172570 g DF .text 0000000000000021 OPENSSL_1_1_1b
> EVP_KDF_reset
> 0000000000172750 g DF .text 0000000000000030 OPENSSL_1_1_1b
> EVP_KDF_size
> 00000000001725a0 g DF .text 0000000000000023 OPENSSL_1_1_1b
> EVP_KDF_vctrl
> 0000000000172450 g DF .text 0000000000000111 OPENSSL_1_1_1b
> EVP_KDF_CTX_new_id
> 0000000000172410 g DF .text 0000000000000031 OPENSSL_1_1_1b
> EVP_KDF_CTX_free
> 0000000000172780 g DF .text 0000000000000023 OPENSSL_1_1_1b
> EVP_KDF_derive
>
> /data/${USER}/repos/tp/openssl-1.1.1w-install/release/lib
>
> objdump -TC libcrypto.so | grep EVP_KDF
> <no symbols found>
>
> I searched the CHANGE notes for SSL 1.1.1w and the INSTALL file for
> configure instructions but I do not see any reason why these symbols
> are not being produced in my build. My guess is that during linking
> something must have transitive dependency on libk5crypto which
> requires the symbols in question which do not exist in my custom
> build of libcrypto. How can I build libcrypto so that it has these
> EVP* symbols?
>
> Thanks,
> Shawn Fox
>
--
Tomáš Mráz, OpenSSL
