Jdamian - 3 months ago
Linux Question

OpenSSH 7.3p1 building: configure only finds an old version of OpenSSL libraries

I'm trying to build OpenSSH 7.3p1 on a Linux box which has an old OpenSSL version installed.

First of all I have successfully compiled OpenSSL 1.0.2h and installed it in /opt/openssh-1.0.2h, not in /usr where the old OpenSSL version resides.

tar xzf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/opt/openssl-1.0.2h shared
make depend
make
make test
make install


Then I proceed with OpenSSH:

tar xzf openssh-7.3p1.tar.gz
cd openssh-7.3p1
./configure --prefix=/opt/openssh-7.3p1 --with-openssl=/opt/openssl-1.0.2h


But the configure script fails with the following error message:

checking OpenSSL header version... 0090802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")


The same message is displayed if I use
--with-ssl-dir=/opt/openssl-1.0.2h/ssl


The tool findssl.sh (found in the subdirectory contrib) can properly find all OpenSSL versions. And the notes inside it (comments) suggest using CFLAGS to point out the desired library -- I quote:

# Now run findssl.sh. This should identify the headers and libraries
# present and their versions. You should be able to identify the
# libraries and headers used and adjust your CFLAGS or remove incorrect
# versions. The output will show OpenSSL's internal version identifier
# and should look something like:


Then I tried

./configure CFLAGS="-I/opt/openssl-1.0.2h/include" --prefix=/opt/openssh-7.3p1 --with-openssl=/opt/openssl-1.0.2h


This appears to work because it finds the new OpenSSL header version:

checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")


The next step would be to supply additional options to locate the library files. But if I add LDFLAGS='-L/opt/openssl-1.0.2h/lib' or --with-ldflags='-L/opt/openssl-1.0.2h/lib', this is what I get:

checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.


In summary, I do not know how to make configure use the new OpenSSL libraries.

update 1: if --with-ldflags='-L/opt/openssl-1.0.2h/ssl' is used instead of ···openssl-1.0.2h/lib then the header version check works properly (see a few lines above); the library version check still fails though.

update 2: I traced the problem and found it is related to shared libraries. From the config.log file I got the source code files conftest.c and confdefs.h and the options used to build the runnable conftest:

#include "confdefs.h"
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"

int
main ()
{

    FILE *fd;
    int rc;

    fd = fopen(DATA,"w");
    if (fd == NULL)
        exit(1);

    if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
        SSLeay_version(SSLEAY_VERSION))) < 0)
        exit(1);

    exit(0);
}


This program stores the OpenSSL version as text in the file conftest.ssllibver. For debugging purposes I turned fprintf(fd, into printf( to print the data to the terminal.

The command line used to build the conftest program is:

# gcc -o conftest -I/opt/openssl-1.0.2h/include -Wall \
-Wpointer-arith -Wsign-compare -Wformat-security -Wno-pointer-sign \
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset \
-fstack-protector-all -std=gnu99 -fPIE -Wl,-z,relro -Wl,-z,now \
-Wl,-z,noexecstack -fstack-protector-all -pie conftest.c \
-lcrypto -lrt -ldl -lutil -lz

# ldd conftest |grep libcrypto
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)


It uses the old OpenSSL library.

When -L/opt/openssl-1.0.2h/lib is added as an argument, conftest cannot run because the dynamic loader (ld.so) cannot find libcrypto.so.1.0.0:

# ./conftest
./conftest: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
# ldd conftest | grep libcrypto
libcrypto.so.1.0.0 => not found


But when I make the LD_LIBRARY_PATH environment variable point to /opt/openssl-1.0.2h/lib, the dynamic loader finds the library file libcrypto.so.1.0.0 and thus the executable conftest works properly -- it uses the new OpenSSL library:

# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./conftest
1000208f (OpenSSL 1.0.2h 3 May 2016)
# ldd conftest
libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)

Answer

Export the LD_LIBRARY_PATH environment variable, which must hold the directory where the new OpenSSL library files are, and run the configure script:

# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./configure CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"

Both commands can also be joined in just one:

# LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib ./configure \
CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"
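
An added example, not part of the original answer: a check that classifies `ldd` output into the three cases seen in the question (old system libcrypto resolved, libcrypto.so.1.0.0 not found, new library resolved), so a build can be verified before it is deployed. The function name `check_libcrypto` and the sshd path in the usage comment are assumptions; the sample lines are the ldd outputs quoted above.

```shell
#!/bin/sh
# check_libcrypto EXPECTED_DIR   (reads `ldd` output on stdin)
# Prints one of:  ok:<path>  wrong:<path>  missing:<soname>  unlinked
# Returns 0 only when libcrypto resolves inside EXPECTED_DIR.
# Assumed usage: ldd /opt/openssh-7.3p1/sbin/sshd | check_libcrypto /opt/openssl-1.0.2h/lib
check_libcrypto() {
    expected_dir=${1%/}          # tolerate a trailing slash
    result=unlinked              # no libcrypto line seen at all
    # ldd lines look like: "<soname> => <path> (<addr>)" or "<soname> => not found"
    while read -r soname arrow target _rest || [ -n "$soname" ]; do
        case $soname in
            libcrypto.so*) ;;
            *) continue ;;
        esac
        if [ "$arrow" != "=>" ]; then
            continue
        fi
        if [ "$target" = "not" ]; then
            # The loader cannot find the library: the binary will not start.
            result="missing:$soname"
        elif [ "${target%/*}" = "$expected_dir" ]; then
            result="ok:$target"
        else
            # Resolved, but to a different copy (e.g. the old system OpenSSL).
            result="wrong:$target"
        fi
        break
    done
    printf '%s\n' "$result"
    case $result in
        ok:*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Sample input: the three ldd lines quoted in the question.
LDD_OLD='	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)'
LDD_MISSING='	libcrypto.so.1.0.0 => not found'
LDD_NEW='	libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)'

for sample in "$LDD_OLD" "$LDD_MISSING" "$LDD_NEW"; do
    printf '%s\n' "$sample" | check_libcrypto /opt/openssl-1.0.2h/lib || true
done
```

LD_LIBRARY_PATH only affects processes that inherit it, so run the check in the same environment the built binary will actually be started from.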