[ntp:hackers] Dynamic ssl and crypto libraries

Brian Utterback brian.utterback at sun.com
Tue Oct 25 08:30:32 PDT 2005


Danny Mayer wrote:
> Brian Utterback wrote:
> 
>>Harlan Stenn wrote:
>>
>>
>>>Folks,
>>>
>>>https://ntp.isc.org/bugs/show_bug.cgi?id=517 contains a patch to use the
>>>dynamic crypto and ssl libraries that are shipped with Solaris.  The
>>>static libraries are not shipped.
>>>
>>>I'm tempted to look for dynamic or static libraries on all platforms,
>>>and before I do this I thought I'd ask to see if there are any reasons
>>>we should *not* look for dynamic libraries by default.
>>>
>>>One reason that leaps to my mind is that if somebody upgrades the
>>>dynamic libraries without saving the older versions and there is an API
>>>change, we're gonna have to abort.  If we use a static library we won't
>>>have this problem.
>>
>>
>>And if a serious bug is discovered in the static libraries, then you
>>will have to rebuild. It is the classic dynamic vs. static library
>>debate. If the dynamic libraries are properly versioned and maintained,
>>then dynamic libraries are by far the best choice. If you are getting
>>them out of someplace like /usr/local where you depend on the competence
>>of the local system admin, then static is possibly better.
>>
>>One might be inclined to use dynamic by default, and use static if
>>the "with-openssl-libdir" is used, but that is only true if you have
>>configured all of the places that each distribution delivers openssl
>>and not configured /usr/local and any other popular but local spot.
>>This is not true for Solaris, for instance, which delivers openssl in
>>/usr/sfw/lib and /usr/sfw/include. I would be happy if those were added
>>to the searched directories, by the way.
> 
> 
> So did something change on Solaris that static worked before and now
> doesn't?
> 
> Danny
> 

I don't think so. I have not been testing the crypto stuff yet, so
it probably never was built with OPENSSL defined for me. The bug
that Dave introduced when crypto_update was called without the
OPENSSL ifdef just made it squawk and that's when I noticed it.

Also, there was a period when I did build it pointing to a static
version of openssl that was used during the Solaris 10 build process,
but was removed once openssl became a Solaris deliverable.

-- 
blu

"Having them stolen may become our distribution model..."
Nicolas Negroponte on the Hundred Dollar Laptop.
----------------------------------------------------------------------
Brian Utterback - OP/N1 RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom