[ntp:hackers] Dynamic ssl and crypto libraries

David L. Mills mills at udel.edu
Tue Oct 25 10:10:12 PDT 2005


Brian,

I don't feel so bad about that stupid bug, but it woke everybody up. All 
the machines here have local copies of ssh and ssl. Our department 
machines have butchered ssh because, as the staff says, hostbased mode 
doesn't work with ex-box sources. I can confirm it does work with those 
machines, but does not work ex-box in FreeBSD.

Dave

Brian Utterback wrote:

> Danny Mayer wrote:
>
>> Brian Utterback wrote:
>>
>>> Harlan Stenn wrote:
>>>
>>>
>>>> Folks,
>>>>
>>>> https://ntp.isc.org/bugs/show_bug.cgi?id=517 contains a patch to use the
>>>> dynamic crypto and ssl libraries that are shipped with Solaris.  The
>>>> static libraries are not shipped.
>>>>
>>>> I'm tempted to look for dynamic or static libraries on all platforms,
>>>> and before I do this I thought I'd ask to see if there are any reasons
>>>> we should *not* look for dynamic libraries by default.
>>>>
>>>> One reason that leaps to my mind is that if somebody upgrades the
>>>> dynamic libraries without saving the older versions and there is an API
>>>> change, we're gonna have to abort.  If we use a static library we won't
>>>> have this problem.
>>>
>>> And if a serious bug is discovered in the static libraries, then you
>>> will have to rebuild. It is the classic dynamic vs. static library
>>> debate. If the dynamic libraries are properly versioned and maintained,
>>> then dynamic libraries are by far the best choice. If you are getting
>>> them out of someplace like /usr/local where you depend on the competence
>>> of the local system admin, then static is possibly better.
>>>
>>> One might be inclined to use dynamic by default, and use static if
>>> the "with-openssl-libdir" is used, but that is only true if you have
>>> configured all of the places that each distribution delivers openssl
>>> and not configured /usr/local and any other popular but local spot.
>>> This is not true for Solaris, for instance, which delivers openssl in
>>> /usr/sfw/lib and /usr/sfw/include. I would be happy if those were added
>>> to the searched directories, by the way.
>>
>> So did something change on Solaris that static worked before and now
>> doesn't?
>>
>> Danny
>>
>
> I don't think so. I have not been testing the crypto stuff yet, so
> it probably never was built with OPENSSL defined for me. The bug
> that Dave introduced when crypto_update was called without the
> OPENSSL ifdef just made it squawk and that's when I noticed it.
>
> Also, there was a period when I did build it pointing to a static
> version of openssl that was used during Solaris 10 build process,
> but was removed once openssl became a Solaris deliverable.
>
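A defender-side check related to the static-versus-dynamic question discussed above, added here as an example and not code from the ntp project or from anyone in this thread: it reads the `ldd` listing of a binary such as ntpd and reports whether its OpenSSL code comes from a versioned shared object (patchable in place), is missing, or is not referenced at all (statically linked or built without OPENSSL, so a library fix means a rebuild). It assumes POSIX sh and awk; the sample `ldd` output at the bottom is constructed.

```shell
#!/bin/sh
# classify_openssl_linkage: read `ldd <binary>` output on stdin and print
#   dynamic:<path>   libssl/libcrypto resolved from the shared object at <path>
#   missing:<name>   a shared OpenSSL library is required but not found
#   static           no OpenSSL shared object is referenced at all
# Usage on a real system:  ldd /usr/sbin/ntpd | classify_openssl_linkage
classify_openssl_linkage() {
    awk '
        /libcrypto\.so|libssl\.so/ {
            if ($0 ~ /not found/) {
                # e.g. "        libcrypto.so.3 => not found"
                sub(/^[ \t]+/, ""); split($0, f, " ")
                print "missing:" f[1]; found = 1; next
            }
            # e.g. "libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x7f...)"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print "dynamic:" $i; found = 1; break }
        }
        END { if (!found) print "static" }
    '
}

# Constructed sample of ldd output for a dynamically linked binary (not a
# real capture); on a real host pipe `ldd` into the function instead.
printf 'linux-vdso.so.1 (0x1)\n\tlibssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x2)\n\tlibcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x3)\n' \
    | classify_openssl_linkage
```

A `static` result on a binary that should be using crypto is the case Harlan and Brian describe: the OpenSSL fix ships, but this binary only picks it up after a rebuild.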