<div>Hi everyone,</div><div><br></div><div>I am trying to enable symbol versioning with openssl because I think it would be a better solution to avoid in the future the current difficulties we are facing with the openssl migration.</div>
<div>However, I have some difficulties getting it working and I am not yet sure it will effectively solve the problem.</div><div><br></div><div>I thought that, with symbol versioning, libraries and programs linked with libssl0.9.8 or libssl1.0.0 would always be linked with the correct library even in a runtime dual-linking situation, because the linker would detect that the one library wants the symbol from the 0.9.8 library only and the other one wants the same symbol but from the 1.0.0 library.</div>
<div><br></div><div>It doesn't seem to work exactly as I expected. I still have some additional tests to do to understand, but I would definitely welcome any light on this subject.</div><div><br></div><div><div>I compiled a version of openssl for Solaris >=10 x86 in my experimental repository for those who would like to try:</div>
<div>pkgutil -t <a href="http://buildfarm.opencsw.org/opencsw/experimental/yann">http://buildfarm.opencsw.org/opencsw/experimental/yann</a> -i libssl1_0_0 libssl_dev openssl_utils</div></div><div><br></div><div>Here is some information I've found:</div>
<div><a href="http://docs.oracle.com/cd/E23824_01/html/821-1602/solarisabi-6.html#solarisabi-8">http://docs.oracle.com/cd/E23824_01/html/821-1602/solarisabi-6.html#solarisabi-8</a></div><div><a href="http://docs.oracle.com/cd/E19082-01/819-0690/chapter5-84101/index.html">http://docs.oracle.com/cd/E19082-01/819-0690/chapter5-84101/index.html</a></div>
<div><br></div><div>Here are the details of the tests I've done.</div><div><br></div><div>- I first tried to test if a binary linked with the symbol-versioned libssl would work with the unversioned one. I expected that it wouldn't work.</div>
<div><br></div><div>To test that, I kept the openssl binary linked with the symbol-versioned libssl and downgraded libssl to the unversioned one.</div><div>After that, ldd clearly showed that the installed library was lacking the good version of the library.</div>
<div><br></div><div># ldd /opt/csw/bin/openssl</div><div> libssl.so.1.0.0 => /opt/csw/lib/i386/libssl.so.1.0.0</div><div> libssl.so.1.0.0 (OPENSSL_1.0.1) => (version not found)</div><div> libcrypto.so.1.0.0 => /opt/csw/lib/i386/libcrypto.so.1.0.0</div>
<div> libcrypto.so.1.0.0 (OPENSSL_1.0.1) => (version not found)</div><div>[...]</div><div><br></div><div>but openssl still worked correctly!!</div><div><br></div><div>I was able to launch it, it works, and with verbose linking information I clearly saw that ld.so linked openssl with libssl, although it clearly noticed that it wanted the version OPENSSL_1.0.1 of the library.</div>
<div><br></div><div># LD_DEBUG=all LD_BIND_NOW=1 /opt/csw/bin/openssl </div><div>[...]</div><div><div>01133: version needed processing: file=/opt/csw/bin/openssl</div><div>01133: file version</div>
<div>01133: libssl.so.1.0.0 OPENSSL_1.0.1</div></div><div>[...]</div><div><div>01133: binding file=/opt/csw/bin/openssl to file=/opt/csw/lib/i386/libssl.so.1.0.0: symbol 'i2d_SSL_SESSION'</div>
</div><div>[...]</div><div><br></div><div>and the libssl definitely didn't have the OPENSSL_1.0.1 version</div><div><br></div><div># pvs -s /opt/csw/lib/libssl.so.1.0.0</div><div>(nothing)</div><div><br></div><div><br>
</div><div>- I then tried to test if a binary linked with the unversioned library would work with the versioned one.</div><div><br></div><div>I installed openssl_utils from the unstable repository and installed the libssl1-0-0 package from my experimental repository.</div>
<div>Again openssl worked perfectly, and didn't complain at all, although libssl did implement the versioned symbols:</div><div><br></div><div># pvs -s /opt/csw/lib/libssl.so.1.0.0 </div><div>[...]</div><div><div> libssl.so.1.0.0:</div>
<div> _GLOBAL_OFFSET_TABLE_;</div><div> _etext;</div><div> _DYNAMIC;</div><div> _edata;</div><div> _end;</div><div> _PROCEDURE_LINKAGE_TABLE_;</div>
<div> OPENSSL_1.0.0:</div><div> SSL_get_shared_ciphers;</div><div> SSL_set_bio;</div></div><div>[...]</div><div><div> OPENSSL_1.0.1:</div><div> SSL_CTX_set_srp_client_pwd_callback;</div>
</div><div>[...]</div><div><br></div><div><br></div><div>That's less of a problem here, because that would ease the migration to a libssl with symbol versioning and allow third-party binaries to use our libssl library even if they didn't compile against it.</div>
<div><br></div><div>But I still don't understand how this is supposed to work and I am not quite sure it will prevent a library linked with libsslX from linking with libsslX+1 at runtime.</div><div><br></div><div>It seems the linker considers that an unversioned symbol can be linked to any versioned one.</div>
<div><br></div><div>I will try to compile a libssl0.9.8 with symbol versioning to really test if this would help during a library migration.</div><div><br></div><div>Yann</div>
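<div><br></div><div>Added example, not part of the original message: since the first test above shows the binary still starting while ldd reports "(version not found)", a packaging check can read the ldd output instead of waiting for a runtime failure. The function names are hypothetical and the sample input is constructed from the ldd lines quoted in the message.</div>

```shell
#!/bin/sh
# Added example: report shared-object version requirements that ldd
# could not satisfy. Input is ldd output on stdin, in the format quoted
# in the message: "libssl.so.1.0.0 (OPENSSL_1.0.1) => (version not found)".

# missing_versions (hypothetical name): print one "library version" pair
# per unmet version requirement.
missing_versions() {
    awk '
        /\(version not found\)/ {
            lib = $1
            ver = $2
            gsub(/[()]/, "", ver)   # strip the parentheses around the version name
            print lib, ver
        }'
}

# check_binary_deps (hypothetical name): return 0 if every version
# requirement resolved, 1 otherwise, listing the unmet ones on stderr.
check_binary_deps() {
    missing=$(missing_versions)
    if [ -n "$missing" ]; then
        printf 'unsatisfied version requirements:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample, taken from the ldd output quoted in the message.
sample_ldd_output() {
    cat <<'EOF'
 libssl.so.1.0.0 => /opt/csw/lib/i386/libssl.so.1.0.0
 libssl.so.1.0.0 (OPENSSL_1.0.1) => (version not found)
 libcrypto.so.1.0.0 => /opt/csw/lib/i386/libcrypto.so.1.0.0
 libcrypto.so.1.0.0 (OPENSSL_1.0.1) => (version not found)
EOF
}

# On a real system: ldd /opt/csw/bin/openssl | check_binary_deps
sample_ldd_output | missing_versions
```

<div>Run as a post-install or pre-release gate, the non-zero exit status flags a binary built against a versioned libssl that has been paired with an unversioned one.</div>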