Mailing-List: contact modules-dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: modules-dev@httpd.apache.org
Received-SPF: pass (athena.apache.org: domain of rainer.jung@kippdata.de
 designates 195.227.30.149 as permitted sender)
Message-ID: <52B4228E.6080909@kippdata.de>
Date: Fri, 20 Dec 2013 11:57:18 +0100
From: Rainer Jung <rainer.jung@kippdata.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: modules-dev@httpd.apache.org
Subject: Re: problem with different version of openssl in Apache and apache
 module
References: <1387481387726-5010925.post@n6.nabble.com>
 <E413A31B-608C-449E-9975-BF36517884D5@alex.org.uk>
In-Reply-To: <E413A31B-608C-449E-9975-BF36517884D5@alex.org.uk>
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit

On 20.12.2013 10:51, Alex Bligh wrote:
> 
> On 19 Dec 2013, at 19:29, Hong wrote:
> 
>> I wrote an Apache module that call functions in openssl library to sign the
>> messages. The module is dynamic linked to openssl library 1.0.1d when I
>> built it. It works fine when it is loaded into the Apache that was also
>> built with the same version of openssl. But if Apache was built with openssl
>> 0.9.8x, segfault occurred. Is there anything I can do for my built so it
>> also works in the Apache which was built with older version of openssl?
> 
> Static link to openssl?

That often doesn't help, because the runtime linker by default searches
symbols in load order. So if mod_ssl was linked against OpenSSL 0.9.8
and mod_xyz was linked against 1.0.1 and mod_ssl gets loaded before
mod_xyz, then OpenSSL 0.9.8 gets also loaded before (either as a shared
lib or as statically linked into mod_ssl). Now when later the runtime
linker needs to resolve an OpenSSL symbol (e.g. function name) because
it is used in mod_xyz it will first look in OpenSSL 0.9.8 for the symbol
and only if not found there in 1.0.1.

AFAIK there's no really good solution. Some platforms support symbolic
linking (ld -Bsymbolic), which changes the search order for the runtime
linker. With symbolic linking the runtime linker first looks into the
dependencies of the component needing a symbol before searching through
everything in load order. That means symbols needed by mod_xyz would
indeed be searched in OpenSSL 1.0.1 first and in OpenSSL 0.9.8 only as a
fallback. Note that this isn't the same as a symbolic file system link.
There's a couple of negative side effects though.

Another solution should be possible using a linker script but to
implement that you would need to do quite a bit of work integrating the
linker script into the OpenSSL build.

All of this is somehow fragile. It should be more robust to support
different combinations with different builds.

As pointers have a look at:

https://sourceware.org/binutils/docs-2.24/ld/Options.html#Options

(short description of ld -Bsymbolic)

http://www.akkadia.org/drepper/dsohowto.pdf

(search for "symbolic", detailed explanations)

http://www.macieira.org/blog/2012/01/sorry-state-of-dynamic-libraries-on-linux/

http://software.intel.com/en-us/articles/performance-tools-for-software-developers-bsymbolic-can-cause-dangerous-side-effects

http://docs.oracle.com/cd/E19683-01/817-3677/817-3677.pdf

Mostly about Solaris but nevertheless full of interesting stuff.

Regards,

Rainer