Return-Path: X-Original-To: apmail-httpd-modules-dev-archive@minotaur.apache.org Delivered-To: apmail-httpd-modules-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 87FF410120 for ; Fri, 20 Dec 2013 13:35:30 +0000 (UTC) Received: (qmail 93064 invoked by uid 500); 20 Dec 2013 13:35:08 -0000 Delivered-To: apmail-httpd-modules-dev-archive@httpd.apache.org Received: (qmail 92967 invoked by uid 500); 20 Dec 2013 13:35:00 -0000 Mailing-List: contact modules-dev-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: modules-dev@httpd.apache.org Delivered-To: mailing list modules-dev@httpd.apache.org Received: (qmail 92941 invoked by uid 99); 20 Dec 2013 13:34:52 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Dec 2013 13:34:52 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jmarantz@google.com designates 209.85.219.41 as permitted sender) Received: from [209.85.219.41] (HELO mail-oa0-f41.google.com) (209.85.219.41) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Dec 2013 13:34:45 +0000 Received: by mail-oa0-f41.google.com with SMTP id j17so2857954oag.0 for ; Fri, 20 Dec 2013 05:34:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=aj6XETOE6J5kI3HrTLk0pcEfjcqkrcMUDuMYvMp+X/Y=; b=gnDhUuK613xYK5dayATeAnz0si6oAuNH0VuDv1ci/4c5uBiGARNYRQpr0s1U2w57Yp OLwbsUa4VEaJjfXKh8OKI6a5Dt6jm/TaOFqxPwlgKMJAsl9oiBVATXbFdU8kyJ57TT5G pShlmVH1qor7KAxXBOqKzTWJDLo0TNM3PLTn8zEnn6GD9K9Ewg3EsOKshMWIlEULQlVy n9lA4o/ZBhFP10gAT9WAowFerMW+ZMaNEJlt/5QDwQyMI2oMkM0rI4Dhha2dGoGgUZmW 5UYHuzvj7wQLwtZVR48f+x0fybPjFNs4F8UGECVjWYRUw404G+tKGbmcxIWoLXRTkNC8 AoMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=aj6XETOE6J5kI3HrTLk0pcEfjcqkrcMUDuMYvMp+X/Y=; b=CVi594iubRrEPOvchv0QnjbIX+rxd1lgN3BSJ3/Z2uZjDjmck18AYKiRO5UAAqTs5I H64KwMGgNcOLt1t46DDe+l2+Z+YJNtw+df38L7Hy35bxDkWjBoVV2VYSRI40uKBwm9f6 GoeLss7lqUmaYY+wj2i1Wul9WY1xNkFpQO94w5zDc4aThujmI8Vv8z6V+qGjfvPJRzL5 7MBcURMaV77LgBXAu8aVVo6Av5QwcOz9qfpJ1wG8v8p2x+yck1xDSdtYiZ4dpEkdIlou q7EgLFmDpqoPuQBVC/9Stb9aVPmnozJeYVbtkT2WC2S1sFfSKHl3SL5PA2dbSTiWQ7BK Assg== X-Gm-Message-State: ALoCoQkv3ned40JV29QbSVU78IqugqD89WhmnOf/ZM7Zg2rlLez00fTWpNbFofrqMcO8LZR2d3jGxv5AyhHw5gQZndWRsUz86V1oIBCvEHJP/3zFuYoo+GtkeWMpnLXmG+yH/NPcqcnNX2x6asWRfEYdGwX1ooRvC6zkPy5TfnbzHiYZ5aRwt0zLaxN4q10kTlbLvmDgwZhAUJLUKpAHjsDUb8WJZcnnkg== X-Received: by 10.182.146.104 with SMTP id tb8mr6234000obb.54.1387546464215; Fri, 20 Dec 2013 05:34:24 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.166.67 with HTTP; Fri, 20 Dec 2013 05:34:04 -0800 (PST) In-Reply-To: <52B4228E.6080909@kippdata.de> References: <1387481387726-5010925.post@n6.nabble.com> <52B4228E.6080909@kippdata.de> From: Joshua Marantz Date: Fri, 20 Dec 2013 08:34:04 -0500 Message-ID: Subject: Re: problem with different version of openssl in Apache and apache module To: "modules-dev@httpd.apache.org" Content-Type: multipart/alternative; boundary=f46d04451a391c05ac04edf75632 X-Virus-Checked: Checked by ClamAV on apache.org --f46d04451a391c05ac04edf75632 Content-Type: text/plain; charset=UTF-8 We faced this exact issue (openssl clashes with other linked-in versions) in mod_pagespeed and ngx_pagespeed, its nginx equivalent. We solved this problem in our Apache module because we linked mod_pagespeed.so hiding all the symbols other than the module entry-point into Apache. Here's the link command: g++ -shared -pthread -Wl,-z,noexecstack -fPIC \ -Wl,--version-script=build/mod_pagespeed.map \ -Wl,-soname=libmod_pagespeed.so \ -o out/Debug/obj.target/net/instaweb/libmod_pagespeed.so \ -Wl,--start-group \ object file list ..... \ -Wl,--end-group -lrt Where mod_pagespeed.map contains: { /* Make sure we don't export anything unneeded */ global: pagespeed_module; local: *; }; In nginx we didn't have such a clean solution, since nginx just uses a flat link of .o files. Our resolution is in this script: https://code.google.com/p/modpagespeed/source/browse/trunk/src/net/instaweb/automatic/rename_c_symbols.sh. This script is specific to our purpose but it might contain enough ideas that you could hack it to meet yours. This script is applied to a ".a" file that includes the definition and use of a version of openssl. It simply renames all the C symbols in the .a, leaving the C++ ones intact, and this works for us because the .a in question has a C++ interface. You could hack the script to just rename the openssl symbols and your use of them, and you can extract the list of openssl symbols by grepping the output of "nm libopenssl.a", following some of the patterns in our rename_c_symbols.sh script. -Josh On Fri, Dec 20, 2013 at 5:57 AM, Rainer Jung wrote: > On 20.12.2013 10:51, Alex Bligh wrote: > > > > On 19 Dec 2013, at 19:29, Hong wrote: > > > >> I wrote an Apache module that call functions in openssl library to sign > the > >> messages. The module is dynamic linked to openssl library 1.0.1d when I > >> built it. It works fine when it is loaded into the Apache that was also > >> built with the same version of openssl. But if Apache was built with > openssl > >> 0.9.8x, segfault occurred. Is there anything I can do for my built so it > >> also works in the Apache which was built with older version of openssl? > > > > Static link to openssl? > > That often doesn't help, because the runtime linker by default searches > symbols in load order. So if mod_ssl was linked against OpenSSL 0.9.8 > and mod_xyz was linked against 1.0.1 and mod_ssl gets loaded before > mod_xyz, then OpenSSL 0.9.8 gets also loaded before (either as a shared > lib or as statically linked into mod_ssl). Now when later the runtime > linker needs to resolve an OpenSSL symbol (e.g. function name) because > it is used in mod_xyz it will first look in OpenSSL 0.9.8 for the symbol > and only if not found there in 1.0.1. > > AFAIK there's no really good solution. Some platforms support symbolic > linking (ld -Bsymbolic), which changes the search order for the runtime > linker. With symbolic linking the runtime linker first looks into the > dependencies of the component needing a symbol before searching through > everything in load order. That means symbols needed by mod_xyz would > indeed be searched in OpenSSL 1.0.1 first and in OpenSSL 0.9.8 only as a > fallback. Note that this isn't the same as a symbolic file system link. > There's a couple of negative side effects though. > > Another solution should be possible using a linker script but to > implement that you would need to do quite a bit of work integrating the > linker script into the OpenSSL build. > > All of this is somehow fragile. It should be more robust to support > different combinations with different builds. > > As pointers have a look at: > > https://sourceware.org/binutils/docs-2.24/ld/Options.html#Options > > (short description of ld -Bsymbolic) > > http://www.akkadia.org/drepper/dsohowto.pdf > > (search for "symbolic", detailed explanations) > > > http://www.macieira.org/blog/2012/01/sorry-state-of-dynamic-libraries-on-linux/ > > > http://software.intel.com/en-us/articles/performance-tools-for-software-developers-bsymbolic-can-cause-dangerous-side-effects > > http://docs.oracle.com/cd/E19683-01/817-3677/817-3677.pdf > > Mostly about Solaris but nevertheless full of interesting stuff. > > Regards, > > Rainer > --f46d04451a391c05ac04edf75632--