libgnutls-openssl and real openssl conflict

Andrew Bartlett abartlet at samba.org
Tue Aug 26 23:34:06 UTC 2008 

On Tue, 2008-08-26 at 20:31 +0200, Hans de Goede wrote:
> Robert Relyea wrote:
> > Hans de Goede wrote:
> >> Nils Philippsen wrote:
> >>> On Tue, 2008-08-26 at 08:39 +1000, Andrew Bartlett wrote:
> >>>> On Mon, 2008-08-25 at 20:04 +0200, Hans de Goede wrote:
> >>>>> Hi All,
> >>>>>
> >>>>> The story begins here:
> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=446860
> >>>>>
> >>>>> The problem is, or I believe it to be, that when an application 
> >>>>> uses libgnutls-openssl (meant for easy use of porting openssl 
> >>>>> programs to gnutls) for example because of the openssl license 
> >>>>> issues, and then a library uses the real openssl (for example glibc 
> >>>>> through nss_ldap) then in the nss_ldap example, the layer dlopen's 
> >>>>> nss_ldap starts using the openssl symbols from gnutls instead of 
> >>>>> those from openssl, but they are not ABI compatible -> boom.
> >>>>>
> >>>>> Luckily the list of libgnutls-openssl users seems small:
> >>>>>
> >>>>> [hans at localhost src]$ repoquery -q --whatrequires 
> >>>>> 'libgnutls-openssl.so.26()(64bit)'
> >>>>> mcabber-0:0.9.7-1.fc10.x86_64
> >>>>> gnutls-0:2.4.1-1.fc10.x86_64
> >>>>> gnutls-devel-0:2.4.1-1.fc10.x86_64
> >>>>> zoneminder-0:1.23.3-1.fc10.x86_64
> >>>>> gkrellm-0:2.3.1-4.fc10.x86_64
> >>>>>
> >>>>> So only 3 programs are affected, given that the same may happen 
> >>>>> when any used library uses the real openssl and the application or 
> >>>>> any other library uses gnutls-openssl, I would like to suggest the 
> >>>>> removal of libgnutls-openssl from Fedora, as long as we have this 
> >>>>> openssl libraries mess (which we unfortunately do) we should make 
> >>>>> sure that the various ssl libraries do not have symbol clashes, as 
> >>>>> changes are that through a mix of libraries an application may be 
> >>>>> using 2 (or even 3) different ssl libs.
> >>>>>
> >>>>> So whats your 2 cents on this?
> >>>> How does the NSS (Mozilla SSL) OpenSSL wrapper avoid this problem?
> >>>
> >>> Completely uninformed guess: by using macros or other techniques to add
> >>> a prefix to the symbols that end up in the binary?
> >>>
> >>
> >> I didn't know nss has an openssl compatibility sub lib too, I just 
> >> checked and it doesn't do any symbol magic, iow it has the same 
> >> problems as the gnutls openssl compatibility sublib.
> > Some of the symbols are renamed, but not enough of them. I think 
> > nsscompatossl has not run into the problem because it hasn't had cases 
> > where it was linked with openssl apps.
> 
> I hate to bring you bad news, but as nss_ldap, which is a glibc plugin used on 
> any site which uses ldap, uses openssl any application can be linked to openssl 
> (through /etc/nssswitch.conf).
> 
> So we do have an issue here, it does seem we are lucky sofar (just as with 
> gnutls) because sofar only slrn seems to use libnss_compat_ossl.

Isn't this what symbol versions are meant to solve? (and has solved for
example having Heimdal and MIT kerberos on Debian, for many years).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20080827/54f408fc/attachment.sig>

More information about the fedora-devel-list mailing list