I am trying to update my web server to the latest OpenSSL with the Heartbleed patch (1.0.1g). I grabbed the tarball from openssl.org. Said the usual ./configure; make; make install. Had to say config shared to get it to make the .so file (by default it only generates the .a). Updated the link in /usr/lib64 to point to the new .so.
Now httpd fails to run with the following complaint:
/usr/sbin/httpd: symbol lookup error: /usr/lib64/libssl.so.1: undefined symbol: EVP_idea_cbc
nm -g | grep idea says: U EVP_idea_cbc ... so it knows about the symbol, but the symbol is undefined.
OpenSSL documentation says that they disable IDEA by default, because of a patent (which apparently expired in 2012). They go into great detail on how to disable it, but not on how to enable it. Furthermore, they say it's disabled by default.
Apache httpd demands the symbol, and will not start without it.
I have tried saying "config shared enable-idea" and the config script is happy, but the symbol is still undefined after the build. I piped the build output into a file, and the crypto/idea files ARE being compiled.
EVERY symbol starting in EVP_* is undefined... They are also undefined in libssl.a ... So maybe I'm barking up the wrong IDEA tree?
So my question becomes - how do I enable these EVP_* symbols?
I resolved it. The problem was simple. These symbols are indeed undefined in libssl.so (or .a). They are actually defined in libcrypto.so. I wasn't getting the new libcrypto.so because....
...The new openssl tarball installs its outputs by default in /usr/local/ssl. This is configurable, but it really wants to install ALL the ssl stuff (including the libs) in /something/something/ssl. So you have /something/something/ssl/lib, /something/something/ssl/bin etc.
So when I said make install, it created /usr/local/ssl with all the good stuff in it. I made a symbolic link in /usr/lib64 from openssl.so.1.0.0 -> /usr/local/etc/ssl/lib/openssl.so.1.0.0. But I did not realize that I needed to do the same for libcrypto.so, so that still had the old stuff.
So I was using the new libssl.so, and an old libcrypto.so. Bad mojo.
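A check for the half-upgraded state described in the answer above, as an added example that is not part of the original post: it follows the symlinks for libssl and libcrypto in one library directory and reports whether both end up in the same install tree. The file names libssl.so.1.0.0 and libcrypto.so.1.0.0 and the function names are assumptions, and the demo runs against a constructed sandbox under a temporary directory rather than the real /usr/lib64.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that libssl and libcrypto
# in one library directory resolve, through any symlinks, to the same tree.

# Print the directory holding the real file behind $1; status 2 if it is missing.
resolve_dir() {
    rd_target=$(readlink -f -- "$1") || return 2
    [ -e "$rd_target" ] || return 2
    dirname -- "$rd_target"
}

# check_openssl_pair LIBDIR SOVER
# Status 0: same tree, 1: different trees, 2: a library is missing.
check_openssl_pair() {
    cp_ssl=$(resolve_dir "$1/libssl.so.$2") || { echo "libssl.so.$2 not found in $1"; return 2; }
    cp_crypto=$(resolve_dir "$1/libcrypto.so.$2") || { echo "libcrypto.so.$2 not found in $1"; return 2; }
    if [ "$cp_ssl" = "$cp_crypto" ]; then
        echo "OK: libssl and libcrypto both come from $cp_ssl"
        return 0
    fi
    echo "MISMATCH: libssl from $cp_ssl, libcrypto from $cp_crypto"
    return 1
}

# Constructed sandbox reproducing the post: libssl is a symlink into the new
# install tree, libcrypto is still the old file sitting in lib64.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/lib64" "$sb/usr/local/ssl/lib"
    : > "$sb/usr/local/ssl/lib/libssl.so.1.0.0"
    : > "$sb/usr/local/ssl/lib/libcrypto.so.1.0.0"
    : > "$sb/usr/lib64/libcrypto.so.1.0.0"      # stale copy from the old package
    ln -s "$sb/usr/local/ssl/lib/libssl.so.1.0.0" "$sb/usr/lib64/libssl.so.1.0.0"
    echo "$sb"
}

# Demo: mismatch first, then the fix (link libcrypto to the new tree as well).
demo_root=$(make_sandbox)
check_openssl_pair "$demo_root/usr/lib64" 1.0.0 || true
ln -sf "$demo_root/usr/local/ssl/lib/libcrypto.so.1.0.0" "$demo_root/usr/lib64/libcrypto.so.1.0.0"
check_openssl_pair "$demo_root/usr/lib64" 1.0.0
rm -rf "$demo_root"
```

On a real host, point check_openssl_pair at the directory the dynamic linker actually searches before restarting httpd.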