How do I enable EVP functions in openssl?

Jerry Kaidor · Apr 11, 2014 · Viewed 8.6k times

I am trying to update my web server to the latest OpenSSL with the Heartbleed patch (1.0.1g). I grabbed the tarball from openssl.org. Said the usual ./configure; make; make install. Had to say config shared to get it to make the .so file (by default it only generates the .a). Updated the link in /usr/lib64 to point to the new .so.

Now httpd fails to run with the following complaint:

/usr/sbin/httpd: symbol lookup error: /usr/lib64/libssl.so.1: undefined symbol: EVP_idea_cbc

nm -g | grep idea says: U EVP_idea_cbc

... so it knows about the symbol, but the symbol is undefined.

OpenSSL documentation says that they disable IDEA by default, because of a patent (which apparently expired in 2012). They go into great detail on how to disable it, but not on how to enable it. Furthermore, they say it's disabled by default.

Apache httpd demands the symbol, and will not start without it.

I have tried saying "config shared enable-idea" and the config script is happy, but the symbol is still undefined after the build. I piped the build output into a file, and the crypto/idea files ARE being compiled.

EVERY symbol starting in EVP_* is undefined... They are also undefined in libssl.a... So maybe I'm barking up the wrong IDEA tree?

So my question becomes - how do I enable these EVP_* symbols?

Answer

Jerry Kaidor · Apr 12, 2014

I resolved it. The problem was simple. These symbols are indeed undefined in libssl.so (or .a). They are actually defined in libcrypto.so. I wasn't getting the new libcrypto.so because....

...The new openssl tarball installs its outputs by default in /usr/local/ssl. This is configurable, but it really wants to install ALL the ssl stuff (including the libs) in /something/something/ssl. So you have /something/something/ssl/lib, /something/something/ssl/bin etc.

So when I said make install, it created /usr/local/ssl with all the good stuff in it. I made a symbolic link in /usr/lib64 from openssl.so.1.0.0 -> /usr/local/etc/ssl/lib/openssl.so.1.0.0. But I did not realize that I needed to do the same for libcrypto.so, so that still had the old stuff.

So I was using the new libssl.so, and an old libcrypto.so. Bad mojo.
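
A check for the libssl/libcrypto mismatch described in the answer, as an added example that is not part of the original post: it lists the EVP_ symbols one library imports and the other does not export, working from `nm -D` text. The function name `unresolved` and the sample symbol tables are constructed for illustration.

```shell
#!/bin/sh
# Added example. unresolved NEEDS PROVIDES [PREFIX]: print symbols that NEEDS
# imports (nm type U) and PROVIDES does not define. Both are `nm -D` text files.
unresolved() {
    awk -v prefix="${3:-EVP_}" '
        NF < 2 { next }                       # skip blank or malformed lines
        { sub(/@.*/, "", $NF) }               # drop any symbol-version suffix
        FILENAME == ARGV[1] {                 # first file: the providing library
            if ($(NF-1) ~ /^[TDBRWVAi]$/) defined[$NF] = 1
            next
        }
        $(NF-1) == "U" && index($NF, prefix) == 1 && !($NF in defined) { print $NF }
    ' "$2" "$1" | sort -u
}

# Real use (paths are the ones from the post; adjust to your system):
#   nm -D /usr/lib64/libssl.so.1 > ssl.nm
#   nm -D "$(ldd /usr/sbin/httpd | awk '/libcrypto/ {print $3}')" > crypto.nm
#   unresolved ssl.nm crypto.nm

# Constructed samples standing in for `nm -D` output (not real library dumps).
sample_libssl() { cat <<'EOF'
                 U EVP_idea_cbc
                 U EVP_sha1
                 U memcpy
0000000000021f40 T SSL_connect
EOF
}
sample_old_libcrypto() { cat <<'EOF'
00000000000a1b20 T EVP_sha1
EOF
}
sample_new_libcrypto() { cat <<'EOF'
00000000000a1b20 T EVP_sha1
00000000000a2c40 T EVP_idea_cbc
EOF
}

# Demo: the new libssl checked against the stale and the matching libcrypto.
tmp=$(mktemp -d)
sample_libssl > "$tmp/ssl.nm"
sample_old_libcrypto > "$tmp/old.nm"
sample_new_libcrypto > "$tmp/new.nm"
echo "missing with old libcrypto: $(unresolved "$tmp/ssl.nm" "$tmp/old.nm")"
echo "missing with new libcrypto: $(unresolved "$tmp/ssl.nm" "$tmp/new.nm")"
rm -rf "$tmp"
```

An empty result means every EVP_ import of libssl is satisfied by that libcrypto; any name printed is one the dynamic loader would fail on at start-up.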