Summary: | databases/mariadb103-client: fails to link against security/openssl111 | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Ralf van der Enden <tremere> |
Component: | Individual Port(s) | Assignee: | Bernard Spil <brnrd> |
Status: | Closed Overcome By Events | ||
Severity: | Affects Some People | CC: | tommyhp2 |
Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(brnrd) |
Version: | Latest | ||
Hardware: | Any | ||
OS: | Any |
Description
Ralf van der Enden
2019-02-06 10:47:38 UTC
Looks like detection in cmake is OK
> -- Found OpenSSL: /usr/local/lib/libcrypto.so (found version "1.1.1a")
> -- OPENSSL_INCLUDE_DIR = /usr/local/include
> -- OPENSSL_SSL_LIBRARY = /usr/local/lib/libssl.so
> -- OPENSSL_CRYPTO_LIBRARY = /usr/local/lib/libcrypto.so
> -- OPENSSL_VERSION = 1.1.1a
> -- SSL_LIBRARIES = /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so
Somewhere/-how it is mixing base and ports SSL versions.
I've run the exact same build again on FreeBSD 12.0-RELEASE and it works fine there. So this is only an issue on 11.2-RELEASE. I think this issues exists across all mariadb10{2,3,4}-client. 10.2 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228636 I have also the same inconsistency with 10.4 on 12.1-RELEASE-p3 r359156M. ===> Applying FreeBSD patches for mariadb104-client-10.4.12 /usr/bin/sed -i.bak 's|/usr/bin/env python||' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/CMakeLists.txt /usr/bin/sed -i.bak 's|%%PREFIX%%|/usr/local|g' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/mysys/my_default.c /usr/bin/sed -i.bak 's|%%LOCALBASE%%|/usr/local|g' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/scripts/mysql_config.sh /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/cmake_modules/TokuThirdParty.cmake /bin/mv /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/mroonga/version /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/mroonga/version_txt ===> mariadb104-client-10.4.12 depends on executable: bison - found ===> mariadb104-client-10.4.12 depends on file: /usr/local/bin/cmake - found ===> mariadb104-client-10.4.12 depends on file: /usr/local/lib/libcrypto.so.11 - found ===> mariadb104-client-10.4.12 depends on file: /usr/local/lib/libkrb5support.so - found ===> mariadb104-client-10.4.12 depends on shared library: libiconv.so - found (/usr/local/lib/libiconv.so) ===> mariadb104-client-10.4.12 depends on shared library: libedit.so.0 - found (/usr/local/lib/libedit.so.0) ===> mariadb104-client-10.4.12 depends on shared library: libreadline.so.8 - found (/usr/local/lib/libreadline.so.8) ===> Configuring for mariadb104-client-10.4.12 ===> FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/m4/libtool.m4 ===> FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/configure ===> FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/build-aux/config.rpath ===> Performing in-source build /bin/mkdir -p /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12 < ... snip ... > -- Found OpenSSL: /usr/local/lib/libcrypto.so (found version "1.1.1e") -- OPENSSL_INCLUDE_DIR = /usr/local/include -- OPENSSL_SSL_LIBRARY = /usr/local/lib/libssl.so -- OPENSSL_CRYPTO_LIBRARY = /usr/local/lib/libcrypto.so -- OPENSSL_VERSION = 1.1.1e -- SSL_LIBRARIES = /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so -------------------------------------------------------------------------- My OPTIONS in make.conf # grep -e '^OPTIONS' make.conf OPTIONS_UNSET+=GSSAPI_BASE GSSAPI_NONE KRB_BASE HEIMDAL_BASE OPTIONS_UNSET+=X11 DOXYGEN TESTS TEST DTRACE OPTIONS_UNSET+=DOCS MANPAGES EXAMPLES NLS OPTIONS_SET+=GSSAPI_MIT KRB_MIT CPU_OPTS My DEFAULT_VERSIONS in make.conf: # grep DEFAULT make.conf | grep ssl DEFAULT_VERSIONS+=mysql=10.4m pgsql=12 samba=4.10 ssl=openssl ------------------------------------------------------------------------ # /usr/local/bin/mariadb_config Copyright 2011-2019 MariaDB Corporation AB Get compiler flags for using the MariaDB Connector/C. Usage: /usr/local/bin/mariadb_config [OPTIONS] --cflags [-I/usr/local/include/mysql -I/usr/local/include/mysql/mysql -I/usr/local/include] --include [-I/usr/local/include/mysql -I/usr/local/include/mysql/mysql -I/usr/local/include] --libs [-L/usr/local/lib/mysql/ -lmariadb -L/usr/local/lib] --libs_r [-L/usr/local/lib/mysql/ -lmariadb -L/usr/local/lib] --libs_sys [-lz -lm -liconv -lssl -lcrypto -liconv] --version [10.4.12] --cc_version [3.1.7] --socket [/tmp/mysql.sock] --port [3306] --plugindir [/usr/local/lib/mysql/plugin] --tlsinfo [OpenSSL 1.1.1e] --------------------------------------------------------------------------- # readelf -a /usr/local/lib/mysql/libmariadb.so | grep 'SSL_init' 000000054408 005700000007 R_X86_64_JUMP_SLOT 0000000000000000 OPENSSL_init_ssl + 0 87: 0000000000000000 0 FUNC GLOBAL DEFAULT UND OPENSSL_init_ssl@OPENSSL_1_1_0 (7) --------------------------------------------------------------------------- # readelf -a /usr/local/lib/mysql/libmariadbclient.a | grep 'SSL_init' 00000000003e 001a00000004 R_X86_64_PLT32 0000000000000000 OPENSSL_init_ssl + fffffffffffffffc 26: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND OPENSSL_init_ssl --------------------------------------------------------------------------- /usr/bin/openssl version OpenSSL 1.1.1d-freebsd 10 Sep 2019 # /usr/local/bin/openssl version OpenSSL 1.1.1e 17 Mar 2020 --------------------------------------------------------------------------- I'm curious because of this that causes the client to fail when connecting with --ssl-verify-server-cert. Here's the relevent section in Makefile for 10.3 and 10.4: CMAKE_ARGS+= -DINSTALL_DOCDIR="share/doc/mysql" \ -DINSTALL_DOCREADMEDIR="share/doc/mysql" \ -DINSTALL_INCLUDEDIR="include/mysql" \ -DINSTALL_INFODIR="info" \ -DINSTALL_LIBDIR="lib/mysql" \ -DINSTALL_MANDIR="man" \ -DINSTALL_MYSQLDATADIR="/var/db/mysql" \ -DINSTALL_MYSQLSHAREDIR="share/mysql" \ -DINSTALL_MYSQLTESTDIR= \ -DINSTALL_PLUGINDIR="lib/mysql/plugin" \ -DINSTALL_SBINDIR="libexec" \ -DINSTALL_SCRIPTDIR="bin" \ -DINSTALL_SHAREDIR="share" \ -DINSTALL_SQLBENCHDIR= \ -DINSTALL_SUPPORTFILESDIR="share/mysql" \ -DDEFAULT_SYSCONFDIR="${PREFIX}/etc" \ -DWITH_SSL="${OPENSSLBASE}" \ -DCURSES_CURSES_LIBRARY="/usr/lib/libcurses.so" \ -DCURSES_FORM_LIBRARY="/usr/lib/libform.so" \ -DCURSES_CURSES_LIBRARY="/usr/lib/libncurses.so" \ -DKRB5_CONFIG="${KRB5CONFIG}" \ -DCURSES_NCURSES_LIBRARY="${NCURSESLIB}/libncurses.so" \ -DCOMPILATION_COMMENT="FreeBSD Ports" \ -DCMAKE_PREFIX_PATH=${PREFIX} \ GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CMAKE_ON= -DPLUGIN_AUTH_GSSAPI_CLIENT=OFF .if defined(WITH_OPENSSL_PORT) GSSAPI_BASE_IGNORE= BASE_GSSAPI is not compatible with OpenSSL from ports. Use other GSSAPI options or OpenSSL from base system .endif From the above config in the Makefile, I think it's supposed to linked against base's OpenSSL. But on 12.1, the version differences is negligble for base vs port. So I'm curious as to where the libmariadb finds version 1.1.0? I've asked about the '--ssl-verify-server-cert' error on the official MariaDB's Q&A: https://mariadb.com/kb/en/securing-connections-for-client-and-server/ and was confirmed that 'mysql' client linked to the libmariadbclient. I've check with the current version 3.1.7 of the mariadb-connector-c. It's the same. /wrkdirs/usr/ports/databases # readelf -a mariadb-connector-c/work/stage/usr/local/lib/mariadb/libmariadbclient.a | grep SSL_init 00000000005f 001d00000004 R_X86_64_PLT32 0000000000000000 OPENSSL_init_ssl + fffffffffffffffc 29: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND OPENSSL_init_ssl /wrkdirs/usr/ports/databases # readelf -a mariadb-connector-c/work/stage/usr/local/lib/mariadb/libmariadb.so | grep SSL_init 00000006f210 005a00000007 R_X86_64_JUMP_SLOT 0000000000000000 OPENSSL_init_ssl + 0 90: 0000000000000000 0 FUNC GLOBAL DEFAULT UND OPENSSL_init_ssl@OPENSSL_1_1_0 (7) the libmariadbclient is not linking to the OpenSSL correctly. This is causing mariadb-connector-odbc (v3.1.6) to fail too because of the dependent mariadb-connector-c (v3.1.7) not linked properly: # isql openldap root test ld-elf.so.1: /usr/local/lib/libmaodbc.so: Undefined symbol "OPENSSL_init_ssl" I think I may have found it. Detection during configure works fine. When it's actually configuring that is failing and defaulting to the bundled SSL: extra/wolfssl/wolfssl/cyassl/openssl extra/wolfssl/wolfssl/wolfssl/openssl |