Bug 235552

Summary: databases/mariadb103-client: fails to link against security/openssl111
Product: Ports & Packages Reporter: Ralf van der Enden <tremere>
Component: Individual Port(s)Assignee: Bernard Spil <brnrd>
Status: Closed Overcome By Events    
Severity: Affects Some People CC: tommyhp2
Priority: --- Flags: bugzilla: maintainer-feedback? (brnrd)
Version: Latest   
Hardware: Any   
OS: Any   

Description Ralf van der Enden 2019-02-06 10:47:38 UTC 
While testing another port with security/openssl111 using poudriere (using a set via -z) I ran into a linking issue.

Poudriere buildlog: https://pkg.cainites.net/data/freebsd_11x64-system-openssl111/2019-02-04_14h14m15s/logs/errors/mariadb103-client-10.3.12.log
Comment 1 Bernard Spil freebsd_committer freebsd_triage 2019-02-06 12:31:42 UTC 
Looks like detection in cmake is OK

> -- Found OpenSSL: /usr/local/lib/libcrypto.so (found version "1.1.1a")  
> -- OPENSSL_INCLUDE_DIR = /usr/local/include
> -- OPENSSL_SSL_LIBRARY = /usr/local/lib/libssl.so
> -- OPENSSL_CRYPTO_LIBRARY = /usr/local/lib/libcrypto.so
> -- OPENSSL_VERSION = 1.1.1a
> -- SSL_LIBRARIES = /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so

Somewhere/-how it is mixing base and ports SSL versions.
Comment 2 Ralf van der Enden 2019-02-06 21:08:03 UTC 
I've run the exact same build again on FreeBSD 12.0-RELEASE and it works fine there. So this is only an issue on 11.2-RELEASE.
Comment 3 Tommy P 2020-03-23 02:21:58 UTC 
I think this issues exists across all mariadb10{2,3,4}-client.

10.2 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228636

I have also the same inconsistency with 10.4 on 12.1-RELEASE-p3 r359156M.

===>  Applying FreeBSD patches for mariadb104-client-10.4.12
/usr/bin/sed -i.bak 's|/usr/bin/env python||' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/CMakeLists.txt
/usr/bin/sed -i.bak 's|%%PREFIX%%|/usr/local|g' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/mysys/my_default.c
/usr/bin/sed -i.bak 's|%%LOCALBASE%%|/usr/local|g' /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/scripts/mysql_config.sh  /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/cmake_modules/TokuThirdParty.cmake
/bin/mv /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/mroonga/version /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/mroonga/version_txt
===>   mariadb104-client-10.4.12 depends on executable: bison - found
===>   mariadb104-client-10.4.12 depends on file: /usr/local/bin/cmake - found
===>   mariadb104-client-10.4.12 depends on file: /usr/local/lib/libcrypto.so.11 - found
===>   mariadb104-client-10.4.12 depends on file: /usr/local/lib/libkrb5support.so - found
===>   mariadb104-client-10.4.12 depends on shared library: libiconv.so - found (/usr/local/lib/libiconv.so)
===>   mariadb104-client-10.4.12 depends on shared library: libedit.so.0 - found (/usr/local/lib/libedit.so.0)
===>   mariadb104-client-10.4.12 depends on shared library: libreadline.so.8 - found (/usr/local/lib/libreadline.so.8)
===>  Configuring for mariadb104-client-10.4.12
===>   FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/m4/libtool.m4
===>   FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/configure
===>   FreeBSD 10 autotools fix applied to /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12/storage/tokudb/PerconaFT/third_party/xz-4.999.9beta/build-aux/config.rpath
===>  Performing in-source build
/bin/mkdir -p /wrkdirs/usr/ports/databases/mariadb104-client/work/mariadb-10.4.12

< ... snip ... >

-- Found OpenSSL: /usr/local/lib/libcrypto.so (found version "1.1.1e")
-- OPENSSL_INCLUDE_DIR = /usr/local/include
-- OPENSSL_SSL_LIBRARY = /usr/local/lib/libssl.so
-- OPENSSL_CRYPTO_LIBRARY = /usr/local/lib/libcrypto.so
-- OPENSSL_VERSION = 1.1.1e
-- SSL_LIBRARIES = /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so

--------------------------------------------------------------------------

My OPTIONS in make.conf

# grep -e '^OPTIONS' make.conf
OPTIONS_UNSET+=GSSAPI_BASE GSSAPI_NONE KRB_BASE HEIMDAL_BASE
OPTIONS_UNSET+=X11 DOXYGEN TESTS TEST DTRACE
OPTIONS_UNSET+=DOCS MANPAGES EXAMPLES NLS
OPTIONS_SET+=GSSAPI_MIT KRB_MIT CPU_OPTS

My DEFAULT_VERSIONS in make.conf:

# grep DEFAULT make.conf | grep ssl
DEFAULT_VERSIONS+=mysql=10.4m pgsql=12 samba=4.10 ssl=openssl

------------------------------------------------------------------------

# /usr/local/bin/mariadb_config
Copyright 2011-2019 MariaDB Corporation AB
Get compiler flags for using the MariaDB Connector/C.
Usage: /usr/local/bin/mariadb_config [OPTIONS]
  --cflags        [-I/usr/local/include/mysql -I/usr/local/include/mysql/mysql -I/usr/local/include]
  --include       [-I/usr/local/include/mysql -I/usr/local/include/mysql/mysql -I/usr/local/include]
  --libs          [-L/usr/local/lib/mysql/ -lmariadb -L/usr/local/lib]
  --libs_r        [-L/usr/local/lib/mysql/ -lmariadb -L/usr/local/lib]
  --libs_sys      [-lz -lm -liconv -lssl -lcrypto -liconv]
  --version       [10.4.12]
  --cc_version    [3.1.7]
  --socket        [/tmp/mysql.sock]
  --port          [3306]
  --plugindir     [/usr/local/lib/mysql/plugin]
  --tlsinfo       [OpenSSL 1.1.1e]

---------------------------------------------------------------------------

# readelf -a /usr/local/lib/mysql/libmariadb.so | grep 'SSL_init'
000000054408 005700000007 R_X86_64_JUMP_SLOT  0000000000000000 OPENSSL_init_ssl + 0
    87: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND OPENSSL_init_ssl@OPENSSL_1_1_0 (7)

---------------------------------------------------------------------------

# readelf -a /usr/local/lib/mysql/libmariadbclient.a | grep 'SSL_init'
00000000003e 001a00000004 R_X86_64_PLT32      0000000000000000 OPENSSL_init_ssl + fffffffffffffffc
    26: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND OPENSSL_init_ssl

---------------------------------------------------------------------------

/usr/bin/openssl version
OpenSSL 1.1.1d-freebsd  10 Sep 2019

# /usr/local/bin/openssl version
OpenSSL 1.1.1e  17 Mar 2020

---------------------------------------------------------------------------

I'm curious because of this that causes the client to fail when connecting with --ssl-verify-server-cert.  Here's the relevent section in Makefile for 10.3 and 10.4:

CMAKE_ARGS+=    -DINSTALL_DOCDIR="share/doc/mysql" \
                -DINSTALL_DOCREADMEDIR="share/doc/mysql" \
                -DINSTALL_INCLUDEDIR="include/mysql" \
                -DINSTALL_INFODIR="info" \
                -DINSTALL_LIBDIR="lib/mysql" \
                -DINSTALL_MANDIR="man" \
                -DINSTALL_MYSQLDATADIR="/var/db/mysql" \
                -DINSTALL_MYSQLSHAREDIR="share/mysql" \
                -DINSTALL_MYSQLTESTDIR= \
                -DINSTALL_PLUGINDIR="lib/mysql/plugin" \
                -DINSTALL_SBINDIR="libexec" \
                -DINSTALL_SCRIPTDIR="bin" \
                -DINSTALL_SHAREDIR="share" \
                -DINSTALL_SQLBENCHDIR= \
                -DINSTALL_SUPPORTFILESDIR="share/mysql" \
                -DDEFAULT_SYSCONFDIR="${PREFIX}/etc" \
                -DWITH_SSL="${OPENSSLBASE}" \
                -DCURSES_CURSES_LIBRARY="/usr/lib/libcurses.so" \
                -DCURSES_FORM_LIBRARY="/usr/lib/libform.so" \
                -DCURSES_CURSES_LIBRARY="/usr/lib/libncurses.so" \
                -DKRB5_CONFIG="${KRB5CONFIG}" \
                -DCURSES_NCURSES_LIBRARY="${NCURSESLIB}/libncurses.so" \
                -DCOMPILATION_COMMENT="FreeBSD Ports" \
                -DCMAKE_PREFIX_PATH=${PREFIX} \

GSSAPI_BASE_USES=       gssapi
GSSAPI_HEIMDAL_USES=    gssapi:heimdal
GSSAPI_MIT_USES=        gssapi:mit
GSSAPI_NONE_CMAKE_ON=   -DPLUGIN_AUTH_GSSAPI_CLIENT=OFF

.if defined(WITH_OPENSSL_PORT)
GSSAPI_BASE_IGNORE=     BASE_GSSAPI is not compatible with OpenSSL from ports. Use other GSSAPI options or OpenSSL from base system
.endif

From the above config in the Makefile, I think it's supposed to linked against base's OpenSSL.  But on 12.1, the version differences is negligble for base vs port.  So I'm curious as to where the libmariadb finds version 1.1.0?
Comment 4 Tommy P 2020-03-24 17:11:58 UTC 
I've asked about the '--ssl-verify-server-cert' error on the official MariaDB's Q&A:

https://mariadb.com/kb/en/securing-connections-for-client-and-server/

and was confirmed that 'mysql' client linked to the libmariadbclient.
Comment 5 Tommy P 2020-03-24 21:44:21 UTC 
I've check with the current version 3.1.7 of the mariadb-connector-c.  It's the same.

/wrkdirs/usr/ports/databases # readelf -a mariadb-connector-c/work/stage/usr/local/lib/mariadb/libmariadbclient.a | grep SSL_init
00000000005f 001d00000004 R_X86_64_PLT32      0000000000000000 OPENSSL_init_ssl + fffffffffffffffc
    29: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND OPENSSL_init_ssl

/wrkdirs/usr/ports/databases # readelf -a mariadb-connector-c/work/stage/usr/local/lib/mariadb/libmariadb.so | grep SSL_init
00000006f210 005a00000007 R_X86_64_JUMP_SLOT  0000000000000000 OPENSSL_init_ssl + 0
    90: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND OPENSSL_init_ssl@OPENSSL_1_1_0 (7)

the libmariadbclient is not linking to the OpenSSL correctly.
Comment 6 Tommy P 2020-03-24 21:52:01 UTC 
This is causing mariadb-connector-odbc (v3.1.6) to fail too because of the dependent mariadb-connector-c (v3.1.7) not linked properly:

# isql openldap root test
ld-elf.so.1: /usr/local/lib/libmaodbc.so: Undefined symbol "OPENSSL_init_ssl"
Comment 7 Tommy P 2020-03-24 23:06:26 UTC 
I think I may have found it.  Detection during configure works fine.  When it's actually configuring that is failing and defaulting to the bundled SSL:

extra/wolfssl/wolfssl/cyassl/openssl
extra/wolfssl/wolfssl/wolfssl/openssl