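I am trying to build OpenSSH 7.3p1 on a Linux machine that has an old OpenSSL version installed.
First, I successfully compiled OpenSSL 1.0.2h and installed it in /opt/openssh-1.0.2h rather than in /usr, where the old OpenSSL version is installed.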
tar xzf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/opt/openssl-1.0.2h shared
make depend
make
make test
make install
Then I continued with OpenSSH:
tar xzf openssh-7.3p1.tar.gz
cd openssh-7.3p1
./configure --prefix=/opt/openssh-7.3p1 --with-openssl=/opt/openssl-1.0.2h
But the configure script fails with the following error message:
checking OpenSSL header version... 0090802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")
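If I use --with-ssl-dir=/opt/openssl-1.0.2h/ssl, the tool findssl.sh (found in the contrib subdirectory) correctly finds all OpenSSL versions. The comments in it suggest using CFLAGS to point to the required libraries. I quote: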
# Now run findssl.sh. This should identify the headers and libraries
# present and their versions. You should be able to identify the
# libraries and headers used and adjust your CFLAGS or remove incorrect
# versions. The output will show OpenSSL's internal version identifier
# and should look something like:
Then I tried
./configure CFLAGS="-I/opt/openssl-1.0.2h/include" --prefix=/opt/openssh-7.3p1 --with-openssl=/opt/openssl-1.0.2h
This seems to work, because it finds the new OpenSSL header version:
checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016)
checking OpenSSL library version... configure: error: OpenSSL >= 0.9.8f required (have "0090802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)")
The next step is to supply additional options so that the library files are found. However, if I add LDFLAGS='-L/opt/openssl-1.0.2h/lib' or --with-ldflags='-L/opt/openssl-1.0.2h/lib', this is what I get:
checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.
In short, I do not know how to make configure use the new OpenSSL library.
Update 1: If I use --with-ldflags='-L/opt/openssl-1.0.2h/ssl' instead of ···openssl-1.0.2h/lib, the header version check works (see a few lines above), but the library version check still fails.
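Update 2: I traced the problem and found that it is related to shared libraries. From the config.log file I obtained the source files conftest.c and confdef.h, as well as the options used to build the runnable conftest: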
#include "confdefs.h"
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
int
main ()
{
FILE *fd;
int rc;
fd = fopen(DATA,"w");
if (fd == NULL)
exit(1);
if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
SSLeay_version(SSLEAY_VERSION))) < 0)
exit(1);
exit(0);
}
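This program stores the OpenSSL version as text in the file conftest.ssllibver. For debugging purposes, I changed fprint(fd, to print( so that the data is printed to the terminal.
The command line used to build the conftest program is: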
# gcc -o conftest -I/opt/openssl-1.0.2h/include -Wall \
-Wpointer-arith -Wsign-compare -Wformat-security -Wno-pointer-sign \
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset \
-fstack-protector-all -std=gnu99 -fPIE -Wl,-z,relro -Wl,-z,now \
-Wl,-z,noexecstack -fstack-protector-all -pie conftest.c \
-lcrypto -lrt -ldl -lutil -lz
# ldd conftest |grep libcrypto
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)
The old OpenSSL library is used.
When -L/opt/openssl-1.0.2h/lib is added as an argument, conftest cannot run, because the dynamic loader (ld.so) cannot find libcrypto.so.1.0.0:
# ./conftest
./conftest: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
# ldd conftest | grep libcrypto
libcrypto.so.1.0.0 => not found
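But when I point the LD_LIBRARY_PATH environment variable at /opt/openssl-1.0.2h/lib, the dynamic loader finds the library file libcrypto.so.1.0.0, so the conftest executable works properly and uses the new OpenSSL library: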
# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./conftest
1000208f (OpenSSL 1.0.2h 3 May 2016)
# ldd conftest
libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)
Answer 0 (score: 3)
Export the LD_LIBRARY_PATH environment variable, which must contain the directory where the new OpenSSL library files are located, and run the configure script:
# export LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib
# ./configure CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"
The two commands can also be combined into one:
# LD_LIBRARY_PATH=/opt/openssl-1.0.2h/lib ./configure \
CFLAGS="-I/opt/openssl-1.0.2h/include" \
--prefix=/opt/openssh-7.3p1 \
--with-ldflags="-L/opt/openssl-1.0.2h/lib"
This is the result:
OpenSSH has been configured with the following options:
User binaries: /opt/openssh-7.3p1/bin
System binaries: /opt/openssh-7.3p1/sbin
Configuration files: /opt/openssh-7.3p1/etc
Askpass program: /opt/openssh-7.3p1/libexec/ssh-askpass
Manual pages: /opt/openssh-7.3p1/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh-7.3p1/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -I/opt/openssl-1.0.2h/include -Wall -Wpointer-arith -Wsign-compare \
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing \
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all \
-std=gnu99 -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all \
-L/opt/openssl-1.0.2h/lib -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
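It is strongly recommended that you also use LD_LIBRARY_PATH in the subsequent make and make install steps; otherwise make install will fail, because it runs the ssh-keygen command to generate new host keys, and that command will not find the new OpenSSH library files: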
mkdir /opt/openssh-7.3p1/etc
./ssh-keygen: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
make: *** [host-key] Error 127
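The following check is an added example and is not part of the original question or answers: it classifies which libcrypto the dynamic loader resolves for a binary, using the same `ldd` output the question inspects. The helper name check_libcrypto and the status words it prints are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): classify where the dynamic
# loader resolves libcrypto, given `ldd` output on stdin.
# check_libcrypto is a hypothetical helper name, not an OpenSSH/OpenSSL tool.
# Prints one status line and returns:
#   0 = resolved under EXPECTED_DIR    1 = resolved somewhere else
#   2 = "not found" by the loader      3 = no libcrypto dependency listed
check_libcrypto() {
    awk -v dir="${1%/}" '
        $1 ~ /^libcrypto\.so/ {
            seen = 1
            if ($3 == "not" && $4 == "found") {
                print "MISSING " $1; rc = 2
            } else if (index($3, dir "/") == 1) {
                print "OK " $3; rc = 0
            } else {
                print "WRONG " $3; rc = 1
            }
            exit
        }
        END {
            if (!seen) { print "NONE"; rc = 3 }
            exit rc
        }
    '
}

# Sample input: the three libcrypto lines of ldd output quoted in the question.
OLD_LIB='libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5fc6c3e000)'
NOT_FOUND='libcrypto.so.1.0.0 => not found'
NEW_LIB='libcrypto.so.1.0.0 => /opt/openssl-1.0.2h/lib/libcrypto.so.1.0.0 (0x00002b450bf97000)'

EXPECTED=/opt/openssl-1.0.2h/lib
for sample in "$OLD_LIB" "$NOT_FOUND" "$NEW_LIB"; do
    printf '%s\n' "$sample" | check_libcrypto "$EXPECTED"
    echo "  -> exit status $?"
done

# Against a real build, run it in the environment the binary will run in:
#   ldd /opt/openssh-7.3p1/sbin/sshd | check_libcrypto /opt/openssl-1.0.2h/lib
```

A WRONG or MISSING result for the installed sshd means the daemon would load the old system libcrypto or fail to start, exactly as conftest and ssh-keygen did above.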
Answer 1 (score: 0)
Maybe you should use the --with-ssl-dir option of the openssh configure script:
$ ./configure --help | grep with-ssl-dir
--with-ssl-dir=PATH Specify path to OpenSSL installation
The --with-openssl option is just a boolean flag that enables or disables the openssl dependency.
Answer 2 (score: 0)
In addition to the solution provided by @Jdamain, I also needed to recompile openssl with --prefix and --openssldir set to the same directory.