Symbol conflict between libgnutls-openssl and real openssl
Simon Josefsson
simon at josefsson.org
Wed Aug 27 17:34:57 CEST 2008

Tomas Mraz <tmraz at redhat.com> writes:

> Hello,

Hi Tomas!

> some symbols in libgnutls-openssl are not renamed from their originals
> in OpenSSL.

That is sort of the idea... However, I understand the problems it can
cause as you describe.

> Unfortunately this causes conflicts when the application indirectly
> links to some library which then links to openssl. The situation can
> happen for example in case the system is configured to use ldap in the
> nsswitch.conf.
>
> The nss_ldap links to openldap libraries which are themselves linked to
> the real OpenSSL libraries. Some symbols are then resolved from real OpenSSL
> and some from libgnutls-openssl which causes crashes because they are of
> course ABI incompatible.
>
> See:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=446860
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=460310
>
> The proposal is to use #defines in the public headers of
> gnutls/openssl.h to rename the symbols so they do not clash with real
> OpenSSL. It would of course require SONAME bump of libgnutls-openssl and
> rebuild of the dependent applications.
>
> What do you think about this proposal?

I like it. gnutls/openssl.h should thus contain a set of #define's such
as:

#define MD5_Init gnutls_openssl_MD5_Init

Fortunately we have never guaranteed binary level compatibility with
OpenSSL, so this change does not require any API changes in applications
that use libgnutls-openssl, just a recompile. It will indeed require a
SONAME bump, and currently both libgnutls and libgnutls-openssl share
the same SONAME version. We have discussed before if and how these
versions can be separated. I suspect we have to make a decision now.

Please send a patch for further discussions.

Thanks,
/Simon
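
Added example, not part of the original message and not GnuTLS or OpenSSL code: a single-file C sketch of the header rename discussed above, showing that unchanged application source ends up calling gnutls_openssl_MD5_Init while a library built against the real headers still reaches the symbol MD5_Init. The struct layouts, the real function's signature, REAL_MD5_CTX, compat_backend and the two *_path_* helper names are assumptions made for the illustration; only the #define line comes from the message.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for real OpenSSL (constructed layout, not OpenSSL's own). */
typedef struct { unsigned char state[16]; } REAL_MD5_CTX;
int MD5_Init(REAL_MD5_CTX *c) { memset(c->state, 0xA5, sizeof c->state); return 1; }

/* Stand-in for a library such as openldap, built against the real
 * headers: its call site references the symbol MD5_Init. */
int library_path_uses_real(void) {
    REAL_MD5_CTX c;
    memset(&c, 0, sizeof c);
    return MD5_Init(&c) == 1 && c.state[0] == 0xA5 && c.state[15] == 0xA5;
}

/* Stand-in for gnutls/openssl.h after the change. From this point on the
 * preprocessor rewrites every MD5_Init token to the prefixed name. */
#define MD5_Init gnutls_openssl_MD5_Init
typedef struct { void *handle; } MD5_CTX;   /* constructed, ABI-incompatible layout */
void MD5_Init(MD5_CTX *ctx);                /* really declares gnutls_openssl_MD5_Init */

/* Stand-in for libgnutls-openssl itself, compiled with the same header,
 * so the symbol it exports carries the prefixed name. */
static int compat_backend;
void MD5_Init(MD5_CTX *ctx) { ctx->handle = &compat_backend; }

/* Application source is unchanged: it still spells the call MD5_Init,
 * but after a recompile the object file references the prefixed symbol. */
int app_path_uses_compat(void) {
    MD5_CTX ctx = { NULL };
    MD5_Init(&ctx);
    return ctx.handle == &compat_backend;
}

int main(void) {
    printf("library -> MD5_Init (real):          %d\n", library_path_uses_real());
    printf("app     -> gnutls_openssl_MD5_Init:  %d\n", app_path_uses_compat());
    return 0;
}
```

Without the #define, both definitions would carry the name MD5_Init; across shared objects the dynamic linker would bind every caller to whichever definition it finds first, which is the mixed resolution described in the quoted report.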