Symbol conflict between libgnutls-openssl and real openssl

Simon Josefsson simon at
Wed Aug 27 17:34:57 CEST 2008

Tomas Mraz <tmraz at> writes:

> Hello,

Hi Tomas!

> some symbols in libgnutls-openssl are not renamed from their originals
> in OpenSSL.

That is sort of the idea...  However, I understand the problems it can
cause as you describe.

> Unfortunately this causes conflicts when the application indirectly
> links to some library which then links to openssl. The situation can
> happen for example in case the system is configured to use ldap in the
> nsswitch.conf.
> The nss_ldap links to openldap libraries which is itself linked to the
> real OpenSSL libraries. Some symbols are then resolved from real OpenSSL
> and some from libgnutls-openssl which causes crashes because they are of
> course ABI incompatible.
> See:
> and
> The proposal is to use #defines in the public headers of
> gnutls/openssl.h to rename the symbols so they do not clash with real
> OpenSSL. It would of course require SONAME bump of libgnutls-openssl and
> rebuild of the dependent applications.
> What do you think about this proposal?

I like it.  gnutls/openssl.h should thus contain a set of #define's such

#define MD5_Init gnutls_openssl_MD5_Init

Fortunately we have never guaranteed binary level compatibility with
OpenSSL, so this change does not require any API changes in applications
that use libgnutls-openssl, just a recompile.  It will indeed require a
SONAME bump, and currently both libgnutls and libgnutls-openssl share
the same SONAME version.  We have discussed before if and how these
versions can be separated.  I suspect we have to make a decision now.

Please send a patch for further discussions.
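
The renaming proposed in this thread, as an added example that is not part of the original message or of the GnuTLS sources: one file stands in for the real OpenSSL, for libgnutls-openssl built with the renaming header, and for two callers. The context struct layouts, the call counters and the app_*/other_* helpers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STR_(x) #x
#define STR(x) STR_(x)   /* expands macros first, then stringifies */

static int real_calls, compat_calls;   /* which implementation actually ran */

/* Stand-in for the real OpenSSL library: exports the symbol MD5_Init. */
typedef struct { unsigned int state[4], count[2]; } real_MD5_CTX; /* constructed */
int MD5_Init(real_MD5_CTX *c) { memset(c, 0, sizeof *c); real_calls++; return 1; }

/* What gnutls/openssl.h would contain under the proposal. */
#define MD5_Init gnutls_openssl_MD5_Init
typedef struct { void *handle; } compat_MD5_CTX;                  /* constructed */
int MD5_Init(compat_MD5_CTX *c);   /* really declares gnutls_openssl_MD5_Init */

/* Stand-in for libgnutls-openssl, built against its own header. */
int MD5_Init(compat_MD5_CTX *c) { c->handle = &compat_calls; compat_calls++; return 1; }

/* Application recompiled against the new header: its source is unchanged,
 * but the symbol it references is now the prefixed one. */
const char *app_symbol(void) { return STR(MD5_Init); }
int app_init(void) { compat_MD5_CTX c; return MD5_Init(&c); }

#undef MD5_Init   /* leave the header's scope */

/* A library that never included the header (the role the LDAP client
 * libraries play in the report): it still binds to plain MD5_Init. */
const char *other_symbol(void) { return STR(MD5_Init); }
int other_init(void) { real_MD5_CTX c; return MD5_Init(&c); }

int main(void) {
    app_init();
    other_init();
    printf("app   -> %s (compat calls: %d)\n", app_symbol(), compat_calls);
    printf("other -> %s (real calls: %d)\n", other_symbol(), real_calls);
    return 0;
}
```

Both definitions coexist in one link because they carry different linker names, and each caller reaches the implementation whose context layout it was compiled for.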

