This is a discussion on Re: [stunnel-users] Linux FIPS compile libary question within the Stunnel Users forums, part of the Networking and Network Related category.
On Thu, Apr 10, 2008 at 01:30:22PM -0400, Joe Kemp wrote:

> I guess the question is what will the linker do with a shared libssl
> in /lib and a static one in /usr/local/sslfips/lib. I ran the
> libtool with a -v. It gave tons of output and only had references
> to the library in /usr/local/sslfips.
>
> So I am going to assume I am seeing the dependencies of other
> libraries used by stunnel. For instance libldap needs openssl and
> uses the shared version. It's a little nerve-wracking ensuring FIPS
> compliance.

That sounds ... ugly. If your shared libraries can pull in a copy of libssl.so, you run the risk that some symbols might be resolved at run time against that copy, instead of against the static copy "inside" the executable. Unless you were to link with -Bsymbolic, which is an advanced option invented with no other purpose than to trip innocent students of C linkage.

For this kind of stuff, I'd advise you to compile an stunnel with as few external libraries as you can get away with, and relink *all* those libraries to use your static libssl. Even better, get static libraries for them all and link against that.

> Is there a way to see just what the stunnel layer
> depends on? Ldd -v gave me more info but I am assuming it is still
> showing all levels of dependencies (stunnel's, libldap's, libsasl2,
> etc.).

    objdump -x /usr/bin/stunnel |grep NEEDED

gives you the list of sonames embedded in the executable. ldd tells you how the dynamic linker will resolve them to actual .so files.
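The two commands from the reply above, combined into one check (an added example, not part of the original thread): it lists the sonames the binary itself needs, resolves each with ldd, and reports which dependency brings in a shared libssl or libcrypto. The function names are illustrative, and the walk goes only one level below the binary.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# needed_sonames: read `objdump -x FILE` output on stdin and print the
# DT_NEEDED sonames, i.e. only what FILE itself was linked against.
needed_sonames() {
    awk '$1 == "NEEDED" { print $2 }'
}

# resolve_soname SONAME: read `ldd FILE` output on stdin and print the path
# the dynamic linker picked for SONAME (prints nothing if it is not listed).
resolve_soname() {
    awk -v s="$1" '$1 == s && $2 == "=>" { print $3 }'
}

# is_openssl SONAME: succeed for a shared libssl or libcrypto.
is_openssl() {
    case $1 in
        libssl.so*|libcrypto.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_binary FILE: walk FILE's direct dependencies and report every place
# a shared OpenSSL gets pulled in. Returns 0 if clean, 1 if any was found,
# 2 if ldd failed. Checks one level below the binary.
audit_binary() {
    bin=$1
    status=0
    ldd_out=$(ldd "$bin") || return 2
    for so in $(objdump -x "$bin" | needed_sonames); do
        if is_openssl "$so"; then
            echo "DIRECT   $bin needs $so"
            status=1
            continue
        fi
        path=$(printf '%s\n' "$ldd_out" | resolve_soname "$so")
        [ -n "$path" ] || continue
        for dep in $(objdump -x "$path" | needed_sonames); do
            if is_openssl "$dep"; then
                echo "INDIRECT $so ($path) needs $dep"
                status=1
            fi
        done
    done
    return $status
}

if [ $# -gt 0 ]; then audit_binary "$1"; fi
```

Run it as `sh audit.sh /usr/bin/stunnel` (the script name is arbitrary); an INDIRECT line names a library that would have to be relinked or replaced with a static build.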