[stunnel-users] Linux FIPS compile libary question

Luis Rodrigo Gallardo Cruz rodrigo at nul-unu.com
Thu Apr 10 23:31:51 CEST 2008


On Thu, Apr 10, 2008 at 01:30:22PM -0400, Joe Kemp wrote:
> I guess the question is what will the linker do with a shared libssl
> in /lib and a static one in /usr/local/sslfips/lib.  I ran the
> libtool with a -v.  It gave tons of output and only had references
> to the library in /usr/local/sslfips.
> 
> So I am going to assume I am seeing the dependencies of other
> libraries used by stunnel.  For instance libldap needs openssl and
> uses the shared version.  It's a little nerve-wracking ensuring FIPS
> compliance.

That sounds ... ugly. If your shared libraries can pull in a copy of
libssl.so, you run the risk that some symbols might be resolved at run
time against that copy, instead of against the static copy "inside"
the executable. Unless you were to link with -Bsymbolic, which is an
advanced option invented with no other purpose than to trip innocent
students of C linkage.

For this kind of stuff, I'd advise you to compile a stunnel with as
few external libraries as you can get away with, and relink *all*
those libraries to use your static libssl. Even better, get static
libraries for them all and link against those.

> Is there a way to see just what the stunnel layer
> depends on?  Ldd -v gave me more info but I am assuming it is still
> showing all levels of dependencies (stunnel's, libldap's, libsasl2,
> etc.).

 objdump -x /usr/bin/stunnel |grep NEEDED
gives you the list of sonames embedded in the executable. ldd tells
you how the dynamic linker will resolve them to actual .so files.
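As an added example (not part of Luis's reply or of stunnel itself), a POSIX shell script that combines the two checks above: it reads the NEEDED sonames out of objdump output, resolves each one through ldd the way the dynamic linker would, and reports which direct dependency of the executable itself pulls in a shared libssl/libcrypto. It assumes GNU binutils objdump and glibc ldd output layouts.

```shell
#!/bin/sh
# Find which layer of an executable's dependency tree pulls in a shared
# OpenSSL, which is what a statically linked FIPS build must avoid.

# Parse `objdump -x` output on stdin and print the NEEDED sonames.
parse_needed() {
    awk '$1 == "NEEDED" { print $2 }'
}

# Direct dependencies of one ELF object (executable or .so).
needed_of() {
    objdump -x "$1" 2>/dev/null | parse_needed
}

# Parse ldd output on stdin and print the path a given soname resolves to.
parse_ldd_path() {
    awk -v so="$1" '$1 == so && $2 == "=>" { print $3 }'
}

# Resolve a soname for a given binary using ldd (honours the real search path).
resolve_soname() {
    ldd "$1" 2>/dev/null | parse_ldd_path "$2"
}

# True if the soname list on stdin contains a shared libssl or libcrypto.
has_shared_openssl() {
    grep -qE '^lib(ssl|crypto)\.so'
}

# For each direct dependency of $1, report whether that library itself
# needs shared OpenSSL; this is the "which layer" question from the thread.
find_ssl_importers() {
    bin=$1
    if needed_of "$bin" | has_shared_openssl; then
        echo "$bin: links shared OpenSSL directly"
    fi
    for so in $(needed_of "$bin"); do
        path=$(resolve_soname "$bin" "$so")
        [ -n "$path" ] || continue
        if needed_of "$path" | has_shared_openssl; then
            echo "$so -> $path pulls in shared OpenSSL"
        fi
    done
}

# Usage: sh find_ssl_importers.sh /usr/bin/stunnel
if [ $# -gt 0 ]; then
    find_ssl_importers "$1"
fi
```

No output means neither the executable nor any of its direct dependencies asks the dynamic linker for libssl/libcrypto; a reported line names the library to relink against the static FIPS copy.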