
List:       kde-bugs-dist
Subject:    [Bug 54121] security certificate not stored "forever"
From:       Leon Bottou <leon () bottou ! org>
Date:       2003-03-11 18:49:59

http://bugs.kde.org/show_bug.cgi?id=54121     




------- Additional Comments From leon@bottou.org  2003-03-11 19:49 -------
Subject: Re:  security certificate not stored "forever"

> I have now two versions of libkio.so.4.1.0 compiled from the same
> source below kdelibs/kio.  One has the bug and the other does not.

Bingo.

The difference is that the Mandrake binary was compiled
with the include files for openssl-0.9.7 and mine was compiled
with the include files for openssl-0.9.6b.

Yet the file  kio/kssl/openssl.cc prefers loading libssl.so.0.9.6
even though kssl might be compiled with the 0.9.7 include files.
These versions of openssl are *not* binary compatible.

The openssl code tries the following library names:
1) "libssl.so"
       This is the development library.  It gets installed when
       the libssl0-devel package is installed (rare on end user machines).
       When installed it most likely corresponds to the include files installed
       on this machine, but not necessarily to those installed
       on the machine where kssl was compiled.
2) "libssl.so.0"
       On my machine this comes with libssl0-devel and links to libssl.so.0.9.6.
3) "libssl.so.0.9.6" "libssl.so.0.9.6b" "libssl.so.0.9.6c"
       This is the 0.9.6 version of the library.
       Of course things will go wrong if kssl was compiled for 0.9.7.

My system has both /usr/lib/libssl.so.0.9.6 and /usr/lib/libssl.so.0.9.7,
for compatibility purposes I guess.  The development files are those for 0.9.6.
But the Mandrake binaries were compiled with the development files for 0.9.7.

I think openssl.cc should include <openssl/opensslv.h> to find out the version
number of the include files used for compiling kssl.  The macros are documented
in the include file.  The macros SHLIB_VERSION_XXX are particularly relevant.
The code should first try to load the exact version used for compiling.
Only then should it try unversioned library names such as "libssl.so".
Same for libcrypto I guess.

- L.
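
The load-order problem described in the message above, as an added example that is not part of the original message or of KDE's openssl.cc. It assumes a constructed table of installed files in place of real dlopen() calls, and a constructed BUILT_SHLIB_VERSION standing in for SHLIB_VERSION_NUMBER from <openssl/opensslv.h>; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for SHLIB_VERSION_NUMBER from <openssl/opensslv.h>. */
#define BUILT_SHLIB_VERSION "0.9.7"

/* Constructed model of the machine in the message: file name -> ABI provided. */
struct lib { const char *name, *abi; };
static const struct lib installed[] = {
    { "libssl.so",       "0.9.6" },   /* development symlink */
    { "libssl.so.0",     "0.9.6" },
    { "libssl.so.0.9.6", "0.9.6" },
    { "libssl.so.0.9.7", "0.9.7" },
};

/* Stand-in for dlopen(): ABI of the named file, or NULL if it is absent. */
static const char *probe(const char *name)
{
    for (size_t i = 0; i < sizeof installed / sizeof installed[0]; i++)
        if (strcmp(installed[i].name, name) == 0)
            return installed[i].abi;
    return NULL;
}

/* Load order listed in the message; returns the ABI that ends up loaded. */
const char *load_legacy(void)
{
    static const char *order[] = { "libssl.so", "libssl.so.0",
        "libssl.so.0.9.6", "libssl.so.0.9.6b", "libssl.so.0.9.6c" };
    const char *abi;
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if ((abi = probe(order[i])) != NULL)
            return abi;
    return NULL;
}

/* Proposed order: exact build-time version first, then the unversioned name. */
const char *load_versioned(const char *built)
{
    char exact[64];
    snprintf(exact, sizeof exact, "libssl.so.%s", built);
    const char *abi = probe(exact);
    return abi ? abi : probe("libssl.so");
}

/* 1 when the loaded ABI matches the headers the caller was compiled against. */
int abi_matches(const char *built, const char *loaded)
{
    return loaded != NULL && strcmp(built, loaded) == 0;
}

int main(void)
{
    printf("legacy=%s versioned=%s\n", load_legacy(), load_versioned(BUILT_SHLIB_VERSION));
    return 0;
}
```

When the exact version is not installed, load_versioned() still falls back to the unversioned name, so a loader built this way should also compare the loaded version against the build version and refuse on mismatch.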