[Kea-users] Help - Making HTTPS Call from Kea Hook Library

Francis Dupont fdupont at isc.org
Thu Jun 15 17:57:25 UTC 2017


Gokulakrishnan Gopalakrishnan writes:
> ...
> for making HTTPS Call using boost. While starting the server, I'm getting
> error loading user_chk lib (*undefined Symbol: SSL_library_unit*).

=> the cryptolink library uses either the Botan or the OpenSSL crypto
backend (it was initially Botan only but I added OpenSSL to provide
an alternative, e.g. for people requiring a certified crypto).
So if you build Kea with the OpenSSL backend you get the -lcrypto
dependency, i.e. the low level OpenSSL library. Note that we chose to
not include direct HTTPS/TLS support inside Kea even though both Botan and
OpenSSL support TLS, of course with very different APIs.
To conclude in your case you need the second SSL/TLS OpenSSL library -lssl

> to build the library with "-lcrypto - lssl". I'm a bit confused on how to
> change the Makefile to build the library using these two libs.

=> you have two choices:
 - you modify the Makefile.am and rerun autoconf, configure, etc

 - you patch config.status to add -lssl in a variable definition
  for instance the one with -lcrypto (i.e. you substitute "-lcrypto"
  by "-lcrypto -lssl" everywhere) and you rerun it by:
  sh ./config.status

I often use the second solution because it is quick, but it is dirty too,
so if it fixes your problem you have to try the first/clean way after.

// Extra notes for corner cases, mainly the hook library case

Note the order can matter (in theory it should not but in practice
it could). And if you are working with a DSO (aka hook library)
things can become really complex as hooks are loaded using dlopen()
so anything the hook can need must be available in the Kea binary.

There are already a few hacks to enforce some symbols to be visible,
you have an example at the end of src/lib/eval/lexer.ll you can
adapt to enforce a reference to a symbol in -lssl (without this
the dynamic library libssl.so will be skipped by ld when the Kea
binary is built). So if you have the -lssl not adding the library
you should:
 - check if the libssl.so is linked by something like
  libtool --mode=execute ldd kea-dhcp4
 (with libtool kea-dhcp4 is a shell script, the real binary is in
  the src/bin/dhcp4/.libs directory and ldd applied directly on it
  just returns errors saying it can't find libraries)
  ldd on Linux and BSDs returns the list of dynamic libraries used
  by the binary

 - if libssl.so is not listed by ldd then add a hack at the end of
  src/lib/cryptolink/openssl_link.cc with a reference to a libssl.so
  symbol. Choose one (e.g., SSL_library_init), add its include
  (<openssl/ssl.h>) and a call to it as in lexer.ll. Note the function
  will never really be called but it will be referenced.
  Rebuild and recheck.

Regards

Francis Dupont <fdupont at isc.org>

PS: I assume you use dynamic linking on Linux or BSD. If you use static
linking (./configure --enable-static-link) and/or Apple OS X / macOS
some details change.
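
The ldd check described in the message above, as an added example that is not part of the original post or of Kea: it classifies whether libssl is a resolved dependency, an unresolved one, or not recorded in the binary at all. The sample ldd output and the helper names lib_status and check_kea_binary are constructed for illustration.

```shell
#!/bin/sh
# Constructed ldd output (not from a real Kea build): -lcrypto only.
SAMPLE_CRYPTO_ONLY='    linux-vdso.so.1 (0x00007ffd4a5f2000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f3a10400000)
    libc.so.6 => /lib/libc.so.6 (0x00007f3a10000000)'

# Constructed: libssl recorded as a dependency and resolved by the loader.
SAMPLE_WITH_SSL='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f3a10800000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f3a10400000)'

# Constructed: libssl recorded as a dependency but absent from the search path.
SAMPLE_UNRESOLVED='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f3a10400000)'

# lib_status STEM: read ldd output on stdin and print one of
#   linked     STEM.so* is listed and resolved to a file
#   not-found  STEM.so* is listed but the loader cannot locate it
#   missing    STEM.so* is not listed (ld skipped it, or -lssl never reached the link)
lib_status() {
    awk -v stem="$1" '
        index($1, stem ".so") == 1 {
            state = ($0 ~ /=> not found/) ? "not-found" : "linked"
        }
        END { print (state == "" ? "missing" : state) }
    '
}

# check_kea_binary PATH (hypothetical helper): runs the libtool/ldd command from
# the message, needed because PATH is a libtool wrapper script, not the real binary.
check_kea_binary() {
    libtool --mode=execute ldd "$1" | lib_status libssl
}

# Demo on the constructed samples: prints missing, linked, not-found.
for sample in "$SAMPLE_CRYPTO_ONLY" "$SAMPLE_WITH_SSL" "$SAMPLE_UNRESOLVED"; do
    printf '%s\n' "$sample" | lib_status libssl
done
```

A "missing" result is the case where the forced symbol reference is needed; "not-found" points at the loader search path instead.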


