[Kea-users] Help - Making HTTPS Call from Kea Hook Library

Gokulakrishnan Gopalakrishnan ggopalakrishnan at salesforce.com
Mon Jun 19 09:07:36 UTC 2017


Thanks Francis for the help. I tried solution #2, it worked well.
Now I want it for a fresh install. So, after untar'ing the Kea src, I edited
configure (appended -lcrypto with -lssl) and did the usual installation
(configure, make, make install) and it worked well too. Hope this is a
recommended way.

On Thu, Jun 15, 2017 at 11:27 PM, Francis Dupont <fdupont at isc.org> wrote:

> Gokulakrishnan Gopalakrishnan writes:
> > ...
> > for making HTTPS Call using boost. While starting the server, I'm getting
> > error loading user_chk lib (*undefined Symbol: SSL_library_unit*).
>
> => the cryptolink library uses either the Botan or the OpenSSL crypto
> backend (it was initially Botan only but I added OpenSSL to provide
> an alternative, e.g. for people requiring a certified crypto).
> So if you build Kea with the OpenSSL backend you get the -lcrypto
> dependency, i.e. the low level OpenSSL library. Note that we chose to
> not include direct HTTPS/TLS support inside Kea even though both Botan and
> OpenSSL support TLS, of course with very different API.
> To conclude in your case you need the second SSL/TLS OpenSSL library -lssl
>
> > to build the library with "-lcrypto - lssl". I'm a bit confused on how to
> > change the Makefile to build the library using these two libs.
>
> => you have two choices:
>  - you modify the Makefile.am and rerun autoconf, configure, etc
>
>  - you patch config.status to add -lssl in a variable definition
>   for instance the one with -lcrypto (i.e. you substitute "-lcrypto"
>   by "-lcrypto -lssl" everywhere) and you rerun it by:
>   sh ./config.status
>
> I often use the second solution because it is quick but it is dirty too
> so if it fixes your problem you have to try the first/clean way after.
>
> // Extra notes for corner cases, mainly the hook library case
>
> Note the order can matter (in theory it should not but in practice
> it could). And if you are working with a DSO (aka hook library)
> things can become really complex as hooks are loaded using dlopen()
> so anything the hook can need must be available in the Kea binary.
>
> There are already a few hacks to enforce some symbols to be visible,
> you have an example at the end of src/lib/eval/lexer.ll you can
> adapt to enforce a reference to a symbol in -lssl (without this
> the dynamic library libssl.so will be skipped by ld when the Kea
> binary is built). So if you have the -lssl not adding the library
> you should:
>  - check if the libssl.so is linked by something like
>   libtool --mode=execute ldd kea-dhcp4
>  (with libtool kea-dhcp4 is a shell script, the real binary is in
>   the src/bin/dhcp4/.libs directory and ldd applied directly on it
>   just returns errors saying it can't find libraries)
>   ldd on Linux and BSDs returns the list of dynamic libraries used
>   by the binary
>
>  - if libssl.so is not listed by ldd then add a hack at the end of
>   src/lib/cryptolink/openssl_link.cc with a reference to a libssl.so
>   symbol. Choose one (e.g., SSL_library_init), add its include
>   (<openssl/ssl.h>) and a call to it as in lexer.ll. Note the function
>   will never really be called but it will be referenced.
>   Rebuild and recheck.
>
> Regards
>
> Francis Dupont <fdupont at isc.org>
>
> PS: I assume you use dynamic linking on Linux or BSD. If you use static
> linking (./configure --enable-static-link) and/or Apple OS X / macOS
> some details change.
>
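The ldd check described in the quoted reply, as an added shell example that is not part of the original thread or of Kea. The function names, the three result states and the sample ldd lines are constructed for illustration; `check_binary` assumes `libtool` and `ldd` are on the PATH.

```shell
#!/bin/sh
# Classify one library in ldd output read on stdin.
# Prints: linked  (listed and resolved to a path)
#         missing (listed, but the loader reports "not found")
#         absent  (not listed: ld dropped it, so the symbol-reference
#                  hack described in the thread is the next step)
ldd_lib_state() {
    awk -v lib="$1" '
        # ldd lines look like "libssl.so.1.0.0 => /path (0x...)"
        index($1, lib ".so") == 1 {
            if ($0 ~ /=> not found/) missing = 1; else linked = 1
        }
        END {
            if (linked) print "linked"
            else if (missing) print "missing"
            else print "absent"
        }'
}

# Run the check on a libtool wrapper script such as kea-dhcp4.
# $1: path to the wrapper, $2: library name (defaults to libssl).
check_binary() {
    libtool --mode=execute ldd "$1" | ldd_lib_state "${2:-libssl}"
}

# Constructed ldd output: -lcrypto was linked, -lssl was skipped by ld.
sample_crypto_only() {
    printf '\t%s\n' \
        'linux-vdso.so.1 (0x00007ffc00000000)' \
        'libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000200000)' \
        'libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)'
}

# Constructed ldd output: both OpenSSL libraries are present.
sample_with_ssl() {
    sample_crypto_only
    printf '\t%s\n' \
        'libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000400000)'
}

# Demonstration on the constructed samples.
for s in sample_crypto_only sample_with_ssl; do
    printf '%s: libssl is %s\n' "$s" "$($s | ldd_lib_state libssl)"
done
```

On a real build tree, `check_binary src/bin/dhcp4/kea-dhcp4` gives the same three-way answer for the actual binary.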