curl-library

Re: Regarding linking curl to OpenSSL

From: Michael Stahl via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 22 Aug 2017 13:11:41 +0200

On 22.08.2017 12:15, Rahul Sabnis via curl-library wrote:
> Hello,
>
> We are building curl with OpenSSL. We have also downloaded OpenSSL
> source and built it locally. While building curl we use whatever OpenSSL
> we have built.
>
> --with-ssl=<My OpenSSL Build Directory>
>
> The build is fine and we package and ship libcurl along with our product.
> But we cannot package and ship the openssl library with our product. The
> prerequisite is that OpenSSL will be already installed.
>
> When our product gets installed and libcurl is called, there is a crash.
> After investigation we identified that the version of OpenSSL installed
> on target machine is higher than that we have built libcurl with.
> For confirming this we replaced the openssl library with the one we
> built curl and everything worked fine.
>
> Questions:
> 1. Is this expected behavior or are we missing something here ?

this is completely expected: OpenSSL does not have a stable ABI, every
new version is ABI incompatible.

> 2. Is it possible to make libcurl work with any OpenSSL library
> regardless of what it is built with ?

no.

what you can do is to bundle OpenSSL with your application, but then
you're responsible to update it for the regular CVEs.

on Windows, you can link it dynamically if you want (but don't under any
circumstances install the DLLs into a global directory like
C:/Windows/System32, this is known to break other applications such as
LibreOffice for example).

on ELF based platforms (GNU/Linux, Solaris, ...) you pretty much have to
link it statically, because it's possible that some system library that
is required by your application is linked against OpenSSL, and if it's a
different version of OpenSSL you'll get a mixture of symbols from the 2
OpenSSL shared objects in the ELF global namespace, and (if you're
lucky) that will crash very quickly.

note that there are other TLS libraries out there, for example in
LibreOffice we ship curl linked with NSS, and NSS has a stable ABI so it
doesn't have these problems; Windows/macOS have native TLS libraries
which can be used with curl too, see --with-darwinssl and /DUSE_SCHANNEL.

> Curl version: 7.54.0
> Platform: RHEL (But I am expecting this problem on other platforms like
> AIX, Windows, HP-UX, Solaris).
>
> Thanks,
> Rahul.
Received on 2017-08-22
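
The version mismatch discussed in this thread can be detected at startup instead of surfacing as a crash. The following is an added example, not code from the mail or from the curl project: it decodes the pre-3.0 OpenSSL version number layout and compares the build-time value with the loaded one. The function names, the sample values and the comparison policy are assumptions made for the illustration.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL version numbers are laid out as 0xMNNFFPPS:
 * major, minor, fix, patch letter (0 = none, 1 = 'a', ...), status. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };
enum ossl_cmp { OSSL_SAME, OSSL_PATCH_DIFFERS, OSSL_MISMATCH };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r = { (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff,
                          (v >> 4) & 0xff, v & 0xf };
    return r;
}

/* Render as e.g. "1.0.2k"; returns the number of characters written. */
static int ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    return snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
}

/* Policy assumed for this example: any major/minor/fix difference is a hard
 * mismatch; a patch-letter or status difference is reported separately. */
static enum ossl_cmp ossl_compare(unsigned long built, unsigned long loaded)
{
    struct ossl_ver b = ossl_decode(built), l = ossl_decode(loaded);
    if (b.major != l.major || b.minor != l.minor || b.fix != l.fix)
        return OSSL_MISMATCH;
    if (b.patch != l.patch || b.status != l.status)
        return OSSL_PATCH_DIFFERS;
    return OSSL_SAME;
}

int main(void)
{
    /* Constructed sample values. In a real build, pass OPENSSL_VERSION_NUMBER
     * and OpenSSL_version_num() (SSLeay() on 1.0.x) instead. */
    unsigned long built = 0x100020bfUL, loaded = 0x1010006fUL;
    char b[16], l[16];
    ossl_format(built, b, sizeof b);
    ossl_format(loaded, l, sizeof l);
    if (ossl_compare(built, loaded) == OSSL_MISMATCH)
        printf("built against OpenSSL %s, loaded %s: stop before any TLS call\n", b, l);
    return 0;
}
```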