openssl libs problem

Jaap Struyk japie at deserver.nl
Mon May 28 09:24:41 PDT 2007


Robert Connolly wrote:

> It's odd. I got a lot of google hits on this, it's a known problem with 
> selinux. I'm not sure why I haven't noticed it before. Try to build openssl 
> with:
> make MANDIR=/usr/share/man AS="gcc -c -Wa,--noexecstack"

Thanks Robert,

That did work, but doesn't that leave me with an "unprotected" libssl?
On the other hand, without it I have to disable mprotect in the kernel
which isn't good either.
In the past, I can remember that the hlfs book contained a few
beyond-hlfs apps.; openssh, openntp and then openssl was part of the
"beyond" and if I recall it right it had to be patched for ssp.
Was that patch also removing the execstack like the way above or was that
a "true" adaption of openssl?

Anyway, all's well now and everything I compiled right now worked as
expected apart from gmp-4.2.1.
After a lot of trouble I got it working with "gentoo hardened" patches:

gmp-4.1.4-noexecstack.patch, gmpxx.h.ternary.diff, x86-fat.diff,
gmp-4.2.1-ABI-multilib.patch, mpz_set_d.diff

(only the first one really needed for ssp)
and compiling it with:

export GMPABI=32
env CC="gcc -fno-stack-protector -fno-pic -fno-pie -nopie" ./configure \
    --prefix=/usr --enable-static=no --enable-shared=yes --with-pic
make
make check
make install

Since freshclam uses libgmp for checking sigs, I can't live without it,
maybe someone else can benefit from the above.

Another good thing is that on the new hlfs system the postfix "local"
program doesn't have to be recompiled with -fno-stack-protector, it
works right out of the box.
-- 
Greetings, Japie
http://www.japie.deserver.nl

2.6.21.1 GNU/Linux

Windows 98: Not Plug & Play, but Bug & Pay!
;^)


