Compiling Mod-auth-cas with external OpenSSL

[Colin Ryan]

Folks,

For various reason's I need to compile my own mod_auth_cas module for
use in Apache. I also have my own builds of OpenSSL  within this toolchain.


I cannot for the life of me seem to get mod_auth_cas to use my external
openssl libraries. I've done this many times before for other software
components. I've tried all the tricks of setting OPENSSL_LIBS, CPPFLAGS,
-ldl flag PKG_CONFIG_DIR etc etc that have worked in the past to no
avail. No matter what I do it says it can find ssl.h, finds -lssl, finds
-lcrypto BUT complains that it cannot find an link to OpenSSL and then
builds with the systems default libraries as revealed by an "ldd" on the
resulting mod_auth_so.c


Any thoughts.


Baseline configure is:


./configure --prefix=/opt/aa --with-apxs=/opt/aa/bin/apxs
--with-apr=/opt/aa/bin/apr-1-config --with-openssl=/opt/aa


I've built the apache2 itself in this environment.


I've also tried old tricks like.


/configure OPENSSL_LIBS="-L/opt/aa/lib -lssl -lcrypto"
OPENSSL_CFLAGS="-I/opt/aa/include"  --prefix=/opt/aa
--with-apxs=/opt/aa/bin/apxs --with-apr=/opt/aa/bin/apr-1-config
--with-openssl=/opt/aa


and as I said various variations of these themes.


Sincerely


Colin

[David Hawes]

On Fri, 1 Nov 2019 at 15:41, Colin Ryan <col...@caveo.ca> wrote:
>
> Folks,
>
> For various reason's I need to compile my own mod_auth_cas module for
> use in Apache. I also have my own builds of OpenSSL within this toolchain.
>
>
> I cannot for the life of me seem to get mod_auth_cas to use my external
> openssl libraries. I've done this many times before for other software
> components. I've tried all the tricks of setting OPENSSL_LIBS, CPPFLAGS,
> -ldl flag PKG_CONFIG_DIR etc etc that have worked in the past to no
> avail. No matter what I do it says it can find ssl.h, finds -lssl, finds
> -lcrypto BUT complains that it cannot find an link to OpenSSL and then
> builds with the systems default libraries as revealed by an "ldd" on the
> resulting mod_auth_so.c

What exact error do you get?

You should just need --with-openssl, but I've built with CPPFLAGS and
LDFLAGS as well.

I'd recommend using the same version of OpenSSL for Apache, curl, and
mod_auth_cas unless you want headaches.

[Colin Ryan]

David,

Yes I've built Apache2 itself with SSL using the safe external OpenSSL as I"m trying to use with the module. When I run the totally to stock ./configure line I posted it gives me

checking for openssl/ssl.h in /opt/aa... yes

checking whether compiling and linking against OpenSSL works... no

checking for CRYPTO_new_ex_data in -lcrypto... yes

checking openssl/crypto.h usability... yes

checking openssl/crypto.h presence... yes

checking for openssl/crypto.h... yes

checking openssl/x509.h usability... yes

checking openssl/x509.h presence... yes

checking for openssl/x509.h... yes

Everything compiles but when I install and ldd the .so of the module it's linked to the system's OpenSSL lib's not the ones in my /opt/aa patch.

If I export export CPPFLAGS="-I/opt/aa/include" and LDFLAGS="-L/opt/aa/lib/ -ldl"

Then I get "yes" on the compiling and linking line but the ldd still indicates linkage to the system's version. I suspect the -ldl is needed as I'm dealing with the static OpenSSL  libssl.a and libcrypto.a..

But results still show what they show. As I've mentioned I've had to do this in the past with other components and the right incarnation of environment variables always seems to work it's magic. Just wondering if I'm missing something obvious in this case.

Thanks

Colin

[David Hawes]

On Mon, 4 Nov 2019 at 12:01, Colin Ryan <col...@caveo.ca> wrote:
>
> David,
>
> Yes I've built Apache2 itself with SSL using the safe external OpenSSL as I"m trying to use with the module. When I run the totally to stock ./configure line I posted it gives me
>
> checking for openssl/ssl.h in /opt/aa... yes
>
> checking whether compiling and linking against OpenSSL works... no
>
> checking for CRYPTO_new_ex_data in -lcrypto... yes
>
> checking openssl/crypto.h usability... yes
>
> checking openssl/crypto.h presence... yes
>
> checking for openssl/crypto.h... yes
>
> checking openssl/x509.h usability... yes
>
> checking openssl/x509.h presence... yes
>
> checking for openssl/x509.h... yes
>
>
> Everything compiles but when I install and ldd the .so of the module it's linked to the system's OpenSSL lib's not the ones in my /opt/aa patch.

This is likely showing libraries linked to libcurl. Can you change the
output by setting LD_LIBRARY_PATH=/opt/aa/lib before running ldd?

> If I export export CPPFLAGS="-I/opt/aa/include" and LDFLAGS="-L/opt/aa/lib/ -ldl"
>
> Then I get "yes" on the compiling and linking line but the ldd still indicates linkage to the system's version. I suspect the -ldl is needed as I'm dealing with the static OpenSSL libssl.a and libcrypto.a..

If you're using a recent OpenSSL (1.1), you likely aren't linking
against libssl and libcrypto at all. Removing or commenting out lines
13529-13743 of configure (master) will remove these checks.

[Colin Ryan]

David,

You tweaked my brain. It was indeed a libcurl thing. While I had the right versions it obviously was using system OpenSSL so for those stuck in the future for what it's worth....

* Rebuilt my OpenSSL with shared support.

* Was then able to build my own version of libcurl with

./configure --prefix=/opt/aa --with-ssl=/opt/aa --enable-libcurl

-option

* Then was able to rebuild mod_auth_cas - but I still needed to have LD_FLAGS="-ldl"

./configure --prefix=/opt/aa --with-apxs=/opt/aa/bin/apxs --with-apr=/opt/aa/bin/apr-1-config --with-openssl=/opt/aa --with-libcurl=/opt/aa

So far so good.

Thanks All.

C