Custom Build Errors

Mark Sigsbee

unread,

Apr 15, 2026, 9:13:07 AMApr 15

to openss...@openssl.org

I'm trying to build 3.6.0 with 3.2.1 for its approved FIPS library on Ubuntu 22.04. I know the default version of OpenSSL is 3.0 and basically leave it alone or the world will come to an end.

I'm building a newer version hoping to resolve issues that I'm getting with 3.0 and confirmed by Ubuntu Pro support.

I d/l'ed both into $ /PKI.
I followed the build instructions provided here: openssl/README-FIPS.md at master · openssl/openssl

My check agrees with the check results in the readme.

When I execute:
$ sudo /PKI/openssl-3.6.0/apps/openssl list -providers -verbose

I get this:
/PKI$ sudo /PKI/openssl-3.6.0/apps/openssl list -providers -verbose
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.4.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.2.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.0.9' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.3.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.5.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.6.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)
/PKI/openssl-3.6.0/apps/openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.2.0' not found (required by /PKI/openssl-3.6.0/apps/openssl)

How do I correct this and get my desired result?

Neil Horman

unread,

Apr 15, 2026, 9:31:15 AMApr 15

to Mark Sigsbee, openss...@openssl.org

you don't have the library search path configured correctly on your platform. Try running:

LD_LIBRARY_PATH=/PKI/openssl-3.6.0/lib PKI/openssl-3.6.0/apps/openssl list -providers -verbose

That will allow the application to run. You may also need to set OPENSSL_CONF and OPENSSL_MODULES appropriately to find the needed configuration and provider DSO's

To avoid needing to set these values you need to configure openssl using the --prefix option to set the latter two variables automatically. To avoid the need for LD_LIBRARY_PATH, you either need to configure your environment to add /PKI/openssl-3.6.0/lib[64] to the library search path globally, or install the library to a location already in the search path (though the latter isn't recommended if you are using a system with a default openssl already configured there).

Neil

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/CAPqvXLPc7dDaR3S05bmdSAaFJSZ0k5uSmCs0AY_juicFindorQ%40mail.gmail.com.

Mark Sigsbee

unread,

Apr 15, 2026, 9:45:10 AMApr 15

to Neil Horman, openss...@openssl.org

Thanks for the response.

/PKI/openssl-3.6.0/lib

Doesn't exist.

Neil Horman

unread,

Apr 15, 2026, 9:47:08 AMApr 15

to Mark Sigsbee, openss...@openssl.org

did you run make install to put openssl-3.6 in that directory? Or is that your build directory? If its the latter then the libraries (libcrypto.so.3 and libssl.so.3) will be in the root of that subtree, and LD_LIBRARY_PATH should just be set to /PKI/openssl-3.6.0

Neil

Mark Sigsbee

unread,

Apr 15, 2026, 10:34:33 AMApr 15

to Neil Horman, openss...@openssl.org

Honestly, I've been following so may threads trying to resolve this, at this point I'm not sure what I did. I do know that both of the lib*.so.3 files are in the root folder (openssl-3.6.0).

$ sudo echo $LD_LIBRARY_PATH

/PKI/openssl-3.6.0

I get the same error when re-executing the command.

Neil Horman

unread,

Apr 15, 2026, 10:54:21 AMApr 15

to Mark Sigsbee, openss...@openssl.org

Mark-

Based on what you've described, is it possible that, when you tried to make use of 3.1.2 provider with the 3.6 library that you, in addition to copying the 3.1.2 fips.so file from your 3.1.2 build, you also copied the 3.1.2 libcrypto.so.3 and libssl.so.3 files to the 3.6 directory? That would also result in the errors that you are seeing. Only the fips.so file should have been copied from the 3.1.2 build.

Neil

Mark Sigsbee

unread,

Apr 15, 2026, 1:39:49 PMApr 15

to Neil Horman, openss...@openssl.org

According to this: openssl/README-FIPS.md at master · openssl/openssl

I executed this in the 3.6.0 directory. And I did it in the 3.6.0. directory based on the previous section:

$ cp ../openssl-3.1.2/providers/fips.so providers/.
$ cp ../openssl-3.1.2/providers/fipsmodule.cnf providers/.
// Note that for OpenSSL 3.1.2 that the `fipsmodule.cnf` file should not
// be copied across multiple machines if it contains an entry for
// `install-status`. (Otherwise the self tests would be skipped).

// Validate the output of the following to make sure we are using the
// OpenSSL 3.1.2 FIPS provider
$ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
-provider fips -providers

// Now run the current tests using the OpenSSL 3.1.2 FIPS provider.
$ make tests

Mark Sigsbee

unread,

9:11 AM (1 hour ago) 9:11 AM

to Neil Horman, openss...@openssl.org

When I enter this: LD_LIBRARY_PATH=/PKI/openssl-3.6.0/lib PKI/openssl-3.6.0/apps/openssl list -providers -verbose

I get "command not found".

When I enter this: LD_LIBRARY_PATH=/PKI/openssl-3.6.0/lib /PKI/openssl-3.6.0/apps/openssl list -providers -verbose #added forward slash in front of second PKI

I get the crazy response that I shared above.

Thanks,

Mark

On Wed, Apr 15, 2026 at 9:31 AM Neil Horman <nho...@openssl.org> wrote:

Neil Horman

unread,

9:53 AM (1 hour ago) 9:53 AM

to Mark Sigsbee, openss...@openssl.org

Adding the '/' makes sense, as I expect that PKI/openssl-3.6.0 isn't in your path

As for the linker errors, I'm fairly certain you've somehow mistakenly copied the libcrypto.so.3 library from your 3.1.2 build into /PKI/openssl-3.6.0/lib

If you run this command:

objdump -x /PKI/openssl-3.6.0/apps/openssl

you'll see output that includes this table:

Version References:
required from libc.so.6:
0x069691b3 0x00 16 GLIBC_2.33
0x06969194 0x00 15 GLIBC_2.14
0x069691b4 0x00 13 GLIBC_2.34
0x069691b8 0x00 11 GLIBC_2.38
0x0d696913 0x00 09 GLIBC_2.3
0x09691a75 0x00 06 GLIBC_2.2.5
required from libssl.so.3:
0x06702f20 0x00 18 OPENSSL_3.4.0
0x06702d20 0x00 05 OPENSSL_3.2.0
0x06702b20 0x00 03 OPENSSL_3.0.0
required from libcrypto.so.3:
0x06702b29 0x00 17 OPENSSL_3.0.9
0x06702b23 0x00 14 OPENSSL_3.0.3
0x06702e20 0x00 12 OPENSSL_3.3.0
0x06703020 0x00 10 OPENSSL_3.5.0
0x06702120 0x00 08 OPENSSL_3.6.0
0x06702f20 0x00 07 OPENSSL_3.4.0
0x06702d20 0x00 04 OPENSSL_3.2.0
0x06702b20 0x00 02 OPENSSL_3.0.0

That says the ELF file that is your openssl app requires that symbols from the OPENSSL_3.0.0 through OPENSSL_3.6.0 need to be resolved by this binary in libcrypto.so.3, as well as version 3.0.0, 3.2.0 and 3.4.0 from libssl.so.3. This makes sense, because as we add api calls in minor versions the build system tags them with the version number in which they are added.

If you now run this command:

objdump -x /PKI/openssl-3.6.0/lib/libcrypto.so.3

What you _should_ see is a table that looks like this:

Version definitions:
1 0x01 0x06af4743 libcrypto.so.3
2 0x00 0x06702b20 OPENSSL_3.0.0
3 0x00 0x06702b23 OPENSSL_3.0.3
OPENSSL_3.0.0
4 0x00 0x06702b28 OPENSSL_3.0.8
OPENSSL_3.0.3
5 0x00 0x06702b29 OPENSSL_3.0.9
OPENSSL_3.0.8
6 0x00 0x06702c20 OPENSSL_3.1.0
OPENSSL_3.0.9
7 0x00 0x06702d20 OPENSSL_3.2.0
OPENSSL_3.1.0
8 0x00 0x06702e20 OPENSSL_3.3.0
OPENSSL_3.2.0
9 0x00 0x06702f20 OPENSSL_3.4.0
OPENSSL_3.3.0
10 0x00 0x06703020 OPENSSL_3.5.0
OPENSSL_3.4.0
11 0x00 0x06702120 OPENSSL_3.6.0
OPENSSL_3.5.0

Which define the versions that the openssl app needs from the library, and everything matches up.

What I expect you _will_ see however is a table that looks like this:

objdump -x /PKI/openssl-3.6.0/lib/libcrypto.so.3

Version definitions:
1 0x01 0x06af4743 libcrypto.so.3
2 0x00 0x06702b20 OPENSSL_3.0.0

i.e. the library being pointed to by LD_LIBRARY_PATH doesn't contain the version definitions that the application requires.

I should be a bit more through here. I asserted that somehow you inadvertently copied libcrypto.so.3 and libssl.so.3 from a non-matching build to /PKI/openssl-3.6.0/lib/ . Its possible that didn't happen. Instead it may also be possible that the needed libraries in /PKI/openssl-3.6.0/lib/ don't exist there at all. If that were the case, the LD_LIBRARY_PATH lookup would fail and the runtime loader would fall back to the standard search path, loading /usr/lib64/libcrypto.so.3, which on ubuntu 22.04 would be a build from openssl-3.0.2, which would give you exactly the same error.

I would suggest the following:

1) confirm that /PKI/openssl-3.6.0/lib/libcrypto.so.3 and /PKI/openssl-3.6.0/lib/libssl.so.3 exist

2) Assuming that they do, run the above objdump commands to confirm the output I presented.

If the result of (1) is that those files don't exist in that location, the problem is that you're loading the system libcrypto/libssl and we need to adjust either your library locations or search path to find the right version that you want to use.

If the result of (1) is that those files do exist there in that location, then my initial theory is correct, and you've got an old version of libcrypto/libssl where it shouldn't be.