OpenSSL vs BoringSSL


Mark Sibly

Mar 22, 2022, 6:51:34 PM
to discuss-webrtc
Hello,

Like apparently a lot of people, I've been trying to purge boringssl from webrtc in favor of openssl but haven't managed to crack it yet.

In fact the latest version of webrtc source from a 'fetch' seems to fail to build completely when you try to use openssl. I'm using the following gn args:

is_debug=false use_custom_libcxx=false use_sysroot=false rtc_include_tests=false rtc_build_ssl=false rtc_builtin_ssl_root_certificates=false rtc_ssl_root=\"/usr/include\""

The files openssl_certificate.* and openssl_identity.* contain a bunch of const std::string&'s that look like they should be absl::string_views. Perhaps it's been this way for a while now though, dunno.

These are easy enough to fix (although I'm guessing that code is a bit untested) but you still end up with ssl symbols defined in the output, eg:

nm webrtc-build/release/obj/libwebrtc.a | grep SSL_set_tlsext_host_name
0000000000000000 T SSL_set_tlsext_host_name

This is the particular symbol that was tripping up my app but there's a ton of others in there too.

It would be great to see this fixed properly one of these days, but in the meantime I've found a trick that works for me - just make sure libwebrtc comes before any openssl based libs when you link, eg: my executable works with this:

target_link_libraries(websockettest webrtc websocket core)

...but *not* with this...

target_link_libraries(websockettest websocket webrtc core)

It'll crash on a call to the above mentioned SSL_set_tlsext_host_name.

I'm not sure if it'll work for everyone, but felt it was worth sharing just in case as this issue has been driving me up the wall!

Bye,
Mark

Mark Sibly

Mar 22, 2022, 10:53:21 PM
to discuss-webrtc
OK, turns out that worked for my little test but not my main one for some reason, so I had another hack at removing boringssl completely and came up with this nasty hack:

0) Make sure you're including the 'use openssl' gn args, eg: "rtc_build_ssl=false rtc_builtin_ssl_root_certificates=false rtc_ssl_root=\"/usr/include\"". Note I'm also doing a non-component (static lib) build, not sure if this'll work on component builds.

1) Fix the compile errors in openssl_certificate.* and openssl_identity.*

2) Replace thirdparty/boringssl/BUILD.gn with this:
```
component("boringssl") {
    libs = ["ssl", "crypto"]
}
```
3) Add this after the imports at the top of rtc_base/BUILD.gn (not sure why you need this as well as 2):
```
libs = ["ssl", "crypto"]
```
4) Comment out this line in third_party/usrsctp/usrsctplib/usrsctplib/user_environment.c, not sure what effect this'll have but I'll worry about that later:
```
// #error Only BoringSSL is supported with SCTP_USE_OPENSSL_RAND
```
And that should be it! Now when you look at the lib symbols you just get a bunch of undefined refs:
```
nm webrtc-build/release/obj/libwebrtc.a | egrep 'SSL_.*'
        U OPENSSL_init_crypto
        U OPENSSL_init_ssl
        U SSL_accept
        U SSL_connect
...etc...
```

Bye,
Mark
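
The `nm` check used in the two posts above, turned into a repeatable test: this is an added example, not code from the thread or from the WebRTC project. It reads `nm` output and reports whether an archive still defines TLS symbols itself (`T`) or only references them (`U`); the function names, the prefix list and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `nm` output on stdin and reports
# whether a static archive defines TLS-library symbols itself or only
# references them. The prefix list is an assumption; extend it as needed.
TLS_PREFIXES='^(SSL_|OPENSSL_|EVP_|RAND_|ERR_|X509_)'

# Constructed sample: archive that still carries its own TLS implementation.
sample_bundled() {
cat <<'EOF'
ssl_lib.o:
0000000000000000 T SSL_set_tlsext_host_name
                 U memcpy
openssl_adapter.o:
                 U SSL_connect
EOF
}

# Constructed sample: archive that leaves TLS symbols to the system library.
sample_external() {
cat <<'EOF'
openssl_adapter.o:
                 U OPENSSL_init_crypto
                 U OPENSSL_init_ssl
                 U SSL_accept
                 U SSL_connect
0000000000000000 T webrtc_internal_fn
EOF
}

# Global definitions (address + uppercase type letter) of TLS symbols.
defined_tls_symbols() {
    awk -v re="$TLS_PREFIXES" 'NF == 3 && $2 ~ /^[TDBRW]$/ && $3 ~ re { print $3 }' | sort -u
}

# Undefined references the final link must satisfy from libssl/libcrypto.
undefined_tls_symbols() {
    awk -v re="$TLS_PREFIXES" 'NF == 2 && $1 == "U" && $2 ~ re { print $2 }' | sort -u
}

# "bundled": a second TLS stack is inside the archive and can collide with
# OpenSSL at link time; "external": TLS comes from whatever is linked later.
tls_link_verdict() {
    input=$(cat)
    if [ -n "$(printf '%s\n' "$input" | defined_tls_symbols)" ]; then echo bundled
    elif [ -n "$(printf '%s\n' "$input" | undefined_tls_symbols)" ]; then echo external
    else echo none; fi
}

# Stand-alone use: sh script.sh path/to/libwebrtc.a
if [ $# -gt 0 ]; then nm "$1" | tls_link_verdict; fi
```

A `bundled` verdict in CI is worth failing the build on: it means the TLS code that actually runs depends on link order rather than on the system library you patch.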

Mark Sibly

Mar 22, 2022, 11:02:48 PM
to discuss-webrtc
Oops...apologies for including quoted text, been a while since I did mailing lists....

Samel S

Oct 23, 2022, 7:36:45 AM
to discuss-webrtc
root@ubuntu:~/webrtc/webrtc-checkout/src$ gn gen out/Release --args="is_debug=false use_custom_libcxx=false use_sysroot=false rtc_include_tests=false rtc_build_ssl=false rtc_builtin_ssl_root_certificates=false rtc_ssl_root=\"/usr/include\""
Done. Made 1116 targets from 268 files in 623ms
root@ubuntu:~/webrtc/webrtc-checkout/src$ ninja -C out/Release
ninja: Entering directory `out/Release'
[2442/2576] LINK ./stun_prober
FAILED: stun_prober
python3 "../../build/toolchain/gcc_link_wrapper.py" --output="./stun_prober" -- ../../third_party/llvm-build/Release+Asserts/bin/clang++ -fuse-ld=lld -Wl,--fatal-warnings -Wl,--build-id -fPIC -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--icf=all -Wl,--color-diagnostics -Wl,--no-call-graph-profile-sort -m64 -no-canonical-prefixes -Werror -Wl,-O2 -Wl,--gc-sections -rdynamic -Wl,-z,defs -Wl,--as-needed -pie -Wl,--disable-new-dtags -o "./stun_prober" -Wl,--start-group @"./stun_prober.rsp"  -Wl,--end-group  -latomic -ldl -lpthread -lrt -lX11
ld.lld: error: undefined symbol: RAND_bytes
>>> referenced by helpers.cc
>>>               rtc_base/helpers.o:(rtc::SecureRandomGenerator::Generate(void*, unsigned long)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_MD_CTX_new
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::OpenSSLDigest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_MD_CTX_reset
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::OpenSSLDigest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_DigestInit_ex
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::OpenSSLDigest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)) in archive obj/rtc_base/librtc_base.a
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::Finish(void*, unsigned long)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_md5
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_sha1
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_sha224
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_sha256
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_sha384
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_sha512
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::GetDigestEVP(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, evp_md_st const**)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_MD_CTX_free
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::~OpenSSLDigest()) in archive obj/rtc_base/librtc_base.a
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::~OpenSSLDigest()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_MD_size
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::Size() const) in archive obj/rtc_base/librtc_base.a
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::Finish(void*, unsigned long)) in archive obj/rtc_base/librtc_base.a
>>> referenced by openssl_certificate.cc
>>>               rtc_base/openssl_certificate.o:(rtc::OpenSSLCertificate::ComputeDigest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned char*, unsigned long, unsigned long*) const) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_DigestUpdate
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::Update(void const*, unsigned long)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: EVP_DigestFinal_ex
>>> referenced by openssl_digest.cc
>>>               rtc_base/openssl_digest.o:(rtc::OpenSSLDigest::Finish(void*, unsigned long)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: OPENSSL_init_ssl
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::InitializeSSL()) in archive obj/rtc_base/librtc_base.a
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::InitializeSSL()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: ERR_load_BIO_strings
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::InitializeSSL()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: OPENSSL_init_crypto
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::InitializeSSL()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: RAND_poll
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::InitializeSSL()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: SSL_CTX_up_ref
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::OpenSSLAdapter(rtc::Socket*, rtc::OpenSSLSessionCache*, rtc::SSLCertificateVerifier*)) in archive obj/rtc_base/librtc_base.a

ld.lld: error: undefined symbol: SSL_free
>>> referenced by openssl_adapter.cc
>>>               rtc_base/openssl_adapter.o:(rtc::OpenSSLAdapter::Cleanup()) in archive obj/rtc_base/librtc_base.a

ld.lld: error: too many errors emitted, stopping now (use -error-limit=0 to see all errors)
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
[2447/2576] CXX obj/pc/rtp_sender/rtp_sender.o
ninja: build stopped: subcommand failed.

V I

Oct 23, 2022, 11:44:38 PM
to discuss...@googlegroups.com
You need to add crypto and ssl to the list of the libraries to link. It's just "-latomic -ldl -lpthread -lrt -lX11", but it should also include "-lcrypto -lssl"

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/96e0ca18-bdc6-472b-86f0-106b1e0ac1d1n%40googlegroups.com.

木日卡

Nov 22, 2023, 8:28:00 AM
to discuss-webrtc
According to your configuration, I successfully compiled the Linux version of webrtc on Ubuntu, but failed to compile the Android version. Can you give me some advice?  Looking forward to your reply, thank you.

Harald Alvestrand

Nov 27, 2023, 5:14:42 AM
to discuss...@googlegroups.com
Can you who are attempting this tell us why you want to use openssl?

The OpenSSL configuration is presently not exercised by any bots in the internal builds, it would be good if someone would take on the task of building it on a regular basis and feeding back the necessary patches, but it's not something Google is likely to invest effort (apart from patch review) on.
