Ubuntu and undefined symbol for SSLv2_method
Is Canonical renaming symbols in their package version of openssl, and if so for what purpose? When I compile openssl-1.0.0e.tar.gz (downloaded from openssl.org directly) from scratch I see the necessary symbol, but Python (and I) can't seem to find it in the packaged version.
Read on for more information about how I diagnosed this problem...
I am trying to compile Python 2.6.1 on Ubuntu 11.10, and get the error message above. The reason I am using this older Python is that I am trying to make my Ubuntu installation 100% compatible with a production system for development purposes.
When running
strace -feopen make -j4 |& grep "libssl"
I see that I am using a promising file:
[pid 22614] open("/usr/lib/x86_64-linux-gnu//libssl.so", O_RDONLY) = 7
Running nm, this file has no symbols. However the .a file does have a similar one:
0000000000000030 T SSLv23_method
The package libssl1.0.0-dbg is installed via synaptic, however when I list the installed files for this package all I see is "The list of installed files is only available for installed packages" which is clearly an Ubuntu bug. So I am not sure how I am supposed to check which symbols are present in the .so.
However, I am suspicious that they have renamed SSLv2_method to SSLv23_method in any case.
How to proceed to figure out the status of Ubuntu's openssl-1.0.0?
The Ubuntu people build OpenSSL without SSLv2 support because the protocol has known security issues. So that's why you can't find SSLv2_method in their library even though you can find it when you compile the library yourself.
Ubuntu build logs are publicly available. You can see in the oneiric-i386.openssl_1.0.0e log that the library gets configured with the -no-ssl2 option, which disables support for SSLv2.
./Configure --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/i386-linux-gnu no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 debian-i386
Configuring for debian-i386
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-idea [option] OPENSSL_NO_IDEA (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-mdc2 [option] OPENSSL_NO_MDC2 (skip dir)
no-rc5 [option] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-shared [default]
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib-dynamic [default]
Note that the availability of SSLv23_method does not mean that a client will be able to connect to a server with SSLv2. The OpenSSL documentation briefly discusses this situation:
The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the SSL_CTX_set_options() or SSL_set_options() functions. Using these options it is possible to choose e.g. SSLv23_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like SSLv3 or TLSv1.
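An added example (not part of the original answer, and not Ubuntu's or OpenSSL's own tooling): a short Python parser for the Configure summary quoted in the build log above. It separates features the packager switched off ([option]) from upstream defaults and reports why a symbol such as SSLv2_method is absent. The function names and the SYMBOL_FEATURE lookup are assumptions made for illustration.

```python
import re

# Configure summary lines copied from the build log quoted in the answer above.
BUILD_LOG = """\
Configuring for debian-i386
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-idea [option] OPENSSL_NO_IDEA (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-mdc2 [option] OPENSSL_NO_MDC2 (skip dir)
no-rc5 [option] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-shared [default]
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib-dynamic [default]
"""

# "no-<feature> [<reason>] <OPENSSL_NO_* macro, if any>"
SUMMARY = re.compile(
    r"^no-(?P<feature>[\w-]+)\s+\[(?P<reason>[^\]]+)\]\s*(?P<macro>OPENSSL_NO_\w+)?"
)

# Hypothetical lookup for this example: symbol -> Configure feature that provides it.
SYMBOL_FEATURE = {"SSLv2_method": "ssl2"}


def disabled_features(log):
    """Map each disabled feature to (reason, macro or None)."""
    found = {}
    for line in log.splitlines():
        m = SUMMARY.match(line.strip())
        if m:
            found[m.group("feature")] = (m.group("reason"), m.group("macro"))
    return found


def packager_disabled(log):
    """Features turned off on the Configure command line, not by upstream default."""
    return sorted(f for f, (why, _) in disabled_features(log).items() if why == "option")


def why_missing(symbol, log):
    """Return (macro, reason) if the symbol's feature was compiled out, else None."""
    feature = SYMBOL_FEATURE.get(symbol)
    if feature not in disabled_features(log):
        return None
    reason, macro = disabled_features(log)[feature]
    return macro, reason
```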