Undefined symbol with native 1.1.33 and RHEL5

[Jesse Defer <Je...@asu.edu>]

I am getting the following error from native on Tomcat startup:
/usr/local/java/latest7/bin/java: symbol lookup error: /usr/local/apr/lib/libtcnative-1.so.0.1.33: undefined symbol: SSL_CTX_clear_extra_chain_certs

SSL_CTX_clear_extra_chain_certs does not appear to be part of the RHEL5 distributed OpenSSL 0.9.8.  There are no compile warnings/errors from native,

RHEL5.11
Tomcat 6.0.44
APR 1.5.1

Have the OpenSSL version requirements changed?

Respectfully,
Jesse DeFer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Undefined symbol with native 1.1.33 and RHEL5

[Jesse Defer <Je...@asu.edu>]

> Jesse,
> 
> On 6/4/15 12:49 PM, Christopher Schultz wrote:
> > Jesse,
> >
> > On 6/4/15 11:43 AM, Jesse Defer wrote:
> >> I am getting the following error from native on Tomcat startup:
> >> /usr/local/java/latest7/bin/java: symbol lookup error:
> >> /usr/local/apr/lib/libtcnative-1.so.0.1.33: undefined symbol:
> >> SSL_CTX_clear_extra_chain_certs
> >
> >> SSL_CTX_clear_extra_chain_certs does not appear to be part of the
> >> RHEL5 distributed OpenSSL 0.9.8.  There are no compile
> >> warnings/errors from native,
> >
> >> RHEL5.11 Tomcat 6.0.44 APR 1.5.1
> >
> >> Have the OpenSSL version requirements changed?
> >
> > Are you sure your compile-time and run-time versions of OpenSSL are
> > the same?
> >
> > I'm having trouble finding minimum-version information about
> > SSL_CTX_clear_extra_chain_certs. Can you check in openssl.h (and
> > whatever else it includes on your system) to see if that function is
> > defined?
> >
> > On my Mac, I've got 0.9.8zd plus 1.0.1j and 1.0.2a. Only the 1.0.1 and
> > 1.0.2 versions have that function defined, but it's actually a macro
> > pointing to SSL_CTX_ctrl with some default parameters.
> >
> > So I'm surprised that you're seeing
> > SSL_CTX_clear_extra_chain_certs being called a "symbol", since the
> > compiler should be replacing it with something else. Well, if it's not
> > defined at all, it might assume it's a function with no prototype and
> > just assume that at runtime things will work-out.
> > Looks like not.
> >
> > Re-check your compiler logs: I think you'll find a warning about an
> > unresolved symbol. Probably with the linker, too. But it will only be
> > a warning, depending upon the compiler flags.
> >
> > sslutils:245 uses that macro:
> >
> > SSL_CTX_clear_extra_chain_certs(ctx);
> >
> > Perhaps we need to add a version-check around that, and then define
> > the macro as OpenSSL does if necessary.
> >
> > Can you add a Bugzilla issue for this? Feel free to reference this
> > mailing list thread.
> >
> > -chris
> 
> In the meantime, can you throw this into tcnative.h at the bottom, and re-
> build everything?
> 
> #define SSL_CTX_clear_extra_chain_certs(ctx) \
>         SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
> 
> See if that works for you.
> 
> - -chris

It compiled and it doesn't throw the missing symbol errors anymore.  Everything seems to work but I will continue to test.

I had to add (pulled from openssl 1.0.1):
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83

Jesse

Re: Undefined symbol with native 1.1.33 and RHEL5

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jesse,

On 6/4/15 12:49 PM, Christopher Schultz wrote:
> Jesse,
> 
> On 6/4/15 11:43 AM, Jesse Defer wrote:
>> I am getting the following error from native on Tomcat startup: 
>> /usr/local/java/latest7/bin/java: symbol lookup error: 
>> /usr/local/apr/lib/libtcnative-1.so.0.1.33: undefined symbol: 
>> SSL_CTX_clear_extra_chain_certs
> 
>> SSL_CTX_clear_extra_chain_certs does not appear to be part of
>> the RHEL5 distributed OpenSSL 0.9.8.  There are no compile 
>> warnings/errors from native,
> 
>> RHEL5.11 Tomcat 6.0.44 APR 1.5.1
> 
>> Have the OpenSSL version requirements changed?
> 
> Are you sure your compile-time and run-time versions of OpenSSL
> are the same?
> 
> I'm having trouble finding minimum-version information about 
> SSL_CTX_clear_extra_chain_certs. Can you check in openssl.h (and 
> whatever else it includes on your system) to see if that function
> is defined?
> 
> On my Mac, I've got 0.9.8zd plus 1.0.1j and 1.0.2a. Only the 1.0.1
> and 1.0.2 versions have that function defined, but it's actually a
> macro pointing to SSL_CTX_ctrl with some default parameters.
> 
> So I'm surprised that you're seeing
> SSL_CTX_clear_extra_chain_certs being called a "symbol", since the
> compiler should be replacing it with something else. Well, if it's
> not defined at all, it might assume it's a function with no
> prototype and just assume that at runtime things will work-out.
> Looks like not.
> 
> Re-check your compiler logs: I think you'll find a warning about
> an unresolved symbol. Probably with the linker, too. But it will
> only be a warning, depending upon the compiler flags.
> 
> sslutils:245 uses that macro:
> 
> SSL_CTX_clear_extra_chain_certs(ctx);
> 
> Perhaps we need to add a version-check around that, and then
> define the macro as OpenSSL does if necessary.
> 
> Can you add a Bugzilla issue for this? Feel free to reference this 
> mailing list thread.
> 
> -chris

In the meantime, can you throw this into tcnative.h at the bottom, and
re-build everything?

#define SSL_CTX_clear_extra_chain_certs(ctx) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)

See if that works for you.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVcIIeAAoJEBzwKT+lPKRYwdkP/3o1G+EtRRXMse5UI7+a2cU7
aRXcOQciDa9qbyDOFsNRWwayZuvK6yfE4JRXFfsBKlJ50Ec1alJd4dzqXz+BDsTx
Q457uI07tr5pLZ+WMpUhlricmpGwD95b+UKWNrZX19D2ZZEHuhRuKwXsC2rSTq8D
bhYxjihgbMQxRozfjfw9NbMnQ1ZJAHLm7TiTp9JbkSQKmYxQ3SnQ9QtTkLII8+yF
WfOT7Y3bBeGpUPFN+/C335qAUQDkcx2iVlHUJfKeHIiy2XRv27D3/tkQM/9taAvD
Xt5J1hjqKFmAn0IELHd/TEzeMiDPCKheE7UDURSgVTbg8zcHvzMQANRzg7b/DLBm
XOTT9GAhJd8+ApqlfMuZidv6rxCcLsG7BZPXbnIYh6J0d21vjVGQCvPo0oCBi3/3
ymbZAkHzl1otfA7+fNyqG4oOOehCjGmwkev2qmrzyVTXRI2axFpWuDGbYTatGrWW
6wGTIBlJxhUCSxW4rK1kQEgWueyNTbG/Y/pHG7G4fdOYwsxRlT0MgRTj2CY/fvsS
BmuCysD9VBuXMiWzc0V1Ixf19pBzX10qDlSBNPPpaeC36KJhAwwZDdEiDOFf+UtG
NAGMy8Ig8zCPxXr4Guci7ps4MKKbbl5Zq5ND5hAqJxn/xqVBqRLh/lZDIks5Ozp3
7m3pDF3uM5n9sCzjBYjD
=xQfW
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Undefined symbol with native 1.1.33 and RHEL5

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jesse,

On 6/4/15 11:43 AM, Jesse Defer wrote:
> I am getting the following error from native on Tomcat startup: 
> /usr/local/java/latest7/bin/java: symbol lookup error:
> /usr/local/apr/lib/libtcnative-1.so.0.1.33: undefined symbol:
> SSL_CTX_clear_extra_chain_certs
> 
> SSL_CTX_clear_extra_chain_certs does not appear to be part of the
> RHEL5 distributed OpenSSL 0.9.8.  There are no compile
> warnings/errors from native,
> 
> RHEL5.11 Tomcat 6.0.44 APR 1.5.1
> 
> Have the OpenSSL version requirements changed?

Are you sure your compile-time and run-time versions of OpenSSL are
the same?

I'm having trouble finding minimum-version information about
SSL_CTX_clear_extra_chain_certs. Can you check in openssl.h (and
whatever else it includes on your system) to see if that function is
defined?

On my Mac, I've got 0.9.8zd plus 1.0.1j and 1.0.2a. Only the 1.0.1 and
1.0.2 versions have that function defined, but it's actually a macro
pointing to SSL_CTX_ctrl with some default parameters.

So I'm surprised that you're seeing SSL_CTX_clear_extra_chain_certs
being called a "symbol", since the compiler should be replacing it
with something else. Well, if it's not defined at all, it might assume
it's a function with no prototype and just assume that at runtime
things will work-out. Looks like not.

Re-check your compiler logs: I think you'll find a warning about an
unresolved symbol. Probably with the linker, too. But it will only be
a warning, depending upon the compiler flags.

sslutils:245 uses that macro:

  SSL_CTX_clear_extra_chain_certs(ctx);

Perhaps we need to add a version-check around that, and then define
the macro as OpenSSL does if necessary.

Can you add a Bugzilla issue for this? Feel free to reference this
mailing list thread.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVcIGMAAoJEBzwKT+lPKRYw08P/icdrYqC64xnIkSLoXr7JIqb
6hB2efkSbGT9QMZRAcfLyV8rD0m+qdj9X2qh+Bak2kMpvSjZ6lhTgo+NcVY9Ns0a
FddZg/tXzl8qmoK1V7RsT0/zJ8lguWZ2uLbZw+aTZMBHyI1Co6Hy8owglKFQrePs
HreWGDtEHFjhZsqHE8DlNjl+usXC0gNHTNn8V2orlyk0zrfLyoaBeD0fpwlMRy3m
KhJ5y6KvlXmP0pjqJyWeddJiDoEWALnIooewddJJ/B5XfHkC5P4OIQZ0jtFYpC+D
fLFV5INK8RKcwI9bPezWJ8glnKr9xZvz/l6fb+cDbliMYaOePA/33sFbvC7ZoC2/
CYzexNUBd2642+4ttdPSW67ifmex6WRoam9AHbSTA0Y8UGOEuRTlNp3i7k+IVs0u
ywi1AeTx+D/v/VUgoY8++WT30Il8NcldJStOhlz2/zYOCLdtWRTiBzAoSBCpqerh
9AluB7glhYerjYLRJ8aSxfr6o3jESORi6MqgL9Bn2gXmWmvUCCs93W2xAMrXI8IH
CYrjcLVcPTWgrZ+arwhEO57VTyIyGmbA/0pSJhSBpIv6kJ54Xq1aHm62zXb90RZ+
Rimal9N3p/fB5pIc/I0fiW4gRhY2S2MIksM+e3sq1CmPQYDVEZTr73XZoj+M6u0a
G167bznhuNZz7PAG1/fA
=UDm6
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org