1351362 – radosgw binary wrongly linked with multiple SSL implementation libs (NSS -and- OpenSSL)

Bug 1351362 - radosgw binary wrongly linked with multiple SSL implementation libs (NSS -and- OpenSSL)

Summary: radosgw binary wrongly linked with multiple SSL implementation libs (NSS -and...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	2.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	2.0
Assignee:	Matt Benjamin (redhat)
QA Contact:	Rachana Patel
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-29 21:13 UTC by Matt Benjamin (redhat)
Modified:	2017-07-30 15:42 UTC (History)
CC List:	11 users (show)
Fixed In Version:	RHEL: ceph-10.2.2-11.el7cp Ubuntu: ceph_10.2.2-9redhat1xenial
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-23 19:43:20 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	16535	0	None	None	None	2016-06-29 22:31:58 UTC
Red Hat Product Errata	RHBA-2016:1755	0	normal	SHIPPED_LIVE	Red Hat Ceph Storage 2.0 bug fix and enhancement update	2016-08-23 23:23:52 UTC

Description Matt Benjamin (redhat) 2016-06-29 21:13:39 UTC

Description of problem:

The change to enable SSL with RGW civetweb front-end introduced incorrect dynamic linkage with OpenSSL's SSL implementation, when instead the (correct) NSS SSL implementation was required (and already linked).

How reproducible:
Manifest.

Steps to Reproduce:
objdump -p bin/radosgw shows libssl3.so (correct) but also libssl.so.10 (incorrect, for our build)

Additional info:
Merely running "ldd bin/radosgw" on a CORRECTLY linked radosgw binary is not a reliable test for correct linkage, due to a (possible) packaging problem with libcurl.so on RHEL7--libcurl.so dynamically links libssh2.so to get libcrypto, which in turn links libssl.so--so there is indirect dynamic linkage with libssl.so currently either way.  HOWEVER, that issue, if it is a bug, can be resolved by updating the affected non-Ceph packages.  (Bug being filed with Fedora.)

Comment 3 Matt Benjamin (redhat) 2016-06-29 21:38:33 UTC

Upstream tracking issue #16535

Comment 7 shilpa 2016-07-14 09:15:14 UTC

Since RGW Native SSL support has been moved to 2.1, can this BZ be moved to 2.1 too?

Comment 8 Ken Dreyer (Red Hat) 2016-07-14 09:17:32 UTC

The patch is already in for 2.0, so let's keep this bug for 2.0.

Comment 9 shilpa 2016-07-14 10:13:53 UTC

I ran the command on ceph 10.2.2-18. Not sure where I should look for libssl3.so

# objdump -p /usr/bin/radosgw

/usr/bin/radosgw:     file format elf64-x86-64

Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3
         filesz 0x00000000000001f8 memsz 0x00000000000001f8 flags r-x
  INTERP off    0x0000000000000238 vaddr 0x0000000000000238 paddr 0x0000000000000238 align 2**0
         filesz 0x000000000000001c memsz 0x000000000000001c flags r--
    LOAD off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**21
         filesz 0x00000000000326e9 memsz 0x00000000000326e9 flags r-x
    LOAD off    0x0000000000032f38 vaddr 0x0000000000232f38 paddr 0x0000000000232f38 align 2**21
         filesz 0x0000000000002670 memsz 0x0000000000003200 flags rw-
 DYNAMIC off    0x00000000000342f0 vaddr 0x00000000002342f0 paddr 0x00000000002342f0 align 2**3
         filesz 0x0000000000000260 memsz 0x0000000000000260 flags rw-
    NOTE off    0x0000000000000254 vaddr 0x0000000000000254 paddr 0x0000000000000254 align 2**2
         filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--
EH_FRAME off    0x000000000002da00 vaddr 0x000000000002da00 paddr 0x000000000002da00 align 2**2
         filesz 0x0000000000000944 memsz 0x0000000000000944 flags r--
   STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
   RELRO off    0x0000000000032f38 vaddr 0x0000000000232f38 paddr 0x0000000000232f38 align 2**0
         filesz 0x00000000000020c8 memsz 0x00000000000020c8 flags r--

Dynamic Section:
  NEEDED               librgw.so.2
  NEEDED               libcurl.so.4
  NEEDED               libfcgi.so.0
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libstdc++.so.6
  NEEDED               libgcc_s.so.1
  NEEDED               libc.so.6
  INIT                 0x000000000000f958
  FINI                 0x0000000000029f24
  INIT_ARRAY           0x0000000000232f38
  INIT_ARRAYSZ         0x0000000000000038
  FINI_ARRAY           0x0000000000232f70
  FINI_ARRAYSZ         0x0000000000000008
  GNU_HASH             0x0000000000000298
  STRTAB               0x0000000000005030
  SYMTAB               0x0000000000000d88
  STRSZ                0x00000000000051b5
  SYMENT               0x0000000000000018
  DEBUG                0x0000000000000000
  PLTGOT               0x0000000000234550
  PLTRELSZ             0x0000000000001c98
  PLTREL               0x0000000000000007
  JMPREL               0x000000000000dcc0
  RELA                 0x000000000000a8b8
  RELASZ               0x0000000000003408
  RELAENT              0x0000000000000018
  BIND_NOW             0x0000000000000000
  FLAGS_1              0x0000000000000001
  VERNEED              0x000000000000a778
  VERNEEDNUM           0x0000000000000005
  VERSYM               0x000000000000a1e6
  RELACOUNT            0x00000000000000d9

Version References:
  required from libgcc_s.so.1:
    0x0b792650 0x00 15 GCC_3.0
  required from libdl.so.2:
    0x09691a75 0x00 12 GLIBC_2.2.5
  required from libpthread.so.0:
    0x09691972 0x00 11 GLIBC_2.3.2
    0x09691a75 0x00 06 GLIBC_2.2.5
  required from libstdc++.so.6:
    0x0297f861 0x00 14 GLIBCXX_3.4.11
    0x02297f89 0x00 13 GLIBCXX_3.4.9
    0x0297f865 0x00 08 GLIBCXX_3.4.15
    0x056bafd3 0x00 04 CXXABI_1.3
    0x08922974 0x00 03 GLIBCXX_3.4
  required from libc.so.6:
    0x0d696917 0x00 16 GLIBC_2.7
    0x0d696914 0x00 10 GLIBC_2.4
    0x09691974 0x00 09 GLIBC_2.3.4
    0x0d696913 0x00 07 GLIBC_2.3
    0x06969194 0x00 05 GLIBC_2.14
    0x09691a75 0x00 02 GLIBC_2.2.5

Comment 10 Matt Benjamin (redhat) 2016-07-19 18:20:27 UTC

This linkage looks correct.

Comment 11 shilpa 2016-07-20 09:16:10 UTC

(In reply to Matt Benjamin (redhat) from comment #10)
> This linkage looks correct.

Thanks Matt. Is there anything else to be verified here?

Comment 12 Matt Benjamin (redhat) 2016-07-20 13:28:08 UTC

(In reply to shilpa from comment #11)
> (In reply to Matt Benjamin (redhat) from comment #10)
> > This linkage looks correct.
> 
> Thanks Matt. Is there anything else to be verified here?

I do not believe so.  Thanks!

Comment 13 shilpa 2016-07-20 16:20:33 UTC

Moving it to verified.

Comment 15 errata-xmlrpc 2016-08-23 19:43:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html

Note You need to log in before you can comment on or make changes to this bug.