Bug 1351362 - radosgw binary wrongly linked with multiple SSL implementation libs (NSS -and- OpenSSL)
Summary: radosgw binary wrongly linked with multiple SSL implementation libs (NSS -and...
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.0
Hardware: All
OS: Linux
Target Milestone: rc
: 2.0
Assignee: Matt Benjamin (redhat)
QA Contact: Rachana Patel
Depends On:
TreeView+ depends on / blocked
Reported: 2016-06-29 21:13 UTC by Matt Benjamin (redhat)
Modified: 2017-07-30 15:42 UTC (History)
11 users (show)

Fixed In Version: RHEL: ceph-10.2.2-11.el7cp Ubuntu: ceph_10.2.2-9redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-08-23 19:43:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 16535 0 None None None 2016-06-29 22:31:58 UTC
Red Hat Product Errata RHBA-2016:1755 0 normal SHIPPED_LIVE Red Hat Ceph Storage 2.0 bug fix and enhancement update 2016-08-23 23:23:52 UTC

Description Matt Benjamin (redhat) 2016-06-29 21:13:39 UTC
Description of problem:

The change to enable SSL with RGW civetweb front-end introduced incorrect dynamic linkage with OpenSSL's SSL implementation, when instead the (correct) NSS SSL implementation was required (and already linked).

How reproducible:

Steps to Reproduce:
objdump -p bin/radosgw shows libssl3.so (correct) but also libssl.so.10 (incorrect, for our build)

Additional info:
Merely running "ldd bin/radosgw" on a CORRECTLY linked radosgw binary is not a reliable test for correct linkage, due to a (possible) packaging problem with libcurl.so on RHEL7--libcurl.so dynamically links libssh2.so to get libcrypto, which in turn links libssl.so--so there is indirect dynamic linkage with libssl.so currently either way.  HOWEVER, that issue, if it is a bug, can be resolved by updating the affected non-Ceph packages.  (Bug being filed with Fedora.)

Comment 3 Matt Benjamin (redhat) 2016-06-29 21:38:33 UTC
Upstream tracking issue #16535

Comment 7 shilpa 2016-07-14 09:15:14 UTC
Since RGW Native SSL support has been moved to 2.1, can this BZ be moved to 2.1 too?

Comment 8 Ken Dreyer (Red Hat) 2016-07-14 09:17:32 UTC
The patch is already in for 2.0, so let's keep this bug for 2.0.

Comment 9 shilpa 2016-07-14 10:13:53 UTC
I ran the command on ceph 10.2.2-18. Not sure where I should look for libssl3.so

# objdump -p /usr/bin/radosgw

/usr/bin/radosgw:     file format elf64-x86-64

Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3
         filesz 0x00000000000001f8 memsz 0x00000000000001f8 flags r-x
  INTERP off    0x0000000000000238 vaddr 0x0000000000000238 paddr 0x0000000000000238 align 2**0
         filesz 0x000000000000001c memsz 0x000000000000001c flags r--
    LOAD off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**21
         filesz 0x00000000000326e9 memsz 0x00000000000326e9 flags r-x
    LOAD off    0x0000000000032f38 vaddr 0x0000000000232f38 paddr 0x0000000000232f38 align 2**21
         filesz 0x0000000000002670 memsz 0x0000000000003200 flags rw-
 DYNAMIC off    0x00000000000342f0 vaddr 0x00000000002342f0 paddr 0x00000000002342f0 align 2**3
         filesz 0x0000000000000260 memsz 0x0000000000000260 flags rw-
    NOTE off    0x0000000000000254 vaddr 0x0000000000000254 paddr 0x0000000000000254 align 2**2
         filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--
EH_FRAME off    0x000000000002da00 vaddr 0x000000000002da00 paddr 0x000000000002da00 align 2**2
         filesz 0x0000000000000944 memsz 0x0000000000000944 flags r--
   STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
   RELRO off    0x0000000000032f38 vaddr 0x0000000000232f38 paddr 0x0000000000232f38 align 2**0
         filesz 0x00000000000020c8 memsz 0x00000000000020c8 flags r--

Dynamic Section:
  NEEDED               librgw.so.2
  NEEDED               libcurl.so.4
  NEEDED               libfcgi.so.0
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libstdc++.so.6
  NEEDED               libgcc_s.so.1
  NEEDED               libc.so.6
  INIT                 0x000000000000f958
  FINI                 0x0000000000029f24
  INIT_ARRAY           0x0000000000232f38
  INIT_ARRAYSZ         0x0000000000000038
  FINI_ARRAY           0x0000000000232f70
  FINI_ARRAYSZ         0x0000000000000008
  GNU_HASH             0x0000000000000298
  STRTAB               0x0000000000005030
  SYMTAB               0x0000000000000d88
  STRSZ                0x00000000000051b5
  SYMENT               0x0000000000000018
  DEBUG                0x0000000000000000
  PLTGOT               0x0000000000234550
  PLTRELSZ             0x0000000000001c98
  PLTREL               0x0000000000000007
  JMPREL               0x000000000000dcc0
  RELA                 0x000000000000a8b8
  RELASZ               0x0000000000003408
  RELAENT              0x0000000000000018
  BIND_NOW             0x0000000000000000
  FLAGS_1              0x0000000000000001
  VERNEED              0x000000000000a778
  VERNEEDNUM           0x0000000000000005
  VERSYM               0x000000000000a1e6
  RELACOUNT            0x00000000000000d9

Version References:
  required from libgcc_s.so.1:
    0x0b792650 0x00 15 GCC_3.0
  required from libdl.so.2:
    0x09691a75 0x00 12 GLIBC_2.2.5
  required from libpthread.so.0:
    0x09691972 0x00 11 GLIBC_2.3.2
    0x09691a75 0x00 06 GLIBC_2.2.5
  required from libstdc++.so.6:
    0x0297f861 0x00 14 GLIBCXX_3.4.11
    0x02297f89 0x00 13 GLIBCXX_3.4.9
    0x0297f865 0x00 08 GLIBCXX_3.4.15
    0x056bafd3 0x00 04 CXXABI_1.3
    0x08922974 0x00 03 GLIBCXX_3.4
  required from libc.so.6:
    0x0d696917 0x00 16 GLIBC_2.7
    0x0d696914 0x00 10 GLIBC_2.4
    0x09691974 0x00 09 GLIBC_2.3.4
    0x0d696913 0x00 07 GLIBC_2.3
    0x06969194 0x00 05 GLIBC_2.14
    0x09691a75 0x00 02 GLIBC_2.2.5

Comment 10 Matt Benjamin (redhat) 2016-07-19 18:20:27 UTC
This linkage looks correct.

Comment 11 shilpa 2016-07-20 09:16:10 UTC
(In reply to Matt Benjamin (redhat) from comment #10)
> This linkage looks correct.

Thanks Matt. Is there anything else to be verified here?

Comment 12 Matt Benjamin (redhat) 2016-07-20 13:28:08 UTC
(In reply to shilpa from comment #11)
> (In reply to Matt Benjamin (redhat) from comment #10)
> > This linkage looks correct.
> Thanks Matt. Is there anything else to be verified here?

I do not believe so.  Thanks!

Comment 13 shilpa 2016-07-20 16:20:33 UTC
Moving it to verified.

Comment 15 errata-xmlrpc 2016-08-23 19:43:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.