
I'm using an old version of Ubuntu, 10.04, which is no longer maintained. The payment system I'm using has recently updated its SSL/TLS certificates and now requires openssl > 1.0.0.

I've downloaded the latest version and built it from scratch using the following commands:

CFLAGS=-fPIC ./config shared
CFLAGS='$CFLAGS -fPIC -Wl -Bsymbolic' CXXFLAGS='$CXXFLAGS -fPIC -Wl -Bsymbolic' make
make test
make install

After running make install, it put all the files under /usr/local/ssl. I then added the new path to /etc/environment to make the OS find the new version of openssl before the system's one.

I've installed rbenv and the ruby-build plugin for it to build ruby from scratch, pointing to the newly compiled openssl library. However, ruby won't use the specified version and uses the system's version instead. Running `ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'` reports I'm still using the 0.9.8k version. The command used for compiling ruby is as follows:

CFLAGS="$CFLAGS -fPIC" RUBY_CONFIGURE_OPTS="--with-openssl-dir=/usr/local/ssl" rbenv install ree-1.8.7-2012.02

I've looked through compiler logs and it seems ruby-build is using the specified path for ssl.

I've also tried upgrading the operating system but that didn't help since 10.04 and 12.04 have diverged greatly and I had a lot of conflicts in config files.

So the question is how can I compile openssl and ruby so that ruby uses the specified openssl binaries and headers during its compilation?

jww
roman
  • *"I understand this may not be the right question for stackoverflow..."* works for me. You have a `CFLAGS`, and you're invoking a compiler driver. That's much more on-topic than a lot of the crap that shows up here. – jww Oct 03 '15 at 10:43

1 Answer


> So the question is how can I compile openssl and ruby so that ruby uses the specified openssl binaries and headers during its compilation?

So, my first response is to migrate to Ubuntu 14.04. Ubuntu 14.04 is LTS, and it provides the latest OpenSSL. I would skip Ubuntu 12.04. Barring that...


Moving on from a platform upgrade, first build OpenSSL with RPATHs. That's because OpenSSL only enables them for the BSDs, and not the Linuxes. Without them, libssl will use the system's libcrypto in /usr/lib, rather than the one you provide in /usr/local/ssl/lib.

To build OpenSSL with RPATHs, see Build OpenSSL with RPATH? on Stack Overflow or Compilation and Installation | Using RPATHs on the OpenSSL wiki.

Once you build OpenSSL with RPATHs, then you have to do the same for Ruby. Export the appropriate CFLAGS and LDFLAGS, and then:

./configure --with-openssl-dir=/usr/local/ssl --prefix=/usr/local
make
sudo make install

I get tired of all these stupid RPATH/DLL Hell games (yes, even Linux suffers them). I often do this to avoid it altogether:

$ cd ruby
$ egrep -IR "(\-lssl|\-lcrypto)" * | cut -d ":" -f 1 | uniq | sort

From that, you will get a list of files that link to OpenSSL. The list will probably be configure.ac, configure and Makefile.

Then use sed to remove the dynamic linking part by cutting-in the static archive:

$ sed -i 's|-lssl|/usr/local/ssl/lib/libssl.a|g' configure.ac configure Makefile
$ sed -i 's|-lcrypto|/usr/local/ssl/lib/libcrypto.a|g' configure.ac configure Makefile

Then, all those silly RPATH problems go away. The only thing left is to ensure you are using the right headers. For that, after doing the grep/sed trick:

$ export CFLAGS="-I/usr/local/ssl/include -I/usr/local/ssl/include/openssl"
$ ./configure --with-openssl-dir=/usr/local/ssl --prefix=/usr/local
$ make
$ sudo make install

Once installed, you won't even have the external OpenSSL dependency.


Now, with all that said, I just downloaded Ruby 2.2.3, and there is no INSTALL to tell us how to configure and build the library. In addition, it appears there are no configuration options for utilizing OpenSSL:

ruby-2.2.3$ ./configure --help | grep -i ssl
ruby-2.2.3$ ./configure --help | grep -i tls

And grep is turning up 0 hits for the libraries they would be using:

ruby-2.2.3$ grep -IR "\-lssl" *
ruby-2.2.3$ grep -IR "\-lcrypto" *

So, I'm not sure what to make of it.

I basically gave up on Ruby a long time ago because it's so damn difficult to do the simplest things related to setting up a secure channel, like disabling SSLv3, disabling Compression and enabling SNI. See, for example, How to set TLS context options in Ruby (like OpenSSL::SSL::SSL_OP_NO_SSLv2) and using Server Name Indication when running with TLS 1.0 and above.

Community
jww
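One way to check the outcome of the RPATH or static-archive approach described in the answer above, as an added example that is not part of the original question or answer: two helpers that read `ldd` and `readelf -d` output and report whether libssl/libcrypto resolve under `/usr/local/ssl`. The function names are hypothetical and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ldd` output on stdin and
# reports where libssl/libcrypto resolve. Exit 0: all under PREFIX,
# 1: at least one resolves elsewhere or is missing, 2: neither is linked
# dynamically (the expected result after the static-archive approach).
check_openssl_links() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen = 1
            path = ($2 == "=>" && $3 != "not") ? $3 : ""
            if (path == "")                        { bad = 1; print "MISSING " $1 }
            else if (index(path, prefix "/") == 1) print "OK      " $1 " -> " path
            else                                   { bad = 1; print "SYSTEM  " $1 " -> " path }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Reads `readelf -d` output on stdin; exit 0 if DIR is listed in RPATH or RUNPATH.
# ldd also honours LD_LIBRARY_PATH, so this shows what is baked into the binary.
has_rpath() {
    awk -v want="$1" '
        /\((RPATH|RUNPATH)\)/ {
            s = substr($0, index($0, "[") + 1)
            s = substr(s, 1, index(s, "]") - 1)
            n = split(s, dirs, ":")
            for (i = 1; i <= n; i++) if (dirs[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: the failure mode described in the answer, where libssl comes
# from /usr/local/ssl/lib but libcrypto still resolves to the copy in /usr/lib.
SAMPLE_LDD='  libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000000000)
  libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000100000)
  libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'
SAMPLE_READELF=' 0x000000000000000f (RPATH)              Library rpath: [/usr/local/ssl/lib]'

printf '%s\n' "$SAMPLE_LDD" | check_openssl_links /usr/local/ssl || echo "exit status $? (1 = a system copy is in use)"
printf '%s\n' "$SAMPLE_READELF" | has_rpath /usr/local/ssl/lib && echo "RPATH present"
# Real use (path is a placeholder): ldd /path/to/openssl.so | check_openssl_links /usr/local/ssl
```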