Message389379
GH-24989 adds -Wl,--exclude-libs just for libssl.a and libcrypto.a IFF support for -Wl,--exclude-libs,ALL is detected by configure. This puts the symbols from the OpenSSL archive files into the LOCAL segment of ELF binaries. The PR does not set -Wl,--exclude-libs,ALL because I like to keep behavior the same as with 3.9.
When OpenSSL is locally built with "no-shared -fPIC", then Python automatically builds partially static-linked _ssl and _hashlib extension modules that do not pollute the global namespace:
$ ./config \
--prefix=/home/heimes/dev/python/multissl/openssl/1.1.1j-static \
--openssldir=/etc/pki/tls \
no-shared -fPIC
...
$ ./configure --with-openssl=/home/heimes/dev/python/multissl/openssl/1.1.1j-static
$ make
$ ldd build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so
linux-vdso.so.1 (0x00007fff8dbbc000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa5a533d000)
libc.so.6 => /lib64/libc.so.6 (0x00007fa5a5172000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa5a56ac000)
$ readelf -Ws build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so | grep SSL_CTX_new
5617: 0000000000072a90 1133 FUNC LOCAL DEFAULT 11 SSL_CTX_new
I deliberately did not update documentation with instructions for static linking. Static linking of OpenSSL has security and compatibility implications. I don't want to officially support it and deal with bug reports. -Wl,--exclude-libs just enables sane partial static-linking.
Date | User | Action | Args
2021-03-23 10:04:34 | christian.heimes | set | recipients: + christian.heimes, barry, gregory.p.smith, vstinner, pablogsal
2021-03-23 10:04:34 | christian.heimes | set | messageid: <1616493874.61.0.1868346084.issue43466@roundup.psfhosted.org>
2021-03-23 10:04:34 | christian.heimes | link | issue43466 messages
2021-03-23 10:04:34 | christian.heimes | create |
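
The readelf check in the message looks at a single symbol. As an added example (not part of the original message or of CPython's build system), this Python script generalizes it to every OpenSSL-prefixed symbol in `readelf -Ws` output and reports the ones that are defined in the module and still exported. The prefix list, the function name and the sample rows other than the SSL_CTX_new line are assumptions constructed for illustration.

```python
import re

# Illustrative subset of OpenSSL public API prefixes (assumption; extend as needed).
OPENSSL_PREFIXES = ("SSL_", "EVP_", "CRYPTO_", "OPENSSL_", "X509_", "BIO_", "ERR_")

# One row of `readelf -Ws`: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\S+\s+(?P<type>\S+)\s+(?P<bind>\S+)\s+"
    r"(?P<vis>\S+)\s+(?P<ndx>\S+)\s+(?P<name>\S+)"
)

def exported_openssl_symbols(readelf_output):
    """Return sorted names of OpenSSL symbols that are defined in the object
    and still visible to other libraries (GLOBAL or WEAK binding)."""
    leaked = set()
    for line in readelf_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # table headers, blank lines, the nameless symbol 0
        name = m["name"].split("@", 1)[0]  # drop symbol-version suffix
        if not name.startswith(OPENSSL_PREFIXES):
            continue
        if m["ndx"] == "UND":
            continue  # imported from a shared library, not defined here
        if m["bind"] in ("GLOBAL", "WEAK") and m["vis"] in ("DEFAULT", "PROTECTED"):
            leaked.add(name)
    return sorted(leaked)

# Constructed sample rows; the first HIDDEN row is the one quoted in the message.
HIDDEN = """\
  5617: 0000000000072a90  1133 FUNC    LOCAL  DEFAULT   11 SSL_CTX_new
   412: 0000000000031f40    88 FUNC    GLOBAL DEFAULT   11 PyInit__ssl
"""
LEAKY = """\
    37: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND SSL_read@OPENSSL_1_1_0
   905: 0000000000072a90  1133 FUNC    GLOBAL DEFAULT   11 SSL_CTX_new
   906: 0000000000081c10    12 FUNC    GLOBAL DEFAULT   11 EVP_sha256
"""

if __name__ == "__main__":
    import sys
    found = exported_openssl_symbols(sys.stdin.read())
    print("\n".join(found) or "no exported OpenSSL symbols")
    sys.exit(1 if found else 0)
```

Pipe the output of `readelf -Ws` for the built extension module into the script on stdin; a non-zero exit status means OpenSSL definitions are still exported from the module.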