Regression in GSSAPI/libxh509 linking? [PR bin/147175]

Andrew Reilly areilly at
Tue Jul 6 14:14:31 UTC 2010

Hi Kostik,

Thanks for looking at this,

On 06/07/2010, at 23:46 , Kostik Belousov wrote:
> Ok, this is useful. But, on the HEAD from Jul 2, I cannot reproduce it,
> with conftest.c and command line above. As well as on the stable/8 that
> is approx. one month old.
> On both systems, MD2_* symbols are resolved by Check
> your instance, do the symbols appear in the library ?

On both my 8- and -current (Jul 3) base systems, has the MD2_* symbols, and doesn't (but requires to them).  /usr/local/lib/libcrpto.a does *not* have the MD2 symbols.

> As a long shot, do you have openssl 1.0 installed from ports ?

My -current box does.  My 8.1-RC doesn't.

> Note the -L /usr/local/lib switch, that causes -lcrypto to be resolved
> from /usr/local/lib, if present. AFAIR, 1.0 removed MD2.

Ah-ha.  So I guess the situation properly is:

Not having heimdal installed from ports, the ones that look for gssapi libs use the base system, and the /usr/bin/krb5-config gssapi --libs includes -lhx509, which has unresolved MD2_* symbols.  The -L/usr/local/lib on the command line (presumably for other ports dependencies) makes the linker look in /usr/local/lib/libcrypto, which is there because of the openssl-1.0 port, and which doesn't have the MD2_ sybmols.  My two "fixes" both kind of work: removing the MD2 references from the base system's libhx509 make it compatible with the -lcrypto in ports; adding an explicit dependency on the base system's libcrypto also works, because that does have the MD2 references.  My 8-stable system presumably works because it doesn't have openssl-1.0 installed from ports.

So: how should I "fix" this, properly, on my -current system?  Is it as simple as installing heimdal from ports?  I can't remove openssl-1.0: that has 191 ports listed in its REQUIRED_BY file.

Should ports/security/heimdal be listed as a dependency of the ports that use GSSAPI?

Is it OK for the base system to *not* have an explicit dependency on libcrypto, even though there seems to be one, and adding such a dependency seems to "fix" this problem?



More information about the freebsd-current mailing list