Discussion:
Building win64 openssl static library with no-ssl3 option fails on 1.0.1j
Arthur Ramsey
2014-10-17 17:07:08 UTC
Permalink
Hello,

I want to disable SSLv3 for a tomcat / tcnative deployment on Windows.
Tomcat lacks the ability to disable SSLv3 while retaining TLSv1.1 and
TLSv1.2, so I'm attempting to disable SSLv3 at build time with no-ssl3.
This was successful on Linux, but not on Windows. I was able to build
on Windows with the following procedure.

1.
Install Strawbery perl
2.
Open Visual Studio x64 Cross Tools Command prompt

%comspec% /k "C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" x86_amd64

3.
Change to the directory containing openssl sources

cd C:\openssl-1.0.1j

4.
Configure the openssl build

perl Configure VC-WIN64A no-ssl2

5.
Prepare the target environment

ms\do_win64a

6.
Clean up previous compliation

nmake -f ms\nt.mak clean

7.
Build

nmake -f ms\nt.mak

8.
Test the build

nmake -f ms\nt.mak test

Once I add the no-ssl3 option, compilation of the 64-bit static library
fails with the following.

Building OpenSSL
lib /nologo /out:out32\ssleay32.lib @C:\Users\arthurr\AppData\Local\Temp\nm96B5.tmp
link /nologo /subsystem:console /opt:ref /debug /out:out32\constant_time_test.exe @C:\Users\arthurr\AppData\Local\Temp\nm96D5.tmp
LINK : fatal error LNK1181: cannot open input file 'out32\ssleay32.lib'
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\x86_amd64\link.EXE"' : return code '0x49d'
Stop.

I see there was a fix for no-ssl3 in 1.0.1j, but it may still be an
issue with Windows builds? The error isn't descriptive, but perhaps a
openssl-dev could try reproducing the issue. I feel pretty confident
this a issue with the build scripts for Windows. I initially tried the
openssl-users list, but didn't get any responses.
--
Arthur Ramsey
Systems Administrator
Mediture
***@mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer ***@mediture.com.
Tim Hudson
2014-10-20 00:56:15 UTC
Permalink
Post by Arthur Ramsey
Hello,
I want to disable SSLv3 for a tomcat / tcnative deployment on
Windows. Tomcat lacks the ability to disable SSLv3 while retaining
TLSv1.1 and TLSv1.2, so I'm attempting to disable SSLv3 at build time
with no-ssl3. This was successful on Linux, but not on Windows. I
was able to build on Windows with the following procedure.
1.
Install Strawbery perl
2.
Open Visual Studio x64 Cross Tools Command prompt
%comspec% /k "C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" x86_amd64
3.
Change to the directory containing openssl sources
cd C:\openssl-1.0.1j
4.
Configure the openssl build
perl Configure VC-WIN64A no-ssl2
5.
Prepare the target environment
ms\do_win64a
6.
Clean up previous compliation
nmake -f ms\nt.mak clean
7.
Build
nmake -f ms\nt.mak
8.
Test the build
nmake -f ms\nt.mak test
Once I add the no-ssl3 option, compilation of the 64-bit static
library fails with the following.
Building OpenSSL
LINK : fatal error LNK1181: cannot open input file 'out32\ssleay32.lib'
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\x86_amd64\link.EXE"' : return code '0x49d'
Stop.
I see there was a fix for no-ssl3 in 1.0.1j, but it may still be an
issue with Windows builds? The error isn't descriptive, but perhaps a
openssl-dev could try reproducing the issue. I feel pretty confident
this a issue with the build scripts for Windows. I initially tried
the openssl-users list, but didn't get any responses.
Thanks for the detailed bug report!
Applying this temporary patch to util/mk1mf.pl will resolve this issue.

Tim.

diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index f0c2df0..4d2bbb2 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -671,11 +671,11 @@ foreach (values %lib_nam)
$lib_obj=$lib_obj{$_};
local($slib)=$shlib;

- if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
- {
- $rules.="\$(O_SSL):\n\n";
- next;
- }
+# if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
+# {
+# $rules.="\$(O_SSL):\n\n";
+# next;
+# }

$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
$lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:"
\$(LIB_CFLAGS)";



______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Arthur Ramsey
2014-10-20 03:56:11 UTC
Permalink
Tim,

That patch worked. I also created a ticket, #3573, which I believe can
be closed.

Thanks,
Arthur
Post by Tim Hudson
Post by Arthur Ramsey
Hello,
I want to disable SSLv3 for a tomcat / tcnative deployment on
Windows. Tomcat lacks the ability to disable SSLv3 while retaining
TLSv1.1 and TLSv1.2, so I'm attempting to disable SSLv3 at build time
with no-ssl3. This was successful on Linux, but not on Windows. I
was able to build on Windows with the following procedure.
1.
Install Strawbery perl
2.
Open Visual Studio x64 Cross Tools Command prompt
%comspec% /k "C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" x86_amd64
3.
Change to the directory containing openssl sources
cd C:\openssl-1.0.1j
4.
Configure the openssl build
perl Configure VC-WIN64A no-ssl2
5.
Prepare the target environment
ms\do_win64a
6.
Clean up previous compliation
nmake -f ms\nt.mak clean
7.
Build
nmake -f ms\nt.mak
8.
Test the build
nmake -f ms\nt.mak test
Once I add the no-ssl3 option, compilation of the 64-bit static
library fails with the following.
Building OpenSSL
LINK : fatal error LNK1181: cannot open input file 'out32\ssleay32.lib'
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\x86_amd64\link.EXE"' : return code '0x49d'
Stop.
I see there was a fix for no-ssl3 in 1.0.1j, but it may still be an
issue with Windows builds? The error isn't descriptive, but perhaps a
openssl-dev could try reproducing the issue. I feel pretty confident
this a issue with the build scripts for Windows. I initially tried
the openssl-users list, but didn't get any responses.
Thanks for the detailed bug report!
Applying this temporary patch to util/mk1mf.pl will resolve this issue.
Tim.
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index f0c2df0..4d2bbb2 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -671,11 +671,11 @@ foreach (values %lib_nam)
$lib_obj=$lib_obj{$_};
local($slib)=$shlib;
- if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
- {
- $rules.="\$(O_SSL):\n\n";
- next;
- }
+# if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
+# {
+# $rules.="\$(O_SSL):\n\n";
+# next;
+# }
$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
$lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:"
\$(LIB_CFLAGS)";
______________________________________________________________________
OpenSSL Project http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Loading...