problem loading shared lib pg_tde.so

On 5/6/24 04:05, Matthias Apitz wrote:

I have a problem while loading the pg_tde.so shared lib.

contrib/pg_tde was built with:

cd postgresql-16.2/contrib/pg_tde || exit
gmake clean
export LDFLAGS="-L/usr/local/sisis-pap/lib -L/usr/lib64"
export CFLAGS="-m64 -I/usr/local/sisis-pap/include"
export CPPFLAGS="-m64 -I/usr/local/sisis-pap/include"

./configure --prefix=/usr/local/sisis-pap/pgsql-16.2 \
--libdir=/usr/local/sisis-pap/pgsql-16.2/lib
--with-libcurl=/usr/local/sisis-pap/

gmake
gmake install

but the shared lib /usr/local/sisis-pap/pgsql-16.2/lib/pg_tde.so
can't be loaded on startup of the server:

024-05-06 11:18:45.967 CEST [15368] FATAL: could not load library "/usr/local/sisis-pap/pgsql-16.2/lib/pg_tde.so": /usr/lib64/libssh.so.4: undefined symbol: EVP_KDF_CTX_new_id, version OPENSSL_1_1_1d
2024-05-06 11:18:45.967 CEST [15368] LOG: database system is shut down

This is the OpenSSL version of SuSE Linux Enterprise 15 SP5:

# openssl version
OpenSSL 1.1.1l-fips 24 Aug 2021 SUSE release 150500.17.25.1

This is what we have compiled and PostgreSQL should use:

# export LD_LIBRARY_PATH=/usr/local/sisis-pap/lib
# /usr/local/sisis-pap/bin/openssl version
OpenSSL 1.1.1t 7 Feb 2023

I see three different versions of OpenSSL:

OPENSSL_1_1_1d -- From error messsage
OpenSSL 1.1.1l-fips -- SuSE 15 version
OpenSSL 1.1.1t -- Your built version?

Are you sure you pointing at the same version in all cases?

When I disable 'pg_tde' in data/postgresql.auto.conf the server
starts fine;

vim /data/postgresql162/data/postgresql.auto.conf
# disabled shared_preload_libraries = 'pg_tde'

# /etc/init.d/postgres162 start
starts fine

and the postgres proc is using our libssl.so.1.1

# lsof -p 17254 | egrep 'libssl'
postgres 17254 postgres mem REG 254,0 697248 1080241 /usr/local/sisis-pap/lib/libssl.so.1.1

# strings /usr/local/sisis-pap/lib/libssl.so.1.1 | grep EVP_KDF
(nix)

# strings /usr/lib64/libssh.so.4 | grep EVP_KDF
EVP_KDF_CTX_new_id
EVP_KDF_ctrl
EVP_KDF_CTX_free
EVP_KDF_derive

I have a complete different OpenSSL 3.0.x environment: all OpenSSL
consumers use /usr/local/sisis-pap.sp01/lib/libssl.so.3, also
PostgreSQL and pg_tde have been compiled against this; and this
runs fine with 'pg_tde'.

What the avove error means?

Thanks

matthias

--
Adrian Klaver
adrian.klaver@aklaver.com

On 5/6/24 07:42, Adrian Klaver wrote:

On 5/6/24 04:05, Matthias Apitz wrote:

I see three different versions of OpenSSL:

OPENSSL_1_1_1d      -- From error messsage
OpenSSL 1.1.1l-fips    -- SuSE 15 version
OpenSSL 1.1.1t            -- Your built version?

Are you sure you pointing at the same version in all cases?

Should have added what does the below return?:

ldd /usr/local/sisis-pap/pgsql-16.2/lib/pg_tde.so

    matthias

--
Adrian Klaver
adrian.klaver@aklaver.com

El día lunes, mayo 06, 2024 a las 07:45:52 -0700, Adrian Klaver escribió:

On 5/6/24 07:42, Adrian Klaver wrote:

On 5/6/24 04:05, Matthias Apitz wrote:

I see three different versions of OpenSSL:

OPENSSL_1_1_1d      -- From error messsage
OpenSSL 1.1.1l-fips    -- SuSE 15 version
OpenSSL 1.1.1t            -- Your built version?

Are you sure you pointing at the same version in all cases?

Yes, to my built version.

Should have added what does the below return?:

ldd /usr/local/sisis-pap/pgsql-16.2/lib/pg_tde.so

I added in the start script of the server the following line about ldd,
to get it exactly in the LD_LIBRARY_PATH of the server:

...
case $1 in
start)
echo -n "Starting PostgreSQL: "
test -e "$PG_OOM_ADJUST_FILE" && echo "$PG_MASTER_OOM_SCORE_ADJ" > "$PG_OOM_ADJUST_FILE"
su - $PGUSER -c "$LD_ENV $DAEMON_ENV env > /tmp/pg_tde.ldd"
su - $PGUSER -c "$LD_ENV $DAEMON_ENV ldd /usr/local/sisis-pap/pgsql-16.2/lib/pg_tde.so >> /tmp/pg_tde.ldd"
su - $PGUSER -c "$LD_ENV $DAEMON_ENV $DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
echo "ok"
;;
...

After looking carefully at the file /tmp/pg_tde.ldd I saw the problem:

# egrep 'LD_LIBRARY_PATH|libcurl' /tmp/pg_tde.ldd
LD_LIBRARY_PATH=:/usr/local/sisis-pap/lib
libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007fc830146000)

LD_LIBRARY_PATH was set as it should to /usr/local/sisis-pap/lib but the
libcurl.so.4 was not seen. I made curl by my own and this installed:

# ls -l /usr/local/sisis-pap/lib/libcurl*
-rw-r--r-- 1 bin bin 1315526 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.a
-rwxr-xr-x 1 bin bin 1004 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.la
-rwxr-xr-x 1 bin bin 735168 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.so.4.8.0

but the pg_tde.so was loocking for libcurl.so.4 and not for libcurl.so.4.8.0

I made a symlink as

# ln -s /usr/local/sisis-pap/lib/libcurl.so.4.8.0 /usr/local/sisis-pap/lib/libcurl.so.4

and the server comes up fine:

# /etc/init.d/postgres162 start
Starting PostgreSQL: ok

# grep curl /tmp/pg_tde.ldd
libcurl.so.4 => /usr/local/sisis-pap/lib/libcurl.so.4 (0x00007faefc8bd000)

I have to figure out why the making of 'curl' does not produce that
symlink by its own, or why the making of pg_tde.so let it ask for
libcurl.so.4 and not for libcurl.so.4.8.0.

Thanks for your help, Adrian.

matthias

--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

El día martes, mayo 07, 2024 a las 07:07:22 +0200, Matthias Apitz escribió:

# ls -l /usr/local/sisis-pap/lib/libcurl*
-rw-r--r-- 1 bin bin 1315526 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.a
-rwxr-xr-x 1 bin bin 1004 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.la
-rwxr-xr-x 1 bin bin 735168 May 6 10:29 /usr/local/sisis-pap/lib/libcurl.so.4.8.0

...

I have to figure out why the making of 'curl' does not produce that
symlink by its own, or why the making of pg_tde.so let it ask for
libcurl.so.4 and not for libcurl.so.4.8.0.

It was not the fault in making 'curl'. It was my fault in the shell
script which bundles PostgreSQL 16.2, pg_tde.so and libcurl together
for delivery to other hosts/customer which only picked up the 3 files
above and not also the symlinks.

We can now safely close this thread.

matthias

--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub