View Issue Details

ID: 0036484
Project: FPC
Category: Packages
View Status: public
Last Update: 2020-08-15 13:21
Reporter: Eric Heijnen
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: x86_64
OS: MacOS Catalina
Product Version: 3.3.1
Fixed in Version: 3.3.1
Summary: 0036484: MacOS: OpenSSL goes for unversioned .dylib before versioned
Description: When trying to load the unversioned libcrypto.dylib or libssl.dylib, MacOS will terminate the application with the error:
"Invalid dylib load. Clients should not load the unversioned libssl dylib as it does not have a stable ABI."
Steps To Reproduce: Use fphttpclient and get an https URL, or just do a dlopen('libssl.dylib')
Additional Information: You can prevent the application termination by loading a version-specific dylib, like "libssl.0.9.8.dylib"

This code before using the openssl library fixes it as well:
openssl.DLLVersions[1]:=openssl.DLLVersions[2];
Tags: No tags attached.
Fixed in Revision: 43798
FPCOldBugId:
FPCTarget: 3.2.0
Attached Files

Activities

Michael Van Canneyt

2019-12-27 12:04

administrator   ~0120084

Fixed by adding a
  DLLVersions[1]:=DLLVersions[2]
in loadlibraries under macos.

Please test and close if OK.

Trevor Roydhouse

2020-08-14 04:01

reporter   ~0124860

This fix breaks macOS's ability to connect to web sites using HTTPS with TLSv1.2 or TLSv1.3 protocols only.

The result of the fix is that while FPC 3.0.4 can connect to such sites successfully using the LibreSSL library (using the unversioned /usr/lib/libssl.dylib which is linked to /usr/lib/libssl.35.dylib -- there are also other LibreSSL library versions 43 and 44) FPC 3.2.0 (and trunk) fall back to using the OpenSSL library (specifically /usr/lib/openssl.0.9.8.dylib) which causes the failure.

Reverting the fix for this bug enables FPC 3.3.0 (and trunk) to use the LibreSSL library and connections are again successful.

For a full discussion of the issue, see https://forum.lazarus.freepascal.org/index.php/topic,50350.0.html, especially the last page.

Trevor Roydhouse

2020-08-14 04:59

reporter   ~0124861

Reverted fix tested working with FPC 3.2.0/3.3.1 on Mojave 10.14.6 and Catalina 10.15.6.

Trevor Roydhouse

2020-08-14 07:40

reporter   ~0124864

Reverted fix tested working with FPC 3.2.0/3.3.1 on Big Sur 11.0 Beta 4 (Intel version).

Trevor Roydhouse

2020-08-14 10:53

reporter   ~0124869

Suggest this change:

svn diff
Index: openssl.pas
===================================================================
--- openssl.pas (revision 45778)
+++ openssl.pas (working copy)
@@ -111,7 +111,7 @@
   { ADD NEW ONES WHEN THEY APPEAR!
     Always make .so/dylib first, then versions, in descending order!
     Add "." .before the version, first is always just "" }
- DLLVersions: array[1..19] of string = ('', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
+ DLLVersions: array[1..24] of string = ('', '.46', '.45', '.44', '.43', '.35', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
                                         '.1.0.2', '.1.0.1','.1.0.0','.0.9.8',
                                         '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
                                         '.0.9.3', '.0.9.2', '.0.9.1');
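
Review bot: The new '.46' to '.35' entries at the front of DLLVersions use LibreSSL library numbers, while the comment above the array still describes one list "in descending order" and does not say that two numbering schemes are now mixed. Please add a comment marking those five entries as LibreSSL and stating that they are meant to be tried before '.1.1', because with this ordering '.35' is tried ahead of '.1.1' on a host that has both. The bound is also hard-coded (array[1..24]) and the macOS workaround from note 0120084 copies DLLVersions[2] into slot 1, so slot 2 must stay the newest LibreSSL number; a comment at the array saying that index 2 is relied on would keep a later reorder from silently changing which library loads.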

which allows the original fix to work. It will then find the highest of /usr/lib/libssl.[35|43|44|45|46].dylib.

Trevor Roydhouse

2020-08-14 11:01

reporter   ~0124870

LibreSSL's libssl goes up to version 48 as far as I can tell. So need to add 47 and 48 to the array as well.

Michael Van Canneyt

2020-08-14 12:06

administrator   ~0124873

2 remarks:
* the .40 range is only for mac. It makes sense to split this in a separate array, it avoids unnecessary loads which are known to fail on other platforms.
* This bug report is closed, please create a different report.

Bi0T1N

2020-08-14 12:17

reporter   ~0124875

It's not correct that the .40 range is for mac only. It's the range used by LibreSSL and thus also present on my Debian VM.

Michael Van Canneyt

2020-08-14 12:19

administrator   ~0124876

I didn't know about LibreSSL. All the more reason to split it in 2 arrays.

Trevor Roydhouse

2020-08-15 13:21

reporter   ~0124898

Beware that older versions of macOS only include OpenSSL and not LibreSSL if you split the arrays.

Also note that while OpenSSL's libssl and libcrypto appear to always use the same version, LibreSSL does not necessarily (e.g. libssl.46.dylib is paired with libcrypto.44.dylib for LibreSSL v2.8.3), which also means that -- at least for macOS -- the array also needs .38, .41 and .42. I don't know about Linux or OpenBSD.

Here's macOS by version:

10.11
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35 and libcrypto.35

10.12
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35, libssh.39; libcrypto.35, libcrypto.38

10.13
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35, libssh.43; libcrypto.35, libcrypto.41

10.14
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35, libssh.43, libssl.44; libcrypto.35, libcrypto.41, libcrypto.42

10.15
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35, libssh.43, libssl.44, libssl.46; libcrypto.35, libcrypto.41, libcrypto.42, libcrypto.44

11.0 beta 4
- OpenSSL 0.9.7, 0.9.8
- LibreSSL libssh.35, libssh.43, libssl.44, libssl.46; libcrypto.35, libcrypto.41, libcrypto.42, libcrypto.44
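
The two points raised in the last notes (splitting the suffix list, and LibreSSL's libssl and libcrypto numbers not matching) can both be handled by probing matched pairs instead of one shared suffix list. The following is an added example, not code from openssl.pas or from anyone in this thread; TLibPair, Pairs, LibName and LoadTlsPair are hypothetical names, and every pair except .46/.44 is an assumption read off the per-release listing above.

```pascal
program PickTlsPair;
{$mode objfpc}{$H+}
uses dynlibs;

type
  TLibPair = record
    Ssl, Crypto: string;  // version suffixes, leading '.' included
  end;

const
  // Newest first; there is no '' entry, so the unversioned dylib is never tried.
  // Only .46/.44 is stated as a pair in the thread; the rest are assumed pairs.
  Pairs: array[1..5] of TLibPair = (
    (Ssl: '.46';    Crypto: '.44'),
    (Ssl: '.44';    Crypto: '.42'),
    (Ssl: '.43';    Crypto: '.41'),
    (Ssl: '.35';    Crypto: '.35'),
    (Ssl: '.0.9.8'; Crypto: '.0.9.8')  // OpenSSL: same number for both
  );

// macOS naming: the version sits before the extension (libssl.46.dylib).
function LibName(const Base, Suffix: string): string;
begin
  Result := Base + Suffix + '.' + SharedSuffix;
end;

// Loads the first pair for which BOTH libraries are present.
function LoadTlsPair(out SslH, CryptoH: TLibHandle; out Idx: Integer): Boolean;
var i: Integer;
begin
  Result := False; SslH := NilHandle; Idx := 0;
  for i := Low(Pairs) to High(Pairs) do
  begin
    CryptoH := LoadLibrary(LibName('libcrypto', Pairs[i].Crypto));
    if CryptoH = NilHandle then Continue;
    SslH := LoadLibrary(LibName('libssl', Pairs[i].Ssl));
    if SslH <> NilHandle then begin Idx := i; Exit(True); end;
    UnloadLibrary(CryptoH);  // half a pair is unusable, try the next one
  end;
  CryptoH := NilHandle;
end;

var S, C: TLibHandle; N: Integer;
begin
  if LoadTlsPair(S, C, N) then
    WriteLn('loaded libssl', Pairs[N].Ssl, ' + libcrypto', Pairs[N].Crypto)
  else
    WriteLn('no versioned libssl/libcrypto pair found');
end.
```

Keeping the OpenSSL 0.9.8 pair last preserves the fallback for older macOS releases that ship no LibreSSL, while hosts that have LibreSSL never reach it.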

Issue History

Date Modified Username Field Change
2019-12-27 11:48 Eric Heijnen New Issue
2019-12-27 12:04 Michael Van Canneyt Assigned To => Michael Van Canneyt
2019-12-27 12:04 Michael Van Canneyt Status new => resolved
2019-12-27 12:04 Michael Van Canneyt Resolution open => fixed
2019-12-27 12:04 Michael Van Canneyt Fixed in Version => 3.3.1
2019-12-27 12:04 Michael Van Canneyt Fixed in Revision => 43798
2019-12-27 12:04 Michael Van Canneyt FPCTarget => 3.2.0
2019-12-27 12:04 Michael Van Canneyt Note Added: 0120084
2020-08-14 04:01 Trevor Roydhouse Note Added: 0124860
2020-08-14 04:59 Trevor Roydhouse Note Added: 0124861
2020-08-14 07:40 Trevor Roydhouse Note Added: 0124864
2020-08-14 10:53 Trevor Roydhouse Note Added: 0124869
2020-08-14 11:01 Trevor Roydhouse Note Added: 0124870
2020-08-14 12:06 Michael Van Canneyt Note Added: 0124873
2020-08-14 12:17 Bi0T1N Note Added: 0124875
2020-08-14 12:19 Michael Van Canneyt Note Added: 0124876
2020-08-15 13:21 Trevor Roydhouse Note Added: 0124898