
MbedTLS linking issues with HashLink binaries on Linux

Open tobil4sk opened this issue 2 years ago • 2 comments

Since the binaries are currently compiled on Ubuntu 18.04 which has mbedtls 2.8.0, ssl.hdll is linked to libmbedtls.so.10. Ubuntu 20.04 has libmbedtls.so.12, and Ubuntu 22.04 has libmbedtls.so.14, which is the current version for MbedTLS 2. This means that if hashlink continues to link mbedtls dynamically, the binaries cannot work on all versions of Linux at once. Even MbedTLS 3 seems to change the .so name with every minor release: https://abi-laboratory.pro/?view=timeline&l=mbedtls

We could start linking mbedtls statically, but that means the mbedtls version will be stuck at whatever hashlink was compiled with, which is a security concern.

This is possibly the root cause of issues like #590.

tobil4sk avatar Mar 21 '23 20:03 tobil4sk

Should we not link to libmbedtls.so directly? It should be backward and forward compatible. Unless it's not?

ncannasse avatar Mar 21 '23 20:03 ncannasse

Every time the .so.x number changes, it signifies that the ABI compatibility has been broken. This prevents old binaries from trying to load the new incompatible library. MbedTLS seems to break compatibility very often (or at least, they change the .so number very often).

https://unix.stackexchange.com/questions/475/how-do-so-shared-object-numbers-work

tobil4sk avatar Mar 21 '23 20:03 tobil4sk
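
The soname mismatch discussed in this thread can be checked mechanically. This is an added example, not part of the issue or the HashLink project: it compares the `NEEDED` entries reported by `readelf -d` against the names in `ldconfig -p`. The function names and both sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list the DT_NEEDED sonames of a binary that the loader cache
# cannot satisfy. The parsers work on text, so they can be tried offline on
# the constructed samples below.

# Constructed sample of `readelf -d ssl.hdll` on a build linked against mbedtls 2.8.0.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)   Shared library: [libmbedtls.so.10]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]'

# Constructed sample of `ldconfig -p` on a host that ships libmbedtls.so.12.
SAMPLE_LDCONFIG='    libmbedtls.so.12 (libc6,x86-64) => /lib/x86_64-linux-gnu/libmbedtls.so.12
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

# Read `readelf -d` output on stdin, print one soname per NEEDED entry.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Read `ldconfig -p` output on stdin, print the library names it knows.
cached_sonames() {
    awk '/=>/ { print $1 }' | sort -u
}

# missing_sonames <readelf-output> <ldconfig-output>
# Print every NEEDED soname with no exact match in the cache. The match is
# exact on purpose: libmbedtls.so.12 does not satisfy libmbedtls.so.10.
missing_sonames() {
    local cache lib
    cache=$(printf '%s\n' "$2" | cached_sonames)
    printf '%s\n' "$1" | needed_sonames | while read -r lib; do
        printf '%s\n' "$cache" | grep -qxF "$lib" || printf '%s\n' "$lib"
    done
}

# With a file argument, check a real binary against this host's cache.
# Libraries found only through RPATH or LD_LIBRARY_PATH are not in the cache
# and will be reported as missing.
if [ "$#" -gt 0 ]; then
    missing_sonames "$(readelf -d "$1")" "$(ldconfig -p)"
fi
```

Run against a statically linked build, the same check shows no mbedtls entry at all, which is why the bundled version then has to be tracked and rebuilt by hand.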