MbedTLS linking issues with HashLink binaries on Linux

[tobil4sk]

Since the binaries are currently compiled on Ubuntu 18.04 which has mbedtls 2.8.0, ssl.hdll is linked to libmbedtls.so.10. Ubuntu 20.04 has libmbedtls.so.12, and Ubuntu 22.04 has libmbedtls.so.14, which is the current version for MbedTLS 2. This means that if hashlink continues to link mbedtls dynamically, the binaries cannot work on all versions of Linux at once. Even MbedTLS 3 seems to change the .so name with every minor release: https://abi-laboratory.pro/?view=timeline&l=mbedtls

We could start linking mbedtls statically, but that means the mbedtls version will be stuck at whatever hashlink was compiled with, which is a security concern.

This is possibly the root cause of issues like #590.

[ncannasse]

Should we not link to libmbedtls.so directly ? It should be backward and forward compatible. Unless it's not? Le mar. 21 mars 2023 à 21:03, tobil4sk ***@***.***> a écrit :

…

Since the binaries are currently compiled on Ubuntu 18.04 which has mbedtls 2.8.0, ssl.hdll is linked to libmbedtls.so.10. Ubuntu 20.04 has libmbedtls.so.12, and Ubuntu 22.04 has libmbedtls.so.14, which is the current version for MbedTLS 2. This means that if hashlink continues to link mbedtls dynamically, the binaries cannot work on all versions of Linux at once. Even MbedTLS 3 seems to change the .so name with every minor release: https://abi-laboratory.pro/?view=timeline&l=mbedtls We could start linking mbedtls statically, but that means the mbedtls version will be stuck at whatever hashlink was compiled with, which is a security concern. This is possibly the root cause of issues like #590 <#590>. — Reply to this email directly, view it on GitHub <#595>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHZXQDDYVGS6L45GYWU27TW5ICPNANCNFSM6AAAAAAWC5QFQE> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[tobil4sk]

Every time the .so.x number changes, it signifies that the abi compatibility has been broken. This prevents old binaries from trying to load the new incompatible library. MbedTLS seems to break compatibility very often (or at least, they change the .so number very often).

https://unix.stackexchange.com/questions/475/how-do-so-shared-object-numbers-work