Building ruby with rbenv and ruby-build fails with undefined symbol: SSLv2_method
When I run rbenv install 2.2.4 or rbenv install 2.3.0 in both cases the build fails with the error message
"undefined symbol: SSLv2_method"
...What could cause these issues ...
The SSLv2 gear was completely removed from OpenSSL in March due to CVE-2016-0800 (DROWN Attack).
I think the complete removal was a bit harsh because of the effects like you are experiencing. There should have been a warning and transition period. And it should have occurred 10 years ago or so.
Instead of complete removal due to DROWN, I think SSLv2_method, SSLv2_client_method and SSLv2_server_method should have set an appropriate error code like ERR_R_REMOVED_INSECURE and returned NULL. <openssl/opensslconf.h> should have unconditionally set OPENSSL_NO_SSL2 also.
OpenSSL realized they broke ABI compatibility and added the symbols back to 1.0.2 with Commit 133138569f37d149. The check-in provided the symbols SSLv2_method, SSLv2_client_method and SSLv2_server_method again, but they return NULL without setting an error code. They also do not define OPENSSL_NO_SSL2. Also see [openssl.org #4398] BUG / 1.0.2g breaks CURL extension.
SSLv2 has been insecure for 15 or 20 years. Packages like Ruby should not have been referencing the symbols. You should file a security bug report against Ruby for referencing the symbol.
... and how could I resolve them?
To fix the issue, I believe you need to either (1) wait for OpenSSL 1.0.2h, (2) manually patch OpenSSL 1.0.2g, or (3) remove all Ruby references to SSLv2_method, SSLv2_client_method and SSLv2_server_method.
Here's the patch you need for (2), manually patch OpenSSL 1.0.2g:
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index b312f17..d46e2f5 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
ssl2_accept, ssl2_connect, ssl2_get_method)
#else /* !OPENSSL_NO_SSL2 */
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
+SSL_METHOD *SSLv2_method(void) { return NULL; }
+SSL_METHOD *SSLv2_client_method(void) { return NULL; }
+SSL_METHOD *SSLv2_server_method(void) { return NULL; }
#endif
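Review bot: The three stubs added in the #else branch return NULL without recording any error, so a caller that does not check the return value gets no indication that SSLv2 was removed and will fail somewhere later with an unrelated-looking message. Consider pushing an error onto the error queue before each return, or at minimum add a comment above the stubs stating that they exist only to keep the symbols exported and that callers must NULL-check the result. The hunk also drops the PEDANTIC dummy; that is fine since the file is no longer empty in this branch, but a one-line comment saying so would save the next reader the question.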
You should also configure and compile OpenSSL with at least no-ssl2 no-ssl3 no-comp flags because they are known security problems. The configure options define OPENSSL_NO_SSL2, OPENSSL_NO_SSL3 and OPENSSL_NO_COMP in <openssl/opensslconf.h>.
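One way to confirm that a build was really configured with no-ssl2 no-ssl3 no-comp is to check the generated opensslconf.h for the three macros named above. This is an added example, not part of the original answer or of OpenSSL; the function names and the two sample headers are constructed for illustration, and it assumes the header uses "# define NAME" lines.

```sh
#!/bin/sh
# Added example: report which hardening macros an opensslconf.h defines.
# Assumption: macros appear as "#define NAME" or "# define NAME" lines.

# Print each of the three macros that the header does NOT define.
missing_hardening_macros() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    for macro in OPENSSL_NO_SSL2 OPENSSL_NO_SSL3 OPENSSL_NO_COMP; do
        # Match the macro as a whole token, so OPENSSL_NO_SSL3 is not
        # satisfied by a longer name such as OPENSSL_NO_SSL3_METHOD.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$conf"; then
            echo "$macro"
        fi
    done
    return 0
}

# Exit 0 only when all three macros are defined; 2 if the file is unreadable.
is_hardened() {
    out=$(missing_hardening_macros "$1") || return 2
    [ -z "$out" ]
}

# Constructed sample headers (not taken from a real build).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/default.h" <<'EOF'
#ifndef OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_SSL3_METHOD
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
EOF
cat > "$SAMPLE_DIR/hardened.h" <<'EOF'
# define OPENSSL_NO_COMP
# define OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL3
EOF

for h in "$SAMPLE_DIR"/*.h; do
    echo "$(basename "$h"): missing: $(missing_hardening_macros "$h" | tr '\n' ' ')"
done
```

Point is_hardened at the opensslconf.h under the include directory of the OpenSSL build that Ruby will link against.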
undefined symbol: SSLv2_method when running bundle install
I did the following and it fixed the issue:
$ source ~/.rvm/scripts/rvm
$ rvm pkg install zlib
$ rvm pkg install openssl
$ sudo apt-get install libreadline-dev
$ rvm pkg install readline
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr
$ gem install rails
rbenv/ruby-build and shared libraries (libruby.so)
When compiling Ruby from source, you need to set --enable-shared to build shared libraries. With Rbenv, you can try to set this in RUBY_CONFIGURE_OPTS before installing Ruby:
export RUBY_CONFIGURE_OPTS="--enable-shared"
rbenv install 2.1.2
Or alternatively:
RUBY_CONFIGURE_OPTS="--enable-shared" rbenv install 2.1.2