Error when compiling nginx from source using a custom version of OpenSSL.

September 2, 2015
Miscellaneous Nginx LEMP Security Ubuntu

My full question is detailed here.

In short, when I try to compile nginx to a custom (newer) version of OpenSSL than is installed on my server (Ubuntu), I get the error below:

relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC

Any ideas on how to solve this? I am not finding much on the interwebs already. Thanks.

2 comments
  • Hi, keep in mind that distros such as Ubuntu backport security fixes to packages like OpenSSL. That is, the version number doesn't change but security fixes are still applied as long as you're updating your server with the latest packages. So, if you had a specific OpenSSL feature you need from a newer version, you may need to upgrade. But if you're doing this because the old version number is bothering you, then I strongly recommend against it. If you stop using the secure and fully patched versions of OpenSSL provided by Ubuntu, then you'll need to start watching every time a new OpenSSL version is released and compiling it as well as recompiling any software that statically links to it. And in cases where there are major security events where distros such as Ubuntu get advanced knowledge and all coordinate releasing their fixes along with the announcement, you'll be behind while the rest of the world had instant access to the patched packages.

  • @jsamuel,

    Wow, first, was just exploring your service a bit. I will look into ServerPilot more. It looks like a great service.

    And, thanks. I was unaware of the fact that Ubuntu backported security fixes. Thanks for your articulate and detailed response. I am self-teaching server administration. So, thanks for educating me.

1 Answer

This question was answered by @jsamuel:

Hi, keep in mind that distros such as Ubuntu backport security fixes to packages like OpenSSL. That is, the version number doesn't change but security fixes are still applied as long as you're updating your server with the latest packages. So, if you had a specific OpenSSL feature you need from a newer version, you may need to upgrade. But if you're doing this because the old version number is bothering you, then I strongly recommend against it. If you stop using the secure and fully patched versions of OpenSSL provided by Ubuntu, then you'll need to start watching every time a new OpenSSL version is released and compiling it as well as recompiling any software that statically links to it. And in cases where there are major security events where distros such as Ubuntu get advanced knowledge and all coordinate releasing their fixes along with the announcement, you'll be behind while the rest of the world had instant access to the patched packages.
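One way to check the backporting described in the answer above, as an added example that is not part of the original thread: the function reads a Debian-format package changelog and reports the package version in which a given CVE fix first landed. The changelog text, version strings, maintainer and CVE ids in `sample_changelog` are constructed placeholders.

```shell
#!/bin/sh
# Added example. Real usage on Ubuntu (needs network access):
#   apt-get changelog openssl | cve_fixed_in <CVE id>
# then compare the result with: dpkg-query -W -f='${Version}\n' openssl

# Read a Debian-format changelog on stdin (newest entry first) and print the
# version of the oldest entry that mentions the CVE id given as $1, i.e. the
# upload where the backported fix first appeared. Exits 1 if never mentioned.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) suite; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        {
            # Compare whole tokens so an id ending in 0001 never matches 00010.
            n = split($0, tok, /[^A-Za-z0-9-]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == cve) found = ver
        }
        END { if (found == "") exit 1; print found }
    '
}

# Constructed sample changelog: every value below is a placeholder.
sample_changelog() {
    cat <<'EOF'
openssl (1.0.0-1example3) stable-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - debian/patches/CVE-0000-0010.patch: constructed fix
    - CVE-0000-0010

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

openssl (1.0.0-1example2) stable-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0001

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}
```

The upstream part of the version stays the same across both sample entries while the distro revision changes, which is how a backported fix shows up in a package version.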
