I'm trying to compile some script that fetches some "https" urls, and Nim told me to use the `-d:ssl` switch.
But when I use that switch the compiler fails with the error `could not import: X509_check_host`.
I found some info about this error, but it's still unclear what to do, as my openssl seems to be relatively fresh, openssl@1.1 (installed on mac with brew).
It fails with both nim 1.4.2 and 1.4.6.
```
nim -v
Nim Compiler Version 1.4.6 [MacOSX: amd64]
Compiled at 2021-05-06
Copyright (c) 2006-2020 by Andreas Rumpf
active boot switches: -d:release
```
Other languages are able to use https, not sure if they use openssl or something else though.
I thought that particular function was present in libressl (which I'm afraid you will be using even if you've installed openssl, due to the current way openssl searches). At least, it is in v46/48, but you may have an older version kicking around.
Could you please show the result of `find /usr/lib -name 'libssl*'` and `find /usr/lib -name 'libcrypto*'` to help with fixing these issues moving forward?
Due to a bug in Nim's openssl it will default to the oldest version of libre it can find on osx.
To fix your issue for now, I believe `--passl:-Wl,-rpath,/usr/local/opt/openssl/lib` should work to let it find your installed openssl 1.1.
Thank you for the quick reply! Your suggestion to use explicit paths fixed the problem, it works! Also, seems like the paths are correct, as it works with both:
```
--passl:-Wl,-rpath,/usr/local/opt/openssl/lib
--passl:-Wl,-rpath,/usr/local/opt/openssl@1.1/lib
```
The output of other commands you've asked:
```
find /usr/lib -name 'libssl*'
/usr/lib/libssl.0.9.7.dylib
/usr/lib/libssl.0.9.8.dylib
/usr/lib/libssl.35.dylib
/usr/lib/libssl.39.dylib
/usr/lib/libssl.dylib
/usr/lib/pkgconfig/libssl.pc
```
and
```
find /usr/lib -name 'libcrypto*'
/usr/lib/libcrypto.0.9.7.dylib
/usr/lib/libcrypto.0.9.8.dylib
/usr/lib/libcrypto.35.dylib
/usr/lib/libcrypto.38.dylib
/usr/lib/libcrypto.dylib
/usr/lib/pkgconfig/libcrypto.pc
```
and
```nim
import openssl, strutils
echo getOpenSSLVersion().toHex()
# => 0000000020000000
```
and
```
ls /usr/local/opt/openssl@1.1
AUTHORS LICENSE bin share
CHANGES NEWS include
INSTALL_RECEIPT.json README lib
```
Yes, so by default Nim was using those .38/.39 dylibs, and `X509_check_host` was added in .41/.43 (aka 2.5.1).
The 0x2000000 sslVersion means that snippet loaded libressl. Unfortunately it doesn't distinguish between libressl versions; some way of doing that needs to be added to openssl, clearly.
Finally, since those paths existed, that `export DYLD_LIBRARY_PATH="/usr/local/opt/openssl@1.1/lib"` should work, but it needs to be exported in the environment of the running binary; it has no effect at compile time. That means every time a new shell is opened, or in a .profile or .zshrc or something. Not a great solution.
The rpath solution is not super portable either; not everyone uses homebrew.
I think moving net to a compiled-in rather than dynamically linked solution like https://nimble.directory/pkg/bearssl is going to have to be the long term solution, the challenge is to transition without breaking anything in the process.
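
The diagnosis in this thread (which libcrypto is actually loaded, and whether it exports `X509_check_host`) can be checked directly. The following is an added example, not code from the thread or from Nim: it probes candidate libraries with Python's `ctypes`, and it reads the version string as well as the version number, since the string names the LibreSSL release even though the number is the same for every one. The Homebrew file name `libcrypto.dylib` under `/usr/local/opt/openssl/lib` and the function names `probe`, `is_libressl` and `first_usable` are assumptions made for the example.

```python
import ctypes

# LibreSSL reports this fixed value as its OpenSSL version number.
LIBRESSL_VERSION_NUM = 0x20000000


def _call_first(lib, names, restype, *args):
    """Call the first function in `names` that the library exports."""
    for name in names:
        fn = getattr(lib, name, None)  # AttributeError -> None if not exported
        if fn is not None:
            fn.restype = restype
            return fn(*args)
    return None


def probe(path):
    """Load one libcrypto and report its version and X509_check_host support."""
    info = {"path": path, "loadable": False, "version_num": None,
            "version_text": None, "has_check_host": False}
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return info
    info["loadable"] = True
    # OpenSSL 1.1+ exports OpenSSL_version*; older OpenSSL and LibreSSL export SSLeay*.
    info["version_num"] = _call_first(
        lib, ("OpenSSL_version_num", "SSLeay"), ctypes.c_ulong)
    text = _call_first(
        lib, ("OpenSSL_version", "SSLeay_version"), ctypes.c_char_p, 0)
    info["version_text"] = text.decode() if text else None
    info["has_check_host"] = hasattr(lib, "X509_check_host")
    return info


def is_libressl(info):
    return info["version_num"] == LIBRESSL_VERSION_NUM


def first_usable(paths):
    """Return the first candidate that exports X509_check_host, else None."""
    for path in paths:
        if probe(path)["has_check_host"]:
            return path
    return None


if __name__ == "__main__":
    # System paths are from the thread; the Homebrew file name is an assumption.
    candidates = ["/usr/lib/libcrypto.35.dylib", "/usr/lib/libcrypto.38.dylib",
                  "/usr/local/opt/openssl/lib/libcrypto.dylib"]
    for candidate in candidates:
        print(probe(candidate))
    print("first usable:", first_usable(candidates))
```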