Fix bundled OpenSSL SONAME conflict with .NET HttpClient#225
Merged
MaxRev-Dev merged 2 commits intomainfrom Apr 11, 2026
Merged
Fix bundled OpenSSL SONAME conflict with .NET HttpClient#225MaxRev-Dev merged 2 commits intomainfrom
MaxRev-Dev merged 2 commits intomainfrom
Conversation
The bundled libssl.so.3.2.0 and libcrypto.so.3.2.0 had their files renamed but retained the internal SONAME of libssl.so.3/libcrypto.so.3. When GDAL loaded first, the dynamic linker registered the bundled libraries under the system SONAME, shadowing the system OpenSSL. Subsequent .NET HTTPS requests via HttpClient/SslStream would then use the bundled (older) OpenSSL instead of the system version, causing SSL_ERROR_SSL on systems with newer OpenSSL (e.g. Arch Linux with OpenSSL 3.6.1). Fix: patch the SONAME inside the bundled libraries to match their renamed filenames (libssl.so.3.2.0/libcrypto.so.3.2.0) so the dynamic linker no longer confuses them with the system libssl.so.3/libcrypto.so.3.
The old 7z2107-extra.7z (v21.07) was removed from the 7-Zip server, causing 404 errors in the Windows build. Update to 7z2501-extra.7z (v25.01).
This was referenced Apr 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #224 — Bundled
libssl.so.3.2.0/libcrypto.so.3.2.0shadow system OpenSSL, breaking .NETHttpClientHTTPS on Linux systems with newer OpenSSL (e.g. Arch Linux with OpenSSL 3.6.1).Root cause: The existing build patched NEEDED references and renamed files from
libssl.so.3→libssl.so.3.2.0, but the internal SONAME remainedlibssl.so.3. When GDAL loads first, the dynamic linker registers the bundled library under SONAMElibssl.so.3, shadowing the system OpenSSL. .NET then uses the bundled (older/incompatible) version for TLS, causingSSL_ERROR_SSLatInterop.OpenSsl.Decrypt.Fix: Add
patchelf --set-sonameto update the internal SONAME to match the renamed filename. After the fix:libssl.so.3.2.0— used exclusively by GDAL's libcurl, libpq, etc.libssl.so.3— used by .NET for HTTPSVerified via Docker container with
LD_DEBUG=libs:Both GDAL (210 drivers) and HTTPS (
HttpClient) work correctly after the fix.Test plan
readelf -dLD_DEBUGshows separate library loading after fixHttpClientHTTPS succeeds after fixcollect-deps-makefilechanges (requires CI)