[openssl-users] Deployment

Dean Warren Dean.Warren at scisys.co.uk
Mon Jul 16 09:31:31 UTC 2018


Yeah that does sounds scary.
I will look into vendors options.
Thanks
Dean Warren 

-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Kyle Hamilton
Sent: 16 July 2018 10:26
To: openssl-users <openssl-users at openssl.org>
Subject: Re: [openssl-users] Deployment

Generally, you *really* do not want to replace the vendor-provided version.  Vendors often alter things to be more compatible with their ABIs, which are the binary interfaces that other programs use to link to the vendor-provided libraries.

If you find you actually do want to, it's best to figure out how to get the source code of the vendor package you currently have installed, determine what patches were applied by the vendor, then apply those patches to the newer library version, and rebuild.  If you have a command that can build a system installation package from source code and maybe patches that you provide, that would be even better.  If you can do that, you can then install the new package you just compiled as an upgrade.

If you can't build a new system package, you have to figure out what files were installed by the vendor's openssl package, and back them up.  Then, you need to find the associated versions built by you, and place them by hand.

And if you can't get the source code to the system version, you're going to have to wing it.  On a machine that you can make mistakes on without inconveniencing other users, do the same thing as if you couldn't build a new system package.  Then, after placing everything, you would generally (on most Linuxes, depending how recent their ld.so package is) run 'ldconfig' to rebuild the symbolic links to what they should be.  But here's the scary part: you then need to shut the machine down, bring it back up, and attempt to connect to it via ssh or something.  You will need to test *every* package that you use that links to openssl, in case there were any ABI incompatibilities introduced by the vendor.
If there are any problems, you'll need to contact the vendor for an updated version.  This may require paying additional support fees.

Good luck!

-Kyle H

On Mon, Jul 16, 2018 at 1:36 AM, Dean Warren <Dean.Warren at scisys.co.uk> wrote:
> Built openssl 0.9.8za with no problems on SUSE Linux Enterprise Server.
>
> Just followed
> https://wiki.openssl.org/index.php/Compilation_and_Installation?
>
> Works a treat - thanks.
>
>
>
> However on sudo make install the new version doesn’t replace the 
> system installed version (obviously this may be different per system).
>
>
>
> How to make sudo make install overwrite my system version?
>
> Is this a parameter within ./Configure?
>
> And/or is it also OK to just replace original bins with symbolic links 
> to new built openssl binary and library (are there others?)?
>
>
>
> Thanks in advance
>
> Dean Warren
> Solutions Architect – Space Division
>
> SCISYS UK Limited
> T:  +44 (0)117 916 5182
> F:  +44 (0)117 916 5299
> E:  dean.warren at scisys.co.uk
> http://www.scisys.co.uk
>
>
>
>
>
> SCISYS UK Limited. Registered in England and Wales No. 4373530.
> Registered Office: Methuen Park, Chippenham, Wiltshire SN14 0GB, UK.
>
> Before printing, please think about the environment.
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list