[openssl-users] Migrating to openssl 1.1.1 in real life linux server

Kurt Roeckx kurt at roeckx.be
Tue Sep 11 18:10:01 UTC 2018


On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> Hello,
> 
> What is the better way, for anyone running, for example, Apache or nginx on
> a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS
> 1.3?
> 
> Waiting for a package update to have openssl 1.1.1? Probably a lot of time
> 
> Recompile the openssl dynamic library and replace the system library? We must be
> sure we don't break the system
> 
> Recompile Apache or nginx with openssl statically linked? Probably complex

Note that you most likely need an update of both nginx/apache and
openssl.

I will very likely make 1.1.1 available in Debian backports. I hope that
the nginx maintainer will also make a version that works with 1.1.1.

But this is most likely going to take a while. We first want to make
things work properly in testing. In the meantime building things
yourself seems like the easiest solution. If using Debian you can
just take the versions of the packages currently in unstable and
build them on stable.


Kurt


