[openssl-users] Migrating to openssl 1.1.1 in real life linux server

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 11 17:09:36 UTC 2018



> On Sep 11, 2018, at 10:59 AM, Juan Isoza <jisoza at gmail.com> wrote:
> 
> What is the better way, for anyone running, for example, Apache or nginx on a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS 1.3?
> 
> Waiting for a package update to get openssl 1.1.1? Probably a lot of time.
> 
> Recompile the openssl dynamic library and replace the system library? We must be sure we don't break the system.
> 
> Recompile Apache or Nginx with openssl statically linked? Probably complex.

You can install OpenSSL 1.1.1 in a non-default location, say:

	./Configure --prefix=/usr/local/opt/openssl/1.1.1 BSD-x86_64-opt shared

with the "BSD-x86_64-opt" target inheriting from "BSD-x86_64":

  --- Configurations/10-main.conf
  +++ Configurations/10-main.conf
 
  +    "BSD-x86_64-opt" => {
  +        inherit_from     => [ "BSD-x86_64" ],
  +        shlib_variant   => "-opt",
  +    },
  +
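Review bot: the hunk has no @@ header and no context lines, so the insertion point inside Configurations/10-main.conf is not visible; include the surrounding lines (the "BSD-x86_64" entry it inherits from is the natural neighbour) so the change can be applied as a patch. Since the question is about Ubuntu, Debian and Suse, a reader on those systems would inherit from the "linux-x86_64" target instead of "BSD-x86_64" while keeping the same `shlib_variant => "-opt"` line. Minor style point: `shlib_variant   =>` is aligned one column short of `inherit_from     =>`.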

but also specifying 'shlib_variant => "-opt"', see Configurations/README:

        shlib_variant   => A "variant" identifier inserted between the base
                           shared library name and the extension.  On "unixy"
                           platforms (BSD, Linux, Solaris, MacOS/X, ...) this
                           supports installation of custom OpenSSL libraries
                           that don't conflict with other builds of OpenSSL
                           installed on the system.  The variant identifier
                           becomes part of the SONAME of the library and also
                           any symbol versions (symbol versions are not used or
                           needed with MacOS/X).  For example, on a system
                           where a default build would normally create the SSL
                           shared library as 'libssl.so -> libssl.so.1.1' with
                           the value of the symlink as the SONAME, a target
                           definition that sets 'shlib_variant => "-abc"' will
                           create 'libssl.so -> libssl-abc.so.1.1', again with
                           an SONAME equal to the value of the symlink.  The
                           symbol versions associated with the variant library
                           would then be 'OPENSSL_ABC_<version>' rather than
                           the default 'OPENSSL_<version>'. The string inserted
                           into symbol versions is obtained by mapping all
                           letters in the "variant" identifier to upper case
                           and all non-alphanumeric characters to '_'.

The resulting libraries have a non-default SONAME:

  $ readelf -d *.so  | grep SONAME
   0x000000000000000e SONAME               Library soname: [libcrypto-opt.so.1.1]
   0x000000000000000e SONAME               Library soname: [libssl-opt.so.1.1]

And non-default symbol versions:

  $ objdump -T libssl.so | grep SSL_CTX_new
  00000000000338c0 g    DF .text  00000000000003b3  OPENSSL_OPT_1_1_0 SSL_CTX_new

  $ objdump -T libcrypto.so | grep X509_new
  00000000001d7be0 g    DF .text  0000000000000011  OPENSSL_OPT_1_1_0 X509_new

All that remains is to link Apache, Nginx, ... with these libraries instead:

	CFLAGS+="-I/usr/local/opt/openssl/1.1.1/include"
	LDFLAGS+="-L/usr/local/opt/openssl/1.1.1/lib -Wl,-rpath,/usr/local/opt/openssl/1.1.1/lib"

Integrating this into "ports" is an exercise for the reader...

-- 
	Viktor.
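The checks below are an added example, not part of Viktor's post and not OpenSSL's own tooling. They encode the naming rules quoted from Configurations/README (variant tag upper-cased, non-alphanumerics mapped to '_', SONAME of the form lib<name><variant>.so.<version>) and parse readelf/objdump output in the format shown above, so that after building a variant library you can confirm the SONAME and symbol versions came out as intended and that the server binary you linked actually depends on the variant libssl rather than the distribution's one. The sample readelf and objdump lines in the script are constructed from the output shown in the post; the `check_variant_build` function assumes binutils (readelf, objdump) on the PATH and a library directory laid out as the post's `--prefix` would produce.

```shell
#!/bin/sh
# Added example: verify a shlib_variant build of OpenSSL and the binaries
# linked against it. Assumes the naming rules from Configurations/README and
# the readelf/objdump output formats shown in the post.

# Constructed sample output (modelled on the post), used by demo_checks.
SAMPLE_READELF_LIB=' 0x000000000000000e SONAME               Library soname: [libssl-opt.so.1.1]'
SAMPLE_READELF_BIN=' 0x0000000000000001 (NEEDED)             Shared library: [libssl-opt.so.1.1]'
SAMPLE_OBJDUMP='00000000000338c0 g    DF .text  00000000000003b3  OPENSSL_OPT_1_1_0 SSL_CTX_new'

# Map a shlib_variant value to the tag spliced into symbol versions:
# letters upper-cased, every non-alphanumeric character replaced by '_'.
variant_tag() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9]/_/g'
}

# Expected symbol version: "-opt" with ABI version "1_1_0" gives
# OPENSSL_OPT_1_1_0; an empty variant gives the default OPENSSL_1_1_0.
expected_symver() {
    printf 'OPENSSL%s_%s\n' "$(variant_tag "$1")" "$2"
}

# Expected SONAME: "libssl" "-opt" "1.1" gives libssl-opt.so.1.1.
expected_soname() {
    printf '%s%s.so.%s\n' "$1" "$2" "$3"
}

# Read 'readelf -d' output on stdin and print the SONAME, if any.
soname_from_readelf() {
    sed -n 's/.*Library soname: \[\([^]]*\)\].*/\1/p'
}

# Read 'readelf -d' output on stdin and print each NEEDED library name.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p'
}

# Read 'objdump -T' output on stdin and print the version of one symbol;
# the version is the second-to-last field, the symbol name the last.
symbol_version_of() {
    awk -v sym="$1" '$NF == sym { print $(NF-1); exit }'
}

# Exercise the parsers on the constructed samples; returns 0 if all match.
demo_checks() {
    [ "$(printf '%s\n' "$SAMPLE_READELF_LIB" | soname_from_readelf)" = "$(expected_soname libssl -opt 1.1)" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_OBJDUMP" | symbol_version_of SSL_CTX_new)" = "$(expected_symver -opt 1_1_0)" ] || return 1
    printf '%s\n' "$SAMPLE_READELF_BIN" | needed_from_readelf | grep -qx 'libssl-opt.so.1.1' || return 1
    return 0
}

# Check real files: library directory, variant, ABI version (1_1_0),
# shared-library version (1.1) and an optional binary that must depend on
# the variant libssl. Returns 0 only if every check passes.
check_variant_build() {
    libdir=$1; variant=$2; symver=$3; sover=$4; binary=${5:-}
    status=0
    for base in libssl libcrypto; do
        lib="$libdir/$base$variant.so.$sover"
        want=$(expected_soname "$base" "$variant" "$sover")
        got=$(readelf -d "$lib" | soname_from_readelf)
        [ "$got" = "$want" ] || { echo "$lib: SONAME '$got', expected '$want'"; status=1; }
    done
    want=$(expected_symver "$variant" "$symver")
    got=$(objdump -T "$libdir/libssl$variant.so.$sover" | symbol_version_of SSL_CTX_new)
    [ "$got" = "$want" ] || { echo "SSL_CTX_new: version '$got', expected '$want'"; status=1; }
    if [ -n "$binary" ]; then
        # A binary whose NEEDED list still names the plain libssl.so.<ver>
        # would load the distribution's OpenSSL at run time.
        readelf -d "$binary" | needed_from_readelf | grep -qx "$(expected_soname libssl "$variant" "$sover")" \
            || { echo "$binary: no NEEDED entry for libssl$variant.so.$sover"; status=1; }
    fi
    return $status
}

# Usage against real files, e.g.:
#   sh variant-check.sh check /usr/local/opt/openssl/1.1.1/lib -opt 1_1_0 1.1 /usr/sbin/nginx
if [ "${1:-}" = "check" ]; then
    check_variant_build "$2" "$3" "$4" "$5" "${6:-}"
fi
```

The NEEDED check is the one worth keeping in a deployment script: the `-Wl,-rpath` flags in the post make the loader look in the variant directory first, but a build that silently dropped those flags would still link and run, loading the system's libssl.so.1.1 instead, and only the SONAME in the binary's NEEDED list shows which one it will pick.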
