[openssl-users] Migrating to openssl 1.1.1 in real life linux server

Dennis Clarke dclarke at blastwave.org
Tue Sep 11 17:47:18 UTC 2018


On 09/11/2018 01:09 PM, Viktor Dukhovni wrote:
> 
> 
>> On Sep 11, 2018, at 10:59 AM, Juan Isoza <jisoza at gmail.com> wrote:
>>
>> What is the better way, for anyone running, for example, Apache or nginx on a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS 1.3?
>>
>> Waiting for a package update to have openssl 1.1.1? Probably a lot of time
>>

Roll your own.  It works.  Really really well in fact.

>> Recompile the openssl dynamic library and replace the system library? We must be sure we don't break the system

Don't do that.  That path leads to madness.

>>
>> Recompile Apache or NGinx with openssl statically linked ? probably complex
> 
> You can install OpenSSL 1.1.1 in a non-default location, say:
> 
> 	./Configure --prefix=/usr/local/opt/openssl/1.1.1 BSD-x86_64-opt shared
> 
> with the "BSD-x86_64-opt" target inheriting from "BSD-x86_64":
> 
>    --- Configurations/10-main.conf
>    +++ Configurations/10-main.conf
>   
>    +    "BSD-x86_64-opt" => {
>    +        inherit_from     => [ "BSD-x86_64" ],
>    +        shlib_variant   => "-opt",
>    +    },
>    +
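Review bot: the fragment has no `@@` hunk header and no context lines after the `---`/`+++` file headers, so it cannot be applied with `patch` or `git apply` as quoted; either paste a proper hunk with the surrounding context (the existing `"BSD-x86_64" => {` entry it inherits from would anchor it) or say it is meant to be added to 10-main.conf by hand. Minor: the `=>` of `shlib_variant` (three spaces) is not aligned with `inherit_from` (five), and a one-line comment that the variant suffix ends up in the built library names, so they cannot collide with the system libssl/libcrypto, would help readers who have not seen Configurations/README.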
> 
<snip>
> Integrating this into "ports" is an exercise for the reader...
> 

It sounds like a downstream ELF header nightmare. Most likely better to
just isolate systems entirely and build the software stack dependencies
using standard locations and standard SONAME/RPATH/RUNPATH data. However
if someone wants to spin in tight circles battling lib resolution, well
gee, sounds like endless fun.  Not for me .. thanks.

Dennis
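The library-resolution trap both messages circle around (a binary linked against a private OpenSSL silently picking up the distribution's libssl/libcrypto at run time) is something you can check for rather than argue about. The script below is an added example for this thread, not code from the list, from OpenSSL or from any distribution; it reads `readelf -d` output for a binary and reports whether libssl/libcrypto are NEEDED and whether the RUNPATH/RPATH actually points into the private prefix. The prefix `/usr/local/opt/openssl/1.1.1` and the `-opt` variant suffix are taken from the Configure line quoted above and are assumptions here; the three `readelf -d` excerpts are constructed, not captured from real binaries.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from OpenSSL:
# after building OpenSSL 1.1.1 into a private prefix and linking Apache or
# nginx against it, check that the resulting binary will really load that
# copy and not the distribution's libssl/libcrypto.
#
# Assumptions (hypothetical, taken from the Configure line in the thread):
#   PREFIX  = /usr/local/opt/openssl/1.1.1  (libraries live in $PREFIX/lib)
#   variant = "-opt", i.e. the libraries are named libssl-opt.so.1.1 etc.
PREFIX=/usr/local/opt/openssl/1.1.1

# check_dynamic_section PREFIX
#   Reads `readelf -d <binary>` output on stdin and prints one verdict:
#     ok        libssl/libcrypto are NEEDED and RUNPATH/RPATH lists PREFIX/lib
#     shadowed  libssl/libcrypto are NEEDED but nothing points at PREFIX/lib,
#               so the loader falls back to ld.so.cache and the system copy
#     static    no libssl/libcrypto NEEDED at all (static link, or no OpenSSL)
#   The word "variant" is appended when the NEEDED names carry a shlib_variant
#   suffix (libssl-opt.so.1.1): such a name can never be satisfied by the
#   system libssl.so.1.1, so a bad search path fails loudly at start-up
#   instead of silently running on the wrong library.
#   Note: LD_LIBRARY_PATH is searched before RUNPATH, so this covers the
#   binary's own metadata, not the environment it is started from.
check_dynamic_section() {
    awk -v prefix="$1" '
        BEGIN { want = prefix "/lib" }
        /\(NEEDED\)/ {
            lib = $NF; gsub(/\[/, "", lib); gsub(/]/, "", lib)
            if (lib ~ /^lib(ssl|crypto)/) {
                needed++
                if (lib ~ /^lib(ssl|crypto)-[^.]+\.so/) variant++
            }
        }
        /\((RUNPATH|RPATH)\)/ {
            rp = $NF; gsub(/\[/, "", rp); gsub(/]/, "", rp)
            n = split(rp, dirs, ":")
            for (i = 1; i <= n; i++) if (dirs[i] == want) inprefix++
        }
        END {
            if (!needed)       verdict = "static"
            else if (inprefix) verdict = "ok"
            else               verdict = "shadowed"
            if (variant) verdict = verdict " variant"
            print verdict
        }'
}

# Constructed `readelf -d` excerpts (not captured from real binaries) that
# stand in for the three situations a practitioner runs into.
sample_private_build() {
cat <<'EOF'
Dynamic section at offset 0x2d98 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl-opt.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto-opt.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/local/opt/openssl/1.1.1/lib]
EOF
}

sample_system_fallback() {
cat <<'EOF'
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

sample_static_link() {
cat <<'EOF'
Dynamic section at offset 0x2d98 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# Stand-alone use: `sh check.sh /path/to/nginx` inspects a real binary;
# with no argument the constructed samples are classified instead.
if [ -n "$1" ]; then
    readelf -d "$1" | check_dynamic_section "$PREFIX"
else
    for s in sample_private_build sample_system_fallback sample_static_link; do
        printf '%-24s %s\n' "$s" "$("$s" | check_dynamic_section "$PREFIX")"
    done
fi
```

Run it against the web server binary (and, separately, against each of its loadable modules, since a module with its own NEEDED libssl.so.1.1 and no RUNPATH drags the system copy into the same process). A "shadowed" verdict after a build that was supposed to use the private prefix means the link step did not pass `-Wl,-rpath,$PREFIX/lib` (or the distribution's toolchain strips RPATH), which is exactly the SONAME/RPATH/RUNPATH mess described above.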
