[openssl-users] Migrating to openssl 1.1.1 in real life linux server

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 11 17:57:48 UTC 2018


On Tue, Sep 11, 2018 at 01:47:18PM -0400, Dennis Clarke wrote:

> >    --- Configurations/10-main.conf
> >    +++ Configurations/10-main.conf
> >   
> >    +    "BSD-x86_64-opt" => {
> >    +        inherit_from     => [ "BSD-x86_64" ],
> >    +        shlib_variant   => "-opt",
> >    +    },
> >    +
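Review bot: the hunk carries only the `---`/`+++` file headers and `+` lines, with no `@@` line-range header and no unchanged context, so it cannot be applied with patch(1) or git apply as quoted; add the `@@ -N,M +N,M @@` header and a few context lines (the preceding "BSD-x86_64" stanza that the new target inherits from would be the natural anchor) so readers can see where in Configurations/10-main.conf the "BSD-x86_64-opt" entry goes. Minor style point: the `=>` after `shlib_variant` is aligned two columns short of the one after `inherit_from`; pad it to match.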

I guess this is a thread about Linux, and I gave a BSD example, but
there are no substantive differences.

> It sounds like a downstream ELF header nightmare.

Actually, it works just fine.  You link with the variant library,
and it happily coexists with any dependencies you may have that in
turn depend on the system TLS library.  The variant SONAME and
symbol versions provide all the requisite isolation.  You only
pay the cost of customization for the handful of packages you
want to have running against the non-default libraries.

This has been running in production on thousands of servers for
multiple years on Ubuntu (karmic, since retired), Debian wheezy,
jessie and stretch.

Otherwise, you have to be sure to recompile the world, to avoid
dependency conflicts where some system library uses TLS, say for
LDAP lookups via an nsswitch module, and crashes because it wants
a different OpenSSL version.

-- 
	Viktor.
