[openssl-users] Migrating to openssl 1.1.1 in real life linux server

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 11 18:35:54 UTC 2018


On Tue, Sep 11, 2018 at 02:28:12PM -0400, Dennis Clarke wrote:

> >> It sounds like a downstream ELF header nightmare.
> > 
> > Actually, it works just fine.  You link with the variant library,
> > and it happily coexists with any dependencies you may have that in
> > turn depend on the system TLS library.  The variant SONAME and
> > symbol versions provide all the requisite isolation.  You only
> > pay the cost of customization for the handful of packages you
> > want to have running against the non-default libraries.
> 
> Mildly interested in giving it a try.  However I have 1.1.1 running and
> tested fine on Solaris 10 sparc without any interference from the system
> provided ( Oracle? ) ssl bits. However I do have RUNPATH and RPATH set
> to /usr/local/lib for everything I have built.

One thing I've not tested is isolation from system SSL libraries
that don't employ symbol versions.  Debian has been doing symbol
versions for a long time, so I never needed to worry about that.
And OpenSSL 1.1.0 has symbol versions on most platforms.

I would assume that Solaris also has symbol versions for OpenSSL
1.0.x, but if it does not and that's the system's SSL library, then
the variant build might not happily coexist with indirect dependencies
in other shared libraries; I haven't tried that.  Regardless, you're
no worse off than with the default SONAME and symbol versions.

-- 
	Viktor.
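
Added example (not part of the original message): a way to check whether a given libssl carries a SONAME and symbol version definitions, the question the message leaves untested for Solaris. It assumes GNU binutils readelf output layout; the function names are hypothetical, and the sample text is constructed using the stock OpenSSL 1.1 SONAME and version names rather than a variant build's.

```shell
#!/bin/sh
# Added example: assumes GNU binutils `readelf` output layout.

# Print the DT_SONAME value from `readelf -d` text on stdin.
soname_of() { sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p'; }

# Print version names defined by the library (.gnu.version_d) from
# `readelf -V` text on stdin; the BASE entry only repeats the file name.
# Versions the library merely *needs* from others (.gnu.version_r) are ignored.
verdefs_of() {
    awk '/^Version definition section/ { d = 1; next }
         /^Version (needs|symbols) section/ { d = 0 }
         d && /Name:/ && !/Flags: BASE/ { print $NF }'
}

# classify DYN_TEXT VER_TEXT -> one summary line
classify() {
    so=$(printf '%s\n' "$1" | soname_of)
    defs=$(printf '%s\n' "$2" | verdefs_of | tr '\n' ' ')
    if [ -n "$defs" ]; then
        echo "versioned soname=${so:-none} defs=${defs% }"
    else
        echo "unversioned soname=${so:-none}"
    fi
}

# Real use: check_lib /path/to/libssl.so
check_lib() { classify "$(readelf -d "$1")" "$(readelf -V "$1")"; }

# Constructed sample output (not captured from a real system).
SAMPLE_DYN_V=' 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.1.1]
 0x000000000000000e (SONAME)   Library soname: [libssl.so.1.1]'
SAMPLE_VER_V="Version definition section '.gnu.version_d' contains 3 entries:
  000000: Rev: 1  Flags: BASE  Index: 1  Cnt: 1  Name: libssl.so.1.1
  0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: OPENSSL_1_1_0
  0x0038: Rev: 1  Flags: none  Index: 3  Cnt: 2  Name: OPENSSL_1_1_1
  0x0054: Parent 1: OPENSSL_1_1_0
Version needs section '.gnu.version_r' contains 1 entry:
  000000: Version: 1  File: libc.so.6  Cnt: 1
  0x0010:   Name: GLIBC_2.2.5  Flags: none  Version: 4"
SAMPLE_DYN_U=' 0x000000000000000e (SONAME)   Library soname: [libssl.so.1.0.0]'
SAMPLE_VER_U='No version information found in this file.'

classify "$SAMPLE_DYN_V" "$SAMPLE_VER_V"
classify "$SAMPLE_DYN_U" "$SAMPLE_VER_U"
```

An "unversioned" result for the system library is the case the message flags as untested for coexistence with a variant build.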

