OpenSSL compliance with Linux distributions

Dan Kegel dank at kegel.com
Fri Aug 7 16:33:45 UTC 2020


Suggestion: get the source for the exact same version of openssl your
system uses, and rebuild it with sslv2 disabled.

e.g.

sudo apt install build-essential devscripts
sudo apt build-dep openssl
mkdir tmp
cd tmp
apt source openssl
cd openssl-*
gedit debian/rules     # see below
debuild -b -uc -us
cd ..
sudo apt install *.deb

While editing debian/rules in gedit, change the line

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms

to add the no-ssl2 argument, or something like that.  See
https://wiki.openssl.org/index.php/Compilation_and_Installation

But be careful!  You probably want to have the original system .deb files
for its openssl in an origopenssl dir
so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when this
breaks.

- Dan


On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.mooc at gmail.com> wrote:

> Thank you very much Kyle for your quick and clear answer.
>
> The reason why I want to upgrade OpenSSL version, is that I encounter a
> problem with 1 frame exchange between client and server.
>
> This frame is the first packet sent from client to server (Client Hello
> Packet) and the protocol used for this packet is SSLv2.
> I don't understand why, because I force the use of TLSv1 (in ssl.conf file
> as in application software), but only for this first exchange packet, SSLv2
> is used. All other packets are correctly using TLSv10 as configured.
>
> I have also searched for forcing the use of TLSv10 ciphers in OpenSSL
> configuration and in application software, but I didn't succeed doing so.
>
> That's why I had the idea of upgrading OpenSSL version to avoid the use of
> SSLv2 protocol.
>
>
> Thus, if you have any idea of how to solve my problem without upgrading
> OpenSSL version or Linux distribution, it would be very nice.
>
>
> Thank you in advance for your answer.
>
> Best Regards,
>
>
> On 05/08/2020 at 22:10, Kyle Hamilton wrote:
>
> It is never recommended to upgrade your distribution's version of OpenSSL
> with one you compile yourself.  Doing so will often break all software
> installed by the distribution that uses it.
>
> If you need functionality from newer versions of OpenSSL, your options are
> to upgrade your OS version, or to install a local copy of OpenSSL and
> manually compile and link local copies of the applications that need the
> newer functionality.
>
> (Newer versions of OpenSSL do not maintain the same Application Binary
> Interface (ABI), which means that binaries compiled against older versions
> will not correctly operate or dynamically link against newer libraries.
> Also, distributions such as Debian can modify the ABI in such a way that
> nothing distributed directly by openssl.org can be compiled to meet it
> without source code modification.)
>
> -Kyle H
>
> On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.mooc at gmail.com> wrote:
>
>> Hello,
>>
>> I'm using an old version of OpenSSL (0.9.8g) on an old Linux Debian
>> distribution (Lenny).
>>
>> Is it possible to upgrade OpenSSL version without upgrading Linux Debian
>> distribution?
>> If yes, up to which version of OpenSSL ?
>>
>> Are all versions of OpenSSL compliant with all Linux Debian distributions?
>>
>>
>> Thank you in advance for your answer.
>>
>> Best Regards,
>>
>>
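Dan's rebuild recipe above, turned into a few reusable shell helpers as an added example (this is not code from the thread, from Debian or from the OpenSSL project). It patches the CONFARGS assignment in debian/rules to add no-ssl2 (handling a backslash-continued line, which the mail-wrapped quote does not show), keeps a copy of the currently installed openssl/libssl .deb files for the rollback Dan warns you will want, and afterwards counts how many SSLv2 ciphers the rebuilt `openssl ciphers -v` still lists, which is the practical check that the rebuild actually removed the protocol. Assumed: a Debian source tree whose debian/rules carries a `CONFARGS = ...` line as quoted in the thread, package files named `openssl_*.deb` and `libssl*.deb` in the directory you point the backup at (e.g. /var/cache/apt/archives), and `ciphers -v` output whose second column is the protocol; the SAMPLE_CIPHERS text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the openssl-users thread.
# Helpers for "rebuild the distro's openssl with SSLv2 disabled":
#   add_no_ssl2          - add no-ssl2 to CONFARGS in debian/rules (idempotent)
#   backup_debs          - save the installed .deb files for a dpkg -i rollback
#   count_ssl2_ciphers   - count SSLv2 entries in `openssl ciphers -v` output
set -eu

# Return 0 if the rules file already passes no-ssl2 to Configure.
confargs_has_no_ssl2() {
    grep -Eq '(^|[[:space:]])no-ssl2([[:space:]]|$)' "$1"
}

# Append no-ssl2 to the CONFARGS assignment. If that line ends with a
# backslash continuation, insert before the backslash so the Makefile
# syntax stays intact. Written via a temp file so any POSIX sed works.
# Usage: add_no_ssl2 path/to/debian/rules
add_no_ssl2() {
    rules="$1"
    if confargs_has_no_ssl2 "$rules"; then
        return 0
    fi
    sed '/^CONFARGS[[:space:]]*=/{
s/[[:space:]]*\\$/ no-ssl2 \\/
t
s/$/ no-ssl2/
}' "$rules" > "$rules.tmp"
    mv "$rules.tmp" "$rules"
}

# Copy openssl/libssl package files from $1 into $2 so they can be put back
# with "sudo dpkg -i $2/*.deb" if the rebuilt packages break something.
# Prints the number of files saved.
backup_debs() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    n=0
    for f in "$src"/openssl_*.deb "$src"/libssl*.deb; do
        [ -f "$f" ] || continue
        cp "$f" "$dst"/
        n=$((n + 1))
    done
    echo "$n"
}

# Read `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` output on stdin and count
# the ciphers whose protocol column is SSLv2. A correct no-ssl2 build prints 0.
count_ssl2_ciphers() {
    awk '$2 == "SSLv2" { n++ } END { print n + 0 }'
}

# Constructed sample of `ciphers -v` output from a build that still has SSLv2
# (two SSLv2 lines, two SSLv3 lines); not captured from a real system.
SAMPLE_CIPHERS='DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Offline demo on a throwaway rules file: ./rebuild_helpers.sh demo
demo() {
    d=$(mktemp -d)
    printf 'CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-ssl3\n' > "$d/rules"
    add_no_ssl2 "$d/rules"
    cat "$d/rules"
    echo "SSLv2 ciphers in sample output: $(printf '%s\n' "$SAMPLE_CIPHERS" | count_ssl2_ciphers)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On the real system the sequence is: `backup_debs /var/cache/apt/archives origopenssl`, `apt source openssl`, `add_no_ssl2 openssl-*/debian/rules`, `debuild -b -uc -us`, install, then `openssl ciphers -v 'ALL:COMPLEMENTOFALL' | count_ssl2_ciphers` and expect 0; anything else means the Configure argument did not take.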