OpenSSL compliance with Linux distributions

Dan Kegel dank at
Fri Aug 7 16:33:45 UTC 2020

Suggestion: get the source for the exact same version of openssl your
system uses, and rebuild it with sslv2 disabled.


sudo apt install build-essential devscripts
sudo apt build-dep openssl
mkdir tmp
cd tmp
apt source openssl
cd openssl-*
gedit debian/rules     # see below
debuild -b -uc -us
cd ..
sudo apt install *.deb

While editing debian/rules in gedit, change the line

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3
enable-unit-test no-ssl3-method enable-rfc3779 enable-cms

to add the no-ssl2 argument, or something like that.  See

But be careful!  You probably want to have the original system .deb files
for its openssl in an origopenssl dir
so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when this

- Dan

On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.mooc at> wrote:

> Thank you very much Kyle for your quick and clear answer.
> The reason why I want to upgrade OpenSSL version, is that I encounter a
> problem with 1 frame exchange between client and server.
> This frame is the first packet sent from client to server (Client Hello
> Packet) and the protocol used for this packet is SSLv2.
> I don't understand why, because I force the use of TLSv1 (in ssl.conf file
> as in application software), but only for this first exchange packet, SSLv2
> is used. All other packets are well using TLSv10 as configured.
> I have also searched for forcing the use of TLSv10 ciphers in OpenSSL
> configuration and in application software, but I didn't succeed doing so.
> That's why I had in idea of upgrading OpenSSL version to avoid the use of
> SSLv2 protocol.
> Thus, if you have any idea of how to solve my problem without upgrading
> OpenSSL version or Linux distribution, It would be very nice.
> Thank you in advance for your answer.
> Best Regards,
> Le 05/08/2020 à 22:10, Kyle Hamilton a écrit :
> It is never recommended to upgrade you distribution's version of OpenSSL
> with one you compile yourself.  Doing so will often break all software
> installed by the distribution that uses it.
> If you need functionality from newer versions of OpenSSL, your options are
> to upgrade your OS version, or to install a local copy of OpenSSL and
> manually compile and link local copies of the applications that need the
> newer functionality.
> (Newer versions of OpenSSL do not maintain the same Application Binary
> Interface (ABI), which means that binaries compiled against older versions
> will not correctly operate or dynamically link against newer libraries.
> Also, distributions such as Debian can modify the ABI in such a way that
> nothing distributed directly by can be compiled to meet it
> without source code modification.)
> -Kyle H
> On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.mooc at> wrote:
>> Hello,
>> I'm using an old version of OpenSSL (0.9.8g) on an old Linux Debian
>> distribution (Lenny).
>> Is it possible to upgrade OpenSSL version without upgrading Linux Debian
>> distribution ?
>> If yes, up to which version of OpenSSL ?
>> Are all versions of OpenSSL compliant with all Linux Debian distribution ?
>> Thank you in advance for your answer.
>> Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list