OpenSSL compliance with Linux distributions

Patrick Mooc patrick.mooc at gmail.com
Mon Aug 10 19:57:23 UTC 2020


Hello,

I tried to follow your procedure but I saw that I don't have same folders.

That makes me realise that I forgot to give an important point concerning my 
problem:
the Debian distribution I use is not on a PC; it is an embedded 
one. It is a Qt project (also an old version of course, version 4.7).

I made some new tests today and it seems that there is only one case in 
which the SSLv2 Client Hello packet is sent.
It happens on a Soap call in a php scripting file.
Thus I have to see how to constrain this SOAP call not to use the SSLv2 
protocol.
I guess that the PHP library used is also an old one; I have to check this.

When this piece of code is not called, the Client Hello packets are correctly sent 
with the TLSv10 protocol.

Best Regards,


On 07/08/2020 at 18:33, Dan Kegel wrote:
> Suggestion: get the source for the exact same version of openssl your 
> system uses, and rebuild it with sslv2 disabled.
>
> e.g.
>
> sudo apt install build-essential devscripts
> sudo apt build-dep openssl
> mkdir tmp
> cd tmp
> apt source openssl
> cd openssl-*
> gedit debian/rules     # see below
> debuild -b -uc -us
> cd ..
> sudo apt install *.deb
>
> While editing debian/rules in gedit, change the line
>
> CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl 
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib 
> no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
>
> to add the no-ssl2 argument, or something like that.  See 
> https://wiki.openssl.org/index.php/Compilation_and_Installation
>
> But be careful!  You probably want to have the original system .deb 
> files for its openssl in an origopenssl dir
> so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when 
> this breaks.
>
> - Dan
>
>
> On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.mooc at gmail.com> wrote:
>
>     Thank you very much Kyle for your quick and clear answer.
>
>     The reason why I want to upgrade OpenSSL version, is that I
>     encounter a problem with 1 frame exchange between client and server.
>
>     This frame is the first packet sent from client to server (Client
>     Hello Packet) and the protocol used for this packet is SSLv2.
>     I don't understand why, because I force the use of TLSv1 (in
>     ssl.conf file as in application software), but only for this first
>     exchange packet, SSLv2 is used. All other packets are well using
>     TLSv10 as configured.
>
>     I have also searched for forcing the use of TLSv10 ciphers in
>     OpenSSL configuration and in application software, but I didn't
>     succeed doing so.
>
>     That's why I had the idea of upgrading the OpenSSL version to avoid the
>     use of the SSLv2 protocol.
>
>
>     Thus, if you have any idea of how to solve my problem without
>     upgrading the OpenSSL version or Linux distribution, it would be very
>     nice.
>
>
>     Thank you in advance for your answer.
>
>     Best Regards,
>
>
>     On 05/08/2020 at 22:10, Kyle Hamilton wrote:
>>     It is never recommended to upgrade your distribution's version of
>>     OpenSSL with one you compile yourself.  Doing so will often break
>>     all software installed by the distribution that uses it.
>>
>>     If you need functionality from newer versions of OpenSSL, your
>>     options are to upgrade your OS version, or to install a local
>>     copy of OpenSSL and manually compile and link local copies of the
>>     applications that need the newer functionality.
>>
>>     (Newer versions of OpenSSL do not maintain the same Application
>>     Binary Interface (ABI), which means that binaries compiled
>>     against older versions will not correctly operate or dynamically
>>     link against newer libraries. Also, distributions such as Debian
>>     can modify the ABI in such a way that nothing distributed
>>     directly by openssl.org can be compiled to
>>     meet it without source code modification.)
>>
>>     -Kyle H
>>
>>     On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.mooc at gmail.com> wrote:
>>
>>         Hello,
>>
>>         I'm using an old version of OpenSSL (0.9.8g) on an old Linux
>>         Debian distribution (Lenny).
>>
>>         Is it possible to upgrade the OpenSSL version without upgrading
>>         the Linux Debian distribution?
>>         If yes, up to which version of OpenSSL?
>>
>>         Are all versions of OpenSSL compliant with all Linux Debian
>>         distributions?
>>
>>
>>         Thank you in advance for your answer.
>>
>>         Best Regards,
>>