OpenSSL compliance with Linux distributions
patrick.mooc at gmail.com
Mon Aug 10 19:57:23 UTC 2020
I tried to follow your procedure but I saw that I don't have same folders.
That lets me know that I forgot to give an important point concerning my
the Debian distribution I use, is not on a PC, but it is an embedded
one. It is a Qt project (also an old version of course, version 4.7)
I made some new tests today and it seems that there is only one case in
which the SSLv2 Client Hello packet is sent.
It happens on a Soap call in a php scripting file.
Thus I have to see how to constraint this Soap call not to use SSLv2
I guess that the php library used is also an old one, I have to check this.
When this piece of code is not called, Client Hello packet are well sent
with TLSv10 protocol.
Le 07/08/2020 à 18:33, Dan Kegel a écrit :
> Suggestion: get the source for the exact same version of openssl your
> system uses, and rebuild it with sslv2 disabled.
> sudo apt install build-essential devscripts
> sudo apt build-dep openssl
> mkdir tmp
> cd tmp
> apt source openssl
> cd openssl-*
> gedit debian/rules # see below
> debuild -b -uc -us
> cd ..
> sudo apt install *.deb
> While editing debian/rules in gedit, change the line
> CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
> to add the no-ssl2 argument, or something like that. See
> But be careful! You probably want to have the original system .deb
> files for its openssl in an origopenssl dir
> so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when
> this breaks.
> - Dan
> On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.mooc at gmail.com
> <mailto:patrick.mooc at gmail.com>> wrote:
> Thank you very much Kyle for your quick and clear answer.
> The reason why I want to upgrade OpenSSL version, is that I
> encounter a problem with 1 frame exchange between client and server.
> This frame is the first packet sent from client to server (Client
> Hello Packet) and the protocol used for this packet is SSLv2.
> I don't understand why, because I force the use of TLSv1 (in
> ssl.conf file as in application software), but only for this first
> exchange packet, SSLv2 is used. All other packets are well using
> TLSv10 as configured.
> I have also searched for forcing the use of TLSv10 ciphers in
> OpenSSL configuration and in application software, but I didn't
> succeed doing so.
> That's why I had in idea of upgrading OpenSSL version to avoid the
> use of SSLv2 protocol.
> Thus, if you have any idea of how to solve my problem without
> upgrading OpenSSL version or Linux distribution, It would be very
> Thank you in advance for your answer.
> Best Regards,
> Le 05/08/2020 à 22:10, Kyle Hamilton a écrit :
>> It is never recommended to upgrade you distribution's version of
>> OpenSSL with one you compile yourself. Doing so will often break
>> all software installed by the distribution that uses it.
>> If you need functionality from newer versions of OpenSSL, your
>> options are to upgrade your OS version, or to install a local
>> copy of OpenSSL and manually compile and link local copies of the
>> applications that need the newer functionality.
>> (Newer versions of OpenSSL do not maintain the same Application
>> Binary Interface (ABI), which means that binaries compiled
>> against older versions will not correctly operate or dynamically
>> link against newer libraries. Also, distributions such as Debian
>> can modify the ABI in such a way that nothing distributed
>> directly by openssl.org <http://openssl.org> can be compiled to
>> meet it without source code modification.)
>> -Kyle H
>> On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.mooc at gmail.com
>> <mailto:patrick.mooc at gmail.com>> wrote:
>> I'm using an old version of OpenSSL (0.9.8g) on an old Linux
>> distribution (Lenny).
>> Is it possible to upgrade OpenSSL version without upgrading
>> Linux Debian
>> distribution ?
>> If yes, up to which version of OpenSSL ?
>> Are all versions of OpenSSL compliant with all Linux Debian
>> distribution ?
>> Thank you in advance for your answer.
>> Best Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users