installing OpenSSL 1.1.1 on RedHat 6.x

[Tim Culhane]

Hi Victor,

We used to ship OpenSSL with our product but decided to decouple OpenSSL  so
that customers had the flexibility to run with whatever versionof OpenSSL
and could upgrade OpenSSL when they needed to rather than waiting for an
update from us containing a new OpenSSL implementation.


Tim


-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Viktor
Dukhovni
Sent: Thursday 8 July 2021 20:49
To: openssl-users at openssl.org
Subject: Re: installing OpenSSL 1.1.1 on RedHat 6.x

On Thu, Jul 08, 2021 at 05:55:42PM +0100, Tim Culhane wrote:

> We have a customer who is running our product on a RedHat 6.x server.
> Our product uses OpenSSL 1.1.1 to handle secure connections.
> 
> Initial testing by the customer is showing segmentation faults in 
> OpenSSL during the handshake process.

You can build and bundle your own OpenSSL library (libssl and libcrypto),
that is dynamically linked, has a custom "SONAME", and custom symbol version
names.

Such a dynamically linked SSL library can coexist in the same address space
with another (e.g. platform-vendor provided) OpenSSL version, provided both
use symbol versioning.

> I know that RedHat certainly doesn't ship recent versions of OpenSSL  
> for RedHat 6.x.  However it is still possible to install later OpenSSL 
> versions to run side-by-side the system installation.
> 
> What I'm wondering is, would there be a  technical reason why OpenSSL 
> 1.1.1 would not work correctly on a RedHat 6.x system?

There are two potential problems:

    - Symbol name/version collisions.
    - Passing of incompatible SSL contexts/handles created in one
      library to an API linked with another incompatible library.

The second issue is quite rare, but though the first is common, it can
avoided by building the custom non-platform OpenSSL libraries with care.

Look for "shlib_variant" in the Configuration profiles for OpenSSL 1.1.1x.

-- 
    Viktor.