Best way to have a system with openssl-1.1 and 3.0?

Todd Short todd.short at me.com
Tue Sep 5 18:17:05 UTC 2023


You can easily have multiple LIBRARIES of OpenSSL 1.1 and 3.x on the same system; Ubuntu and Fedora do this, and it’s fairly trivial (i.e. just install the libraries), as the libraries are versioned by default (e.g. libcrypto.so.1.1 and libcrypto.so.3).

The problem is the development environment (i.e. header files and default library), as these files all have the same name. You will need to explicitly place the header files in separate locations, but one should be the default. This would mean putting the default in /usr/include/openssl, and the other one in /usr/include/openssl11, for example. (Alternatively, make the default a symlink to the versioned directory.) And then the “simple” name of the libraries would need to point (symlink) to the correct one:

/usr/lib64/libcrypto.so -> /usr/lib64/libcrypto.so.3
/usr/lib64/libssl.so -> /usr/lib64/libssl.so.3

Many software packages offer “--with-openssl” options, and you can specify the OpenSSL library.

You could also create scripts that swap the development environment for you:

# move to openssl 3
rm /usr/include/openssl
ln -s /usr/include/openssl3 /usr/include/openssl
rm /usr/lib64/libcrypto.so
ln -s /usr/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so
rm /usr/lib64/libssl.so
ln -s /usr/lib64/libssl.so.3 /usr/lib64/libssl.so

I leave it as an exercise to the reader to move to an openssl 1.1 environment.

After building, the header files no longer matter, and the versioned library will be used by the executable. So the environment can be swapped around.

And yes, having two different versions of libcurl pointing to two different versions of OpenSSL is another issue. You will need to do something similar with libcurl.so to swap between the different (OpenSSL) versions of libcurl, or build it along with your other project, or discover some way to explicitly specify the version of libcurl via a patch or configure option.

--
-Todd Short
// todd.short at me.com
// "One if by land, two if by sea, three if by the Internet."

> On Sep 5, 2023, at 1:58 PM, Michael Brunnbauer <brunni at netestate.de> wrote:
> 
> 
> hi all,
> 
> I am planning the migration to openssl 3.0 on my self-compiled linux systems.
> There is a non-negotiable requirement to support old packages that will only
> compile with openssl 1.1 - like PHP < 8.1. This is usually not a problem as
> the openssl 3 shared libraries have a new version number but there are some
> tricky dependency-problems - one of which I cannot solve:
> 
> I assume that no binary should both link to openssl 1.1 and 3.0 either directly
> or indirectly (via shared libraries using openssl)? This poses a problem with
> apache, libcurl and libmysql which are all used by php and linked to openssl.
> 
> I can install apache linked with openssl 3.0 under a separate prefix and
> compile php (also installed under a version-specific prefix) with mysqlnd such
> that libmysql is not linked. This leaves only libcurl as a problem and I do
> not know how to solve it. I tried installing libcurl linked with openssl 1.1
> under /usr/curl_openssl1 and then compiling php with that path specified.
> 
> But the Loader will always prefer the libcurl.so.4 found under /usr/lib64
> to the one under /usr/curl_openssl1/lib. It seems having two libcurls with
> the same version number linked to different openssl version is not an option.
> 
> Is there a way to solve this?
> 
> Regards,
> 
> Michael Brunnbauer
> 
> --
> ++  Michael Brunnbauer
> ++  netEstate GmbH
> ++  Geisenhausener Straße 11a
> ++  81379 München
> ++  Tel +49 89 32 19 77 80
> ++  Fax +49 89 32 19 77 89
> ++  E-Mail brunni at netestate.de
> ++  https://www.netestate.de/
> ++
> ++  Registered office: München, HRB Nr.142452 (Handelsregister B München)
> ++  VAT ID DE221033342
> ++  Managing director: Michael Brunnbauer
> ++  Authorized signatory (Prokurist): Dipl. Kfm. (Univ.) Markus Hendel
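
Added example (not part of the original message and not OpenSSL project code): a POSIX shell check that reads ldd output for a built binary and reports which versioned OpenSSL libraries it resolves, flagging the case from the quoted question where one binary pulls in 1.1 and 3 together, for instance through libcurl. The function names and the sample ldd lines are constructed for illustration.

```shell
#!/bin/sh
# Real use (on binaries you built yourself):  ldd /path/to/binary | check_openssl_mix

# Constructed sample ldd output: a binary that resolves only OpenSSL 3.
SAMPLE_OK='	libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f0000000000)
	libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0000400000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007f0000800000)'

# Constructed sample: linked against 1.1 directly, while the libcurl.so.4
# found in /usr/lib64 drags in OpenSSL 3 as an indirect dependency.
SAMPLE_MIXED='	libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000000000)
	libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000400000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f0000800000)
	libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f0000c00000)
	libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0001000000)'

# Print the distinct libssl/libcrypto sonames found in ldd output on stdin.
# ldd lines look like: "<soname> => <resolved path> (<load address>)".
openssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so\./ { print $1 }' | sort -u
}

# Reduce the sonames to distinct version suffixes, e.g. "1.1" and "3".
openssl_versions() {
    openssl_sonames | sed 's/^lib[a-z]*\.so\.//' | sort -u
}

# Return 0 when at most one OpenSSL version is resolved, 1 when mixed.
check_openssl_mix() {
    versions=$(openssl_versions)
    count=$(printf '%s\n' "$versions" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "MIXED:" $versions
        return 1
    fi
    echo "OK: ${versions:-none}"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_openssl_mix
printf '%s\n' "$SAMPLE_MIXED" | check_openssl_mix || true
```

Because ldd lists indirect dependencies as well, the check also shows which libcurl.so.4 path the loader actually picked.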
