Best way to have a system with openssl-1.1 and 3.0?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Sep 6 00:26:37 UTC 2023


On Tue, Sep 05, 2023 at 07:58:12PM +0200, Michael Brunnbauer wrote:

> I assume that no binary should both link to openssl 1.1 and 3.0 either directly
> or indirectly (via shared libraries using openssl)? This poses a problem with 
> apache, libcurl and libmysql which are all used by php and linked to openssl.

The OpenSSL 3.0 and 1.1.1 shared object libraries can coexist in the
same address space on platforms that support symbol versioning.  This
works when one of the dependencies on OpenSSL is *indirect*.

  executable:
    libdirect.so:
      libcrypto.so.1  (OpenSSL 1.1.1 dependency of libdirect.so)
    libcrypto.so.3    (OpenSSL 3.0, direct dependency of the executable)

Or the converse (3.0 direct, 1.1.1 indirect).  The executable must use
the correct headers, and command-line linker flags, but that said, it
works just fine.

Right now, I have a system with OpenSSL 3.0 and some applications linked
with OpenSSL 3.2 (dev), but that may indirectly also depend on the 3.0
libraries that are bundled with the system.

With the "shlib_variant" support in the OpenSSL configuration templates,
it is even possible to have two different builds of the *same* OpenSSL
version, that differ only in the SONAME strings and symbol versions.

-- 
    Viktor.
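
Added example, not part of the original message: a check that reads the text of a process's /proc/<pid>/maps on Linux and reports when more than one copy of libcrypto or libssl is mapped into the same address space, as in the direct/indirect layout above. The sample maps text, the paths in it and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Basename of an OpenSSL shared object: libcrypto.so.1.1, libssl.so.3, or a
# shlib_variant build such as libcrypto-opt.so.3 (variant name is constructed).
# The (?!\d) guard skips NSS's libssl3.so, which is not OpenSSL.
_OPENSSL_SO = re.compile(r"/lib(crypto|ssl)(?!\d)[^/]*\.so(\.\d+)*$")

def openssl_mappings(maps_text):
    """Map 'libcrypto'/'libssl' to the set of distinct file paths mapped
    by one process, given the text of its /proc/<pid>/maps."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode path
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5].strip()
        if path.endswith(" (deleted)"):   # file replaced on disk after load
            path = path[: -len(" (deleted)")]
        m = _OPENSSL_SO.search(path)
        if m:
            found["lib" + m.group(1)].add(path)
    return dict(found)

def coexisting(found):
    """Libraries with more than one distinct copy in the address space."""
    return {lib: sorted(paths) for lib, paths in found.items() if len(paths) > 1}

# Constructed sample: executable linked to 3.0, libdirect.so pulls in 1.1.1.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 1311 /usr/local/bin/app
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 2201 /usr/lib/libdirect.so
7f3a20000000-7f3a202b0000 r-xp 00000000 08:01 2310 /usr/lib/libcrypto.so.1.1
7f3a202b0000-7f3a202e0000 rw-p 002b0000 08:01 2310 /usr/lib/libcrypto.so.1.1
7f3a30000000-7f3a30440000 r-xp 00000000 08:01 2422 /usr/lib/libcrypto.so.3
7f3a40000000-7f3a40021000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    import sys
    # Pass a maps file (e.g. /proc/1234/maps) or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    print(coexisting(openssl_mappings(text)))
```

A non-empty result does not indicate a fault by itself; it identifies processes that still carry a second OpenSSL copy, which is useful when tracking which library versions need patching.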
