migrating from OpsenSSL 1.1.1t to 3.0.10

Tomas Mraz tomas at openssl.org
Mon Sep 11 09:53:44 UTC 2023 

Yes, everything that uses OpenSSL needs to be recompiled when migrating
from 1.1.1 to 3.x versions. There is no way around that.

Tomas Mraz, OpenSSL

On Mon, 2023-09-11 at 11:43 +0200, Matthias Apitz wrote:
> 
> Hello,
> 
> We have a lot of own C/C++ written servers, compiled and linked
> against
> libcrypto.1.1 and libssl.1.1:
> 
> # ls -l /usr/local/sisis-pap/lib/libssl* /usr/local/sisis-
> pap/lib/libcry*
> -rw-r--r-- 1 bin  bin  5072394 Jun 16 09:02 /usr/local/sisis-
> pap/lib/libcrypto.a
> lrwxrwxrwx 1 root root      16 Jun 16 09:08 /usr/local/sisis-
> pap/lib/libcrypto.so -> libcrypto.so.1.1
> -rwxr-xr-x 1 bin  bin  3002744 Jun 16 09:08 /usr/local/sisis-
> pap/lib/libcrypto.so.1.1
> -rw-r--r-- 1 bin  bin  1029426 Jun 16 09:02 /usr/local/sisis-
> pap/lib/libssl.a
> lrwxrwxrwx 1 root root      13 Jun 16 09:08 /usr/local/sisis-
> pap/lib/libssl.so -> libssl.so.1.1
> -rwxr-xr-x 1 bin  bin   697248 Jun 16 09:08 /usr/local/sisis-
> pap/lib/libssl.so.1.1
> 
> These servers are our own application servers, but also for example
> the
> PostgreSQL server (also compiled from source).
> 
> So far so good.
> 
> Now with the announced EOL of 1.1.1 I compiled OpenSSL 3.0.10 which
> gave
> in a new target directoy the following libs:
> 
> # ls -l /usr/local/sisis-pap-ssl30/lib/libssl* /usr/local/sisis-pap-
> ssl30/lib/libcry*
> -rw-r--r-- 1 root root 8975888 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libcrypto.a
> lrwxrwxrwx 1 root root      14 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so -> libcrypto.so.3
> -rwxr-xr-x 1 root root 4962368 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so.3
> -rw-r--r-- 1 root root 1253636 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libssl.a
> lrwxrwxrwx 1 root root      11 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libssl.so -> libssl.so.3
> -rwxr-xr-x 1 root root  803008 Sep 11 08:38 /usr/local/sisis-pap-
> ssl30/lib/libssl.so.3
> 
> To make the existing servers happy, it does not help to change the
> LD_LIBRARY_PATH to get the 3.0.10 libs in front of the old 1.1.1t
> libs
> and also making sym links like:
> 
> lrwxrwxrwx 1 root root      45 Sep 11 11:11 /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so.1.1 -> /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so.3
> lrwxrwxrwx 1 root root      42 Sep 11 11:12 /usr/local/sisis-pap-
> ssl30/lib/libssl.so.1.1 -> /usr/local/sisis-pap-ssl30/lib/libssl.so.3
> 
> will not help, because the server (here the PostgreSQL server) is
> missing old symbols in the new 3.0.10 shared libs:
> 
> # /etc/init.d/postgres.ssl30 start
> /usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap-
> ssl30/lib/libssl.so.1.1: version `OPENSSL_1_1_0' not found (required
> by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster)
> /usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0' not found
> (required by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster)
>         libssl.so.1.1 => /usr/local/sisis-pap-ssl30/lib/libssl.so.1.1
> (0x00007fb9b5046000)
>         libcrypto.so.1.1 => /usr/local/sisis-pap-
> ssl30/lib/libcrypto.so.1.1 (0x00007fb9b4c2f000)
> Starting PostgreSQL: su: cannot open session: Module is unknown
> 
> This matches what is expressed in the migration guide:
> https://www.openssl.org/docs/man3.1/man7/migration_guide.html
> ...
> OpenSSL 3.0 is a major release and consequently any application that
> currently uses an older version of OpenSSL will at the very least
> need
> to be recompiled in order to work with the new version.
> ...
> 
> Thanks
> 
>         matthias
> 
> 

-- 
Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list