<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>I tried to follow your procedure but I saw that I don't have same
folders.</p>
<p>That lets me know that I forgot to give an important point
concerning my problem :<br>
the Debian distribution I use, is not on a PC, but it is an
embedded one. It is a Qt project (also an old version of course,
version 4.7)<br>
</p>
<p>I made some new tests today and it seems that there is only one
case in which the SSLv2 Client Hello packet is sent.<br>
It happens on a Soap call in a php scripting file.<br>
Thus I have to see how to constraint this Soap call not to use
SSLv2 protocol.<br>
I guess that the php library used is also an old one, I have to
check this.<br>
</p>
<p>When this piece of code is not called, Client Hello packet are
well sent with TLSv10 protocol.</p>
<p>Best Regards,</p>
<p><br>
</p>
<div class="moz-cite-prefix">Le 07/08/2020 à 18:33, Dan Kegel a
écrit :<br>
</div>
<blockquote type="cite"
cite="mid:CAPF-yOYXH=kPBXciDTPFU8YzomnWbn=+SXKVk0HgYU_sGx5a5A@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Suggestion: get the source for the exact same
version of openssl your system uses, and rebuild it with sslv2
disabled.<br>
<div><br>
</div>
<div>e.g.</div>
<div><br>
</div>
<div>sudo apt install build-essential devscripts</div>
<div>sudo apt build-dep openssl</div>
<div>mkdir tmp</div>
<div>cd tmp</div>
<div>apt source openssl</div>
<div>cd openssl-*</div>
<div>gedit debian/rules # see below</div>
<div>debuild -b -uc -us</div>
<div>cd ..</div>
<div>sudo apt install *.deb</div>
<div><br>
</div>
<div>While editing debian/rules in gedit, change the line</div>
<div><br>
</div>
<div>CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5
no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779
enable-cms<br>
</div>
<div><br>
</div>
<div>to add the no-ssl2 argument, or something like that. See <a
href="https://wiki.openssl.org/index.php/Compilation_and_Installation"
moz-do-not-send="true">https://wiki.openssl.org/index.php/Compilation_and_Installation</a></div>
<div><br>
</div>
<div>But be careful! You probably want to have the original
system .deb files for its openssl in an origopenssl dir</div>
<div>so you can reinstall them with 'sudo dpkg -i
origopenssl/*.deb' when this breaks.</div>
<div><br>
</div>
<div>- Dan</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Aug 5, 2020 at 1:28 PM
Patrick Mooc <<a href="mailto:patrick.mooc@gmail.com"
moz-do-not-send="true">patrick.mooc@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Thank you very much Kyle for your quick and clear answer.</p>
<p>The reason why I want to upgrade OpenSSL version, is that
I encounter a problem with 1 frame exchange between client
and server.</p>
<p>This frame is the first packet sent from client to server
(Client Hello Packet) and the protocol used for this
packet is SSLv2.<br>
I don't understand why, because I force the use of TLSv1
(in ssl.conf file as in application software), but only
for this first exchange packet, SSLv2 is used. All other
packets are well using TLSv10 as configured.</p>
<p>I have also searched for forcing the use of TLSv10
ciphers in OpenSSL configuration and in application
software, but I didn't succeed doing so.<br>
</p>
<p>That's why I had in idea of upgrading OpenSSL version to
avoid the use of SSLv2 protocol.</p>
<p><br>
</p>
<p>Thus, if you have any idea of how to solve my problem
without upgrading OpenSSL version or Linux distribution,
It would be very nice.</p>
<p><br>
</p>
<p>Thank you in advance for your answer.<br>
<br>
Best Regards,</p>
<p><br>
</p>
<div>Le 05/08/2020 à 22:10, Kyle Hamilton a écrit :<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div>It is never recommended to upgrade you
distribution's version of OpenSSL with one you compile
yourself. Doing so will often break all software
installed by the distribution that uses it.
<div dir="auto"><br>
</div>
<div dir="auto">If you need functionality from newer
versions of OpenSSL, your options are to upgrade
your OS version, or to install a local copy of
OpenSSL and manually compile and link local copies
of the applications that need the newer
functionality.</div>
<div dir="auto"><br>
</div>
<div dir="auto">(Newer versions of OpenSSL do not
maintain the same Application Binary Interface
(ABI), which means that binaries compiled against
older versions will not correctly operate or
dynamically link against newer libraries. Also,
distributions such as Debian can modify the ABI in
such a way that nothing distributed directly by <a
href="http://openssl.org" target="_blank"
moz-do-not-send="true">openssl.org</a> can be
compiled to meet it without source code
modification.)</div>
<br>
-Kyle H</div>
<div dir="auto"><br>
<div class="gmail_quote" dir="auto">
<div dir="ltr" class="gmail_attr">On Wed, Aug 5,
2020, 14:49 Patrick Mooc <<a
href="mailto:patrick.mooc@gmail.com"
target="_blank" moz-do-not-send="true">patrick.mooc@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I'm using an old version of OpenSSL (0.9.8g) on an
old Linux Debian <br>
distribution (Lenny).<br>
<br>
Is it possible to upgrade OpenSSL version without
upgrading Linux Debian <br>
distribution ?<br>
If yes, up to which version of OpenSSL ?<br>
<br>
Are all versions of OpenSSL compliant with all
Linux Debian distribution ?<br>
<br>
<br>
Thank you in advance for your answer.<br>
<br>
Best Regards,<br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</body>
</html>