> On Sep 11, 2018, at 10:59 AM, Juan Isoza <jisoza@xxxxxxxxx> wrote:
>
> What is the better way, for anyone running, for example, Apache or nginx on a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS 1.3?
>
> Waiting for a package update to have openssl 1.1.1? Probably a lot of time.
>
> Recompile the openssl dynamic library and replace the system library? We must be sure we don't break the system.
>
> Recompile Apache or NGinx with openssl statically linked? Probably complex.

You can install OpenSSL 1.1.1 in a non-default location, say:

    ./Configure --prefix=/usr/local/opt/openssl/1.1.1 BSD-x86_64-opt shared

with the "BSD-x86_64-opt" target inheriting from "BSD-x86_64":

--- Configurations/10-main.conf
+++ Configurations/10-main.conf
+ "BSD-x86_64-opt" => {
+ inherit_from => [ "BSD-x86_64" ],
+ shlib_variant => "-opt",
+ },
+

but also specifying 'shlib_variant => "-opt"', see Configurations/README:

    shlib_variant => A "variant" identifier inserted between the base shared
                     library name and the extension. On "unixy" platforms (BSD,
                     Linux, Solaris, MacOS/X, ...) this supports installation
                     of custom OpenSSL libraries that don't conflict with other
                     builds of OpenSSL installed on the system. The variant
                     identifier becomes part of the SONAME of the library and
                     also any symbol versions (symbol versions are not used or
                     needed with MacOS/X). For example, on a system where a
                     default build would normally create the SSL shared library
                     as 'libssl.so -> libssl.so.1.1' with the value of the
                     symlink as the SONAME, a target definition that sets
                     'shlib_variant => "-abc"' will create
                     'libssl.so -> libssl-abc.so.1.1', again with an SONAME
                     equal to the value of the symlink. The symbol versions
                     associated with the variant library would then be
                     'OPENSSL_ABC_<version>' rather than the default
                     'OPENSSL_<version>'. The string inserted into symbol
                     versions is obtained by mapping all letters in the
                     "variant" identifier to upper case and all non-alphanumeric
                     characters to '_'.
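Review bot: the hunk for Configurations/10-main.conf has no @@ header and no context lines, so patch(1) cannot place it; as written it is a snippet to paste into the target table by hand rather than an applicable diff, and the reply should say so. Since the question was about Ubuntu/Debian/SUSE, it is also worth noting that on those systems the new target should inherit from the matching Linux target (e.g. "linux-x86_64") rather than "BSD-x86_64"; the `shlib_variant => "-opt"` line is the part that matters and carries over unchanged.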
The resulting libraries have a non-default SONAME:

    $ readelf -d *.so | grep SONAME
    0x000000000000000e SONAME Library soname: [libcrypto-opt.so.1.1]
    0x000000000000000e SONAME Library soname: [libssl-opt.so.1.1]

And non-default symbol versions:

    $ objdump -T libssl.so | grep SSL_CTX_new
    00000000000338c0 g DF .text 00000000000003b3 OPENSSL_OPT_1_1_0 SSL_CTX_new
    $ objdump -T libcrypto.so | grep X509_new
    00000000001d7be0 g DF .text 0000000000000011 OPENSSL_OPT_1_1_0 X509_new

All that remains is to link Apache, Nginx, ... with these libraries instead:

    CFLAGS+="-I/usr/local/opt/openssl/1.1.1/include"
    LDFLAGS+="-L/usr/local/opt/openssl/1.1.1/lib -Wl,-rpath,/usr/local/opt/openssl/1.1.1/lib"

Integrating this into "ports" is an exercise for the reader...

--
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
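As an added example (not from Viktor's mail or the OpenSSL project), a small POSIX shell script covering the verification steps above: it derives the expected symbol-version prefix from the variant string the way the README describes, then checks readelf, objdump and ldd output to confirm that a build and a linked daemon really use the variant library rather than the system copy. The tool output it runs on is constructed inline to mirror the lines quoted in the thread.

```shell
#!/bin/sh
# Post-install checks for an OpenSSL build configured with shlib_variant => "-opt".
# Added example, not from the mail; the readelf/objdump/ldd samples below are
# constructed to mirror the lines quoted in the thread (not captured output).

# Symbol-version prefix OpenSSL derives from a variant: letters upper-cased,
# every non-alphanumeric character mapped to '_'.   "-opt" -> OPENSSL_OPT
variant_symver() {
    printf 'OPENSSL%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/[^A-Z0-9]/_/g')"
}

# $1: `readelf -d` output, $2: base name (libssl/libcrypto), $3: variant.
# Succeeds only if the SONAME is lib<base><variant>.so.*
soname_has_variant() {
    printf '%s\n' "$1" | grep -q "SONAME.*\[$2$3\.so\."
}

# $1: `objdump -T` output, $2: variant. Fails (and lists the offenders) if any
# defined, exported symbol is not versioned under the variant's prefix.
symvers_ok() {
    prefix=$(variant_symver "$2")
    bad=$(printf '%s\n' "$1" | awk -v p="$prefix" \
        '/ DF / && !/\*UND\*/ && $(NF-1) !~ ("^" p "_") { print }')
    [ -z "$bad" ] || { printf 'wrong symbol version:\n%s\n' "$bad" >&2; return 1; }
}

# $1: `ldd` output of the linked daemon, $2: variant. Fails if libssl/libcrypto
# resolved to a copy without the variant, i.e. the system OpenSSL was picked up.
ldd_uses_variant() {
    ! printf '%s\n' "$1" | grep -E '^[[:space:]]*lib(ssl|crypto)' | grep -vq -- "$2"
}

# Constructed samples (shapes follow the mail's readelf/objdump lines).
READELF_SSL='0x000000000000000e (SONAME) Library soname: [libssl-opt.so.1.1]'
OBJDUMP_SSL='00000000000338c0 g DF .text 00000000000003b3 OPENSSL_OPT_1_1_0 SSL_CTX_new
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 memcpy'
OBJDUMP_PLAIN='00000000000338c0 g DF .text 00000000000003b3 OPENSSL_1_1_0 SSL_CTX_new'
LDD_GOOD='    libssl-opt.so.1.1 => /usr/local/opt/openssl/1.1.1/lib/libssl-opt.so.1.1 (0x1)
    libcrypto-opt.so.1.1 => /usr/local/opt/openssl/1.1.1/lib/libcrypto-opt.so.1.1 (0x2)'
LDD_BAD='    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x1)'

# Run the checks against the samples; the exit status reflects the outcome.
soname_has_variant "$READELF_SSL" libssl -opt &&
symvers_ok "$OBJDUMP_SSL" -opt &&
ldd_uses_variant "$LDD_GOOD" -opt &&
echo "variant build checks passed"
```

On a real host, feed the functions the output of `readelf -d` and `objdump -T` on the installed libraries and of `ldd` on the rebuilt httpd/nginx binary; an `ldd` line naming plain libssl.so.1.1 means the rpath did not take effect.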