On 09/11/2018 01:09 PM, Viktor Dukhovni wrote:
On Sep 11, 2018, at 10:59 AM, Juan Isoza <jisoza@xxxxxxxxx> wrote:
What is the better way, for anyone running, for example, Apache or nginx on a popular Linux distribution (Ubuntu, Debian, Suse) who wants to support TLS 1.3?
Waiting for a package update to have openssl 1.1.1? Probably a lot of time.
Roll your own. It works. Really really well in fact.
Recompile the openssl dynamic library and replace the system library? We must be sure we don't break the system.
Don't do that. That path leads to madness.
Recompile Apache or NGinx with openssl statically linked? Probably complex.
You can install OpenSSL 1.1.1 in a non-default location, say:
./Configure --prefix=/usr/local/opt/openssl/1.1.1 BSD-x86_64-opt shared
with the "BSD-x86_64-opt" target inheriting from "BSD-x86_64":
--- Configurations/10-main.conf
+++ Configurations/10-main.conf
+ "BSD-x86_64-opt" => {
+ inherit_from => [ "BSD-x86_64" ],
+ shlib_variant => "-opt",
+ },
+
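Review bot: the new "BSD-x86_64-opt" entry carries no comment saying what shlib_variant => "-opt" is for, and nothing in the hunk ties the "-opt" suffix to the non-default --prefix it is meant to go with. A one-line comment above the entry stating that the variant exists to keep this build's shared libraries distinct from the system OpenSSL would make the intent clear to whoever next edits 10-main.conf. The hunk as posted also has no @@ header, so it is worth stating where in the file the entry belongs.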
<snip>
Integrating this into "ports" is an exercise for the reader...
It sounds like a downstream ELF header nightmare. Most likely better to
just isolate systems entirely and build the software stack dependencies
using standard locations and standard SONAME/RPATH/RUNPATH data. However
if someone wants to spin in tight circles battling lib resolution, well
gee, sounds like endless fun. Not for me .. thanks.
Dennis
--
openssl-users mailing list