Re: Best way to have a system with openssl-1.1 and 3.0?

You can easily have multiple LIBRARIES of OpenSSL 1.1 and 3.x on the same system; Ubuntu and Fedora do this, and it’s fairly trivial (i.e. just install the libraries), as the libraries are versioned by default (e.g. libcrypto.so.1.1 and libcrypto.so.3)

The problem is the development environment (i.e. header files and default library) as these files all have the same name. You will need to explicitly place the header files in separate locations; but one should be the default. This would mean putting the default in /usr/include/openssl, and the other one in /usr/include/openssl11, for example. (Alternatively, make the default a symlink to the versioned directory.) And then the “simple” name of the libraries would need to point (symlink) to the correct one:

/usr/lib64/libcrypto.so -> /usr/lib64/libcrypto.so.3
/usr/lib64/libssl.so -> /usr/lib64/libssl.so.3

Many software packages offer “--with-openssl” options, and you can specify the OpenSSL library.

You could also create scripts that swap the development environment for you:

# move to openssl 3
rm /usr/include/openssl
ln -s /usr/include/openssl3 /usr/include/openssl
rm /usr/lib64/libcrypto.so
ln -s /usr/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so
rm /usr/lib64/libssl.so
ln -s /usr/lib64/libssl.so.3 /usr/lib64/libssl.so

I leave it as an exercise to the reader to move to an openssl 1.1 environment.

After building, the header files no longer matter, and the versioned library will be used by the executable. So the environment can be swapped around.

And yes, having two different versions of libcurl pointing to two different versions of OpenSSL is another issue. You will need to do something similar with libcurl.so to swap between the different (OpenSSL) versions of libcurl, or build it along with your other project, or discover some way to explicitly specify the version of libcurl via a patch or configure option.

--
-Todd Short
// todd.short@xxxxxx
// "One if by land, two if by sea, three if by the Internet."

On Sep 5, 2023, at 1:58 PM, Michael Brunnbauer <brunni@xxxxxxxxxxxx> wrote:


hi all,

I am planning the migration to openssl 3.0 on my self-compiled linux systems.
There is a non-negotiable requirement to support old packages that will only
compile with openssl 1.1 - like PHP < 8.1. This is usually not a problem as
the openssl 3 shared libraries have a new version number but there are some
tricky dependency-problems - one of which I cannot solve:

I assume that no binary should both link to openssl 1.1 and 3.0 either directly
or indirectly (via shared libraries using openssl)? This poses a problem with
apache, libcurl and libmysql which are all used by php and linked to openssl.

I can install apache linked with openssl 3.0 under a separate prefix and
compile php (also installed under a version-specific prefix) with mysqlnd such
that libmysql is not linked. This leaves only libcurl as a problem and I do
not know how to solve it. I tried installing libcurl linked with openssl 1.1
under /usr/curl_openssl1 and then compiling php with that path specified.

But the Loader will always prefer the libcurl.so.4 found under /usr/lib64
to the one under /usr/curl_openssl1/lib. It seems having two libcurls with
the same version number linked to different openssl version is not an option.

Is there a way to solve this?

Regards,

Michael Brunnbauer

--
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89
++  E-Mail brunni@xxxxxxxxxxxx
++  https://www.netestate.de/
++
++  Sitz: München, HRB Nr.142452 (Handelsregister B München)
++  USt-IdNr. DE221033342
++  Geschäftsführer: Michael Brunnbauer
++  Prokurist: Dipl. Kfm. (Univ.) Markus Hendel

Attachment: signature.asc
Description: Message signed with OpenPGP
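
Added example (not part of either message above): a shell check for the situation the thread discusses, reading `ldd` output and reporting whether a binary would load OpenSSL 1.1, OpenSSL 3, or both through its dependencies such as libcurl. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Usage: ldd /path/to/binary | openssl_mix_check
# Run ldd only on binaries you trust; it may execute code from the target.

# Print the unique libssl/libcrypto sonames found in ldd output on stdin.
openssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so\./ { print $1 }' | sort -u
}

# Read ldd output on stdin. Prints "none", "1.1", "3" or "mixed";
# returns 1 only for "mixed" (both versions in one process).
openssl_mix_check() {
    names=$(openssl_sonames)
    has11=0
    has3=0
    for n in $names; do
        case "$n" in
            *.so.1.1) has11=1 ;;
            *.so.3)   has3=1 ;;
        esac
    done
    if [ "$has11" -eq 1 ] && [ "$has3" -eq 1 ]; then
        echo mixed
        return 1
    elif [ "$has11" -eq 1 ]; then
        echo 1.1
    elif [ "$has3" -eq 1 ]; then
        echo 3
    else
        echo none
    fi
}

# Constructed ldd output: built against 1.1, but the loader resolved
# libcurl.so.4 to a copy that itself needs OpenSSL 3.
sample_mixed() {
    printf '\t%s\n' \
        'libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000001000)' \
        'libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000002000)' \
        'libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f0000003000)' \
        'libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f0000004000)' \
        'libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0000005000)'
}

# Constructed ldd output: everything resolves to OpenSSL 3.
sample_clean() {
    printf '\t%s\n' \
        'libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f0000004000)' \
        'libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0000005000)'
}
```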

