Yes, everything that uses OpenSSL needs to be recompiled when migrating from 1.1.1 to 3.x versions. There is no way around that. Tomas Mraz, OpenSSL On Mon, 2023-09-11 at 11:43 +0200, Matthias Apitz wrote: > > Hello, > > We have a lot of own C/C++ written servers, compiled and linked > against > libcrypto.1.1 and libssl.1.1: > > # ls -l /usr/local/sisis-pap/lib/libssl* /usr/local/sisis- > pap/lib/libcry* > -rw-r--r-- 1 bin bin 5072394 Jun 16 09:02 /usr/local/sisis- > pap/lib/libcrypto.a > lrwxrwxrwx 1 root root 16 Jun 16 09:08 /usr/local/sisis- > pap/lib/libcrypto.so -> libcrypto.so.1.1 > -rwxr-xr-x 1 bin bin 3002744 Jun 16 09:08 /usr/local/sisis- > pap/lib/libcrypto.so.1.1 > -rw-r--r-- 1 bin bin 1029426 Jun 16 09:02 /usr/local/sisis- > pap/lib/libssl.a > lrwxrwxrwx 1 root root 13 Jun 16 09:08 /usr/local/sisis- > pap/lib/libssl.so -> libssl.so.1.1 > -rwxr-xr-x 1 bin bin 697248 Jun 16 09:08 /usr/local/sisis- > pap/lib/libssl.so.1.1 > > These servers are our own application servers, but also for example > the > PostgreSQL server (also compiled from source). > > So far so good. > > Now with the announced EOL of 1.1.1 I compiled OpenSSL 3.0.10 which > gave > in a new target directoy the following libs: > > # ls -l /usr/local/sisis-pap-ssl30/lib/libssl* /usr/local/sisis-pap- > ssl30/lib/libcry* > -rw-r--r-- 1 root root 8975888 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libcrypto.a > lrwxrwxrwx 1 root root 14 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libcrypto.so -> libcrypto.so.3 > -rwxr-xr-x 1 root root 4962368 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libcrypto.so.3 > -rw-r--r-- 1 root root 1253636 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libssl.a > lrwxrwxrwx 1 root root 11 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libssl.so -> libssl.so.3 > -rwxr-xr-x 1 root root 803008 Sep 11 08:38 /usr/local/sisis-pap- > ssl30/lib/libssl.so.3 > > To make the existing servers happy, it does not help to change the > LD_LIBRARY_PATH to get the 3.0.10 libs in front of the old 1.1.1t > libs > and also making sym links like: > > lrwxrwxrwx 1 root root 45 Sep 11 11:11 /usr/local/sisis-pap- > ssl30/lib/libcrypto.so.1.1 -> /usr/local/sisis-pap- > ssl30/lib/libcrypto.so.3 > lrwxrwxrwx 1 root root 42 Sep 11 11:12 /usr/local/sisis-pap- > ssl30/lib/libssl.so.1.1 -> /usr/local/sisis-pap-ssl30/lib/libssl.so.3 > > will not help, because the server (here the PostgreSQL server) is > missing old symbols in the new 3.0.10 shared libs: > > # /etc/init.d/postgres.ssl30 start > /usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap- > ssl30/lib/libssl.so.1.1: version `OPENSSL_1_1_0' not found (required > by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster) > /usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap- > ssl30/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0' not found > (required by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster) > libssl.so.1.1 => /usr/local/sisis-pap-ssl30/lib/libssl.so.1.1 > (0x00007fb9b5046000) > libcrypto.so.1.1 => /usr/local/sisis-pap- > ssl30/lib/libcrypto.so.1.1 (0x00007fb9b4c2f000) > Starting PostgreSQL: su: cannot open session: Module is unknown > > This matches what is expressed in the migration guide: > https://www.openssl.org/docs/man3.1/man7/migration_guide.html > ... > OpenSSL 3.0 is a major release and consequently any application that > currently uses an older version of OpenSSL will at the very least > need > to be recompiled in order to work with the new version. > ... > > Thanks > > matthias > > -- Tomáš Mráz, OpenSSL
