Suggestion: get the source for the exact same version of openssl your system uses, and rebuild it with sslv2 disabled.
e.g.

    sudo apt install build-essential devscripts
    sudo apt build-dep openssl
    mkdir tmp
    cd tmp
    apt source openssl
    cd openssl-*
    gedit debian/rules   # see below
    debuild -b -uc -us
    cd ..
    sudo apt install ./*.deb   # ./ makes apt treat these as local package files

While editing debian/rules in gedit, change the line

    CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms

to add the no-ssl2 argument, or something like that.
See https://wiki.openssl.org/index.php/Compilation_and_Installation

But be careful! You probably want to have the original system .deb files
for its openssl in an origopenssl dir so you can reinstall them with
'sudo dpkg -i origopenssl/*.deb' when this breaks.

- Dan

On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.m...@gmail.com> wrote:

> Thank you very much Kyle for your quick and clear answer.
>
> The reason why I want to upgrade OpenSSL version, is that I encounter a
> problem with 1 frame exchange between client and server.
>
> This frame is the first packet sent from client to server (Client Hello
> Packet) and the protocol used for this packet is SSLv2.
> I don't understand why, because I force the use of TLSv1 (in ssl.conf file
> as in application software), but only for this first exchange packet, SSLv2
> is used. All other packets are well using TLSv10 as configured.
>
> I have also searched for forcing the use of TLSv10 ciphers in OpenSSL
> configuration and in application software, but I didn't succeed doing so.
>
> That's why I had the idea of upgrading OpenSSL version to avoid the use of
> SSLv2 protocol.
>
> Thus, if you have any idea of how to solve my problem without upgrading
> OpenSSL version or Linux distribution, it would be very nice.
>
> Thank you in advance for your answer.
>
> Best Regards,
>
> On 05/08/2020 at 22:10, Kyle Hamilton wrote:
>
> > It is never recommended to upgrade your distribution's version of OpenSSL
> > with one you compile yourself. Doing so will often break all software
> > installed by the distribution that uses it.
> >
> > If you need functionality from newer versions of OpenSSL, your options are
> > to upgrade your OS version, or to install a local copy of OpenSSL and
> > manually compile and link local copies of the applications that need the
> > newer functionality.
> >
> > (Newer versions of OpenSSL do not maintain the same Application Binary
> > Interface (ABI), which means that binaries compiled against older versions
> > will not correctly operate or dynamically link against newer libraries.
> > Also, distributions such as Debian can modify the ABI in such a way that
> > nothing distributed directly by openssl.org can be compiled to meet it
> > without source code modification.)
> >
> > -Kyle H
> >
> > On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.m...@gmail.com> wrote:
> >
> >> Hello,
> >>
> >> I'm using an old version of OpenSSL (0.9.8g) on an old Linux Debian
> >> distribution (Lenny).
> >>
> >> Is it possible to upgrade OpenSSL version without upgrading Linux Debian
> >> distribution?
> >> If yes, up to which version of OpenSSL?
> >>
> >> Are all versions of OpenSSL compliant with all Linux Debian distribution?
> >>
> >> Thank you in advance for your answer.
> >>
> >> Best Regards,
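
Added example, not part of the thread: an SSLv2 first packet followed by TLSv1.0 traffic is consistent with an SSLv2-compatible ClientHello, where the client offers TLS inside SSLv2 record framing (RFC 5246, Appendix E.2). The sketch below separates the framing of a captured hello from the version it offers; the function names and both sample packets are constructed here, not taken from the capture discussed above.

```python
import struct
from typing import NamedTuple

# Wire version numbers as they appear in a ClientHello.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

class Hello(NamedTuple):
    framing: str   # record format used on the wire
    offered: str   # highest protocol version the client offers

def classify_client_hello(data: bytes) -> Hello:
    """Classify the first bytes a client sends on a new connection."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first record")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 15-bit length, msg type 1 (CLIENT-HELLO), version,
        # then the lengths of cipher specs, session id and challenge.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        ver, cs_len, sid_len, ch_len = struct.unpack_from(">HHHH", data, 3)
        if cs_len % 3 or rec_len != 9 + cs_len + sid_len + ch_len:
            raise ValueError("inconsistent SSLv2 hello lengths")
        framing = "SSLv2"
    elif data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS framing: handshake record carrying a ClientHello; client_version
        # follows the 5-byte record header and 4-byte handshake header.
        (ver,) = struct.unpack_from(">H", data, 9)
        framing = "TLS"
    else:
        raise ValueError("not a ClientHello")
    return Hello(framing, VERSIONS.get(ver, hex(ver)))

def is_v2_compatible_hello(h: Hello) -> bool:
    """True when SSLv2 framing is only a wrapper around a newer offered version."""
    return h.framing == "SSLv2" and h.offered != "SSLv2"

# Constructed sample packets: one cipher spec (00 00 2f), zeroed challenge/random.
V2_COMPAT_HELLO = (bytes([0x80, 0x1C, 0x01]) + struct.pack(">HHHH", 0x0301, 3, 0, 16)
                   + bytes.fromhex("00002f") + bytes(16))
TLS_HELLO = (bytes.fromhex("160301002d" "01000029" "0301") + bytes(32)
             + bytes.fromhex("00" "0002002f" "0100"))

if __name__ == "__main__":
    for name, pkt in (("v2-compatible", V2_COMPAT_HELLO), ("tls", TLS_HELLO)):
        print(name, classify_client_hello(pkt))
```

A hello reported as SSLv2 framing with TLSv1.0 offered means the client library still has SSLv2 enabled for the handshake wrapper, which is the setting the no-ssl2 rebuild removes.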