Hello,
I tried to follow your procedure, but I saw that I don't have the same folders.
That made me realize that I forgot to mention an important point concerning my
problem:
the Debian distribution I use is not on a PC; it is an embedded
one. It is a Qt project (also an old version of course, version 4.7).
I made some new tests today and it seems that there is only one case in
which the SSLv2 Client Hello packet is sent.
It happens on a SOAP call in a PHP scripting file.
Thus I have to see how to constrain this SOAP call not to use the SSLv2
protocol.
I guess that the PHP library used is also an old one; I have to check this.
When this piece of code is not called, Client Hello packets are correctly sent
with the TLSv10 protocol.
Best Regards,
On 07/08/2020 at 18:33, Dan Kegel wrote:
Suggestion: get the source for the exact same version of openssl your
system uses, and rebuild it with sslv2 disabled.
e.g.
sudo apt install build-essential devscripts
sudo apt build-dep openssl
mkdir tmp
cd tmp
apt source openssl
cd openssl-*
gedit debian/rules # see below
debuild -b -uc -us
cd ..
sudo apt install ./*.deb   # the ./ makes apt treat these as local files, not package names
While editing debian/rules in gedit, change the line
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
to add the no-ssl2 argument, or something like that. See
https://wiki.openssl.org/index.php/Compilation_and_Installation
But be careful! You probably want to have the original system .deb
files for its openssl in an origopenssl dir
so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when
this breaks.
- Dan
On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.m...@gmail.com> wrote:
Thank you very much Kyle for your quick and clear answer.
The reason why I want to upgrade OpenSSL version, is that I
encounter a problem with 1 frame exchange between client and server.
This frame is the first packet sent from client to server (Client
Hello Packet) and the protocol used for this packet is SSLv2.
I don't understand why, because I force the use of TLSv1 (in
ssl.conf file as in application software), but only for this first
exchange packet, SSLv2 is used. All other packets are well using
TLSv10 as configured.
I have also searched for forcing the use of TLSv10 ciphers in
OpenSSL configuration and in application software, but I didn't
succeed doing so.
That's why I had the idea of upgrading the OpenSSL version to avoid the
use of the SSLv2 protocol.
Thus, if you have any idea of how to solve my problem without
upgrading the OpenSSL version or Linux distribution, it would be very
nice.
Thank you in advance for your answer.
Best Regards,
On 05/08/2020 at 22:10, Kyle Hamilton wrote:
It is never recommended to upgrade your distribution's version of
OpenSSL with one you compile yourself. Doing so will often break
all software installed by the distribution that uses it.
If you need functionality from newer versions of OpenSSL, your
options are to upgrade your OS version, or to install a local
copy of OpenSSL and manually compile and link local copies of the
applications that need the newer functionality.
(Newer versions of OpenSSL do not maintain the same Application
Binary Interface (ABI), which means that binaries compiled
against older versions will not correctly operate or dynamically
link against newer libraries. Also, distributions such as Debian
can modify the ABI in such a way that nothing distributed
directly by openssl.org can be compiled to
meet it without source code modification.)
-Kyle H
On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.m...@gmail.com> wrote:
Hello,
I'm using an old version of OpenSSL (0.9.8g) on an old Linux Debian
distribution (Lenny).
Is it possible to upgrade OpenSSL version without upgrading Linux Debian
distribution?
If yes, up to which version of OpenSSL?
Are all versions of OpenSSL compliant with all Linux Debian
distribution?
Thank you in advance for your answer.
Best Regards,
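
Added example, not part of the original thread or of any poster's code: a small Python classifier for the first bytes a client sends, to check whether the PHP SOAP call discussed above emits an SSLv2-format Client Hello and which protocol version that hello actually offers. It goes slightly beyond the thread by separating record format from offered version, following the SSLv2-compatible hello layout in RFC 2246 Appendix E; the function name and both sample byte strings are constructed for illustration.

```python
import struct

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(payload: bytes) -> dict:
    """Report record format, offered version and any SSLv2-only cipher kinds."""
    if len(payload) < 11:
        raise ValueError("too short to hold a Client Hello")
    # SSLv2 record: 2-byte header with the high bit set, then msg type 1.
    if payload[0] & 0x80 and payload[2] == 0x01:
        rec_len = struct.unpack(">H", payload[:2])[0] & 0x7FFF
        major, minor, spec_len, sid_len, chal_len = struct.unpack(
            ">BBHHH", payload[3:11])
        specs = payload[11:11 + spec_len]
        if (rec_len != 9 + spec_len + sid_len + chal_len
                or spec_len % 3 or len(specs) != spec_len):
            raise ValueError("inconsistent SSLv2 Client Hello lengths")
        # Cipher specs are 3 bytes each; a nonzero first byte marks an
        # SSLv2 cipher kind, a zero first byte wraps an SSLv3/TLS suite.
        v2_kinds = [specs[i:i + 3].hex()
                    for i in range(0, spec_len, 3) if specs[i] != 0]
        return {"format": "SSLv2",
                "offers": VERSIONS.get((major, minor), "unknown"),
                "sslv2_ciphers": v2_kinds}
    # SSLv3/TLS record: type 0x16 (handshake), major 3, handshake type 1.
    if payload[0] == 0x16 and payload[1] == 3 and payload[5] == 0x01:
        return {"format": "TLS",
                "offers": VERSIONS.get((payload[9], payload[10]), "unknown"),
                "sslv2_ciphers": []}
    raise ValueError("not a Client Hello")

# Constructed sample: SSLv2-format hello that offers TLSv1.0 and lists one
# TLS suite (00002f) plus one SSLv2 cipher kind (010080), 16-byte challenge.
SSLV2_COMPAT_HELLO = bytes.fromhex("801f0103010006000000100" "0002f010080") + bytes(16)
# Constructed sample: plain TLSv1.0 Client Hello with a single suite.
TLS10_HELLO = (bytes.fromhex("160301002d010000290301") + bytes(32)
               + bytes.fromhex("000002002f0100"))

if __name__ == "__main__":
    for name, pkt in (("soap call", SSLV2_COMPAT_HELLO), ("other", TLS10_HELLO)):
        print(name, classify_client_hello(pkt))
```

Feed it the TCP payload of the first client packet from a capture; an empty `sslv2_ciphers` list together with `format` equal to `TLS` is the result to aim for after reconfiguring the client.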