penguins_rule asked:
Upgrade openssl 1.0.0 to version supporting TLS1.2

Is it possible to upgrade OpenSSL 1.0.0-fips to a version which can support TLS 1.2 on my server?

Currently running Red Hat Enterprise Linux Server 6.4 with kernel 2.6.32-358.el6.x86_64.
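Before choosing an upgrade path it helps to know two things: whether the installed libssl can speak TLS 1.2 at all, and which protocol versions the remote API actually accepts. The script below is an added example, not code from this thread or from Red Hat. It assumes Python 3.7 or newer; the `openssl version` banners fed to `parse_openssl_version` are constructed test strings, and the host passed to `probe_server` is whatever endpoint you need to reach (it is the only part that needs network access). The cut-off it encodes, TLS 1.2 arriving with the OpenSSL 1.0.1 series, is the documented OpenSSL history; the 1.0.0 line stops at TLS 1.0.

```python
import re
import socket
import ssl

# OpenSSL added TLS 1.1 and TLS 1.2 in the 1.0.1 series; anything older
# (the 1.0.0-fips build in the question included) tops out at TLS 1.0.
TLS12_MIN_OPENSSL = (1, 0, 1)

# Versions to try, newest first.  The old ones are only here so the probe can
# show that a legacy peer *still* accepts them.
PROBE_VERSIONS = (
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
)


def parse_openssl_version(banner):
    """Turn an 'openssl version' banner (or ssl.OPENSSL_VERSION) such as
    'OpenSSL 1.0.0-fips 29 Mar 2010' into a (major, minor, fix) tuple.
    Letter suffixes (1.0.1e) and the -fips tag are ignored on purpose."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % (banner,))
    return tuple(int(x) for x in m.groups())


def openssl_supports_tls12(banner):
    """True if the library described by the banner can negotiate TLS 1.2."""
    return parse_openssl_version(banner) >= TLS12_MIN_OPENSSL


def local_tls_support():
    """What the libssl that *this* Python interpreter is linked against can do."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }


def tls12_only_context():
    """Client context that refuses to fall back below TLS 1.2.  Pass it to the
    HTTPS POST, e.g. urllib.request.urlopen(req, context=tls12_only_context()),
    so a downgrade surfaces as a handshake error instead of a silent TLS 1.0 session."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_server(host, port=443, timeout=5.0):
    """Handshake with host pinned to one protocol version at a time and report
    what the peer accepted (None = refused, or not available in the local libssl).
    Same idea as running openssl s_client -connect host:port with
    -tls1_2 / -tls1_1 / -tls1 one after another."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version()
        except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
            results[name] = None
    return results


if __name__ == "__main__":
    import sys
    print(local_tls_support())
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]))
```

On the RHEL box itself, `rpm -q openssl` or `openssl version` gives the banner to feed into `parse_openssl_version`; run the probe from a machine with a current libssl if the old one cannot even attempt TLS 1.2.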
Nick Upson:

Yes, you probably need to update to 6.10 to do it.
penguins_rule (asker):

Can TLS 1.0 run on my current server configuration? What would be required to update?

David Favor:

Better to take a different line of thought.

1) TLSv1.0 + TLSv1.1 have been deprecated for some time now.

2) Eventually all browsers will likely return a suspicious-site warning (dev channel conversations) for any site running #1.

3) PayPal + most payment gateways now quietly block any site running #1 from initiating any transaction. Errors are quiet, obscure, near impossible to debug.

4) Many banks are transitioning now too.

5) Most browser projects have announced they are dropping #1 support completely from their browsers.

So the real question relates to what your site does + type of visitors.

If this is a public site, meant to handle normal HTTPS traffic for many years to come, it's time to upgrade to RHEL 8 or Ubuntu Focal.

Running an old 2.6.X kernel will begin to drain massive time out of your day over the coming years, dealing with similar problems.
Dr. Klahn:

David is 100% correct. The amount of time needed to build OpenSSL from scratch, and then update everything which uses SSL, is not worth the effort. I did it back in January when I had no choice because the target system runs on a Pogoplug and no newer releases are available. I got away with it because only ssh, sftp and Apache face the internet on that system.

At a minimum it would be necessary to rebuild ssh, sftp, Apache and whatever email client is in use. That means downloading source for all of them (5 minutes), and then trying to coax them to build (20 eight-hour days).

And if you miss even one utility linked against OpenSSL, chaos will ensue, because executables expect version X and if only version Y is present, anything from an error message to a kernel halt can be expected.

Chaos will ensue anyway, because the version of OpenSSL built from the kit does not end up in the locations where the Linux distribution keeps and expects it. Rebuilding utilities then means finding out what magic switches must be specified to say "use the new SSL and not the old one", e.g. "--with-open-ssl=/usr/lib --use-ssl-dynamic-link --prefer-newer-ssl" and so on. And those are different for each utility's build kit.

It just is not worth the effort. Bring up a newer distribution.
Aside: expanding Dr. Klahn's OpenSSL source-building notes...

Remember, going from OpenSSL 1.0.0x to 1.1.0x will require far more than just building OpenSSL from source.

You'll also have to rebuild all code using OpenSSL from the latest source too, like Apache + PHP (maybe) + curl/wget/httrack + MariaDB/MySQL...

Because 1.1.1x changes the internal APIs, just building OpenSSL + using a trick like LD_LIBRARY_PATH or relinking will fail, with code accessing OpenSSL doing a hard abort.

So if you build from source, you'll be rebuilding OpenSSL along with all OpenSSL-dependent software.
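Both Dr. Klahn's warning about "missing even one utility linked against OpenSSL" and the aside's point that an LD_LIBRARY_PATH trick fails come down to one thing the dynamic loader checks: the soname recorded in each binary's DT_NEEDED entries. An inventory of those entries, taken before anything is replaced, tells you exactly which executables and libraries will break. The script below is an added example for that inventory, not code from this thread or from any distribution; it reads the ELF section headers directly so it needs nothing beyond the Python standard library. The sonames it matches on (`libssl.so`, `libcrypto.so` prefixes; the `libssl.so.10` and `libcrypto.so.10` values in the test are constructed) and the directory list in the `__main__` block are assumptions you should adjust for your own system.

```python
import os
import struct

SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED = 0, 1

# Layouts from the ELF specification; ehdr field 6 is e_shoff, 11 is
# e_shentsize, 12 is e_shnum.  shdr fields: 1 = sh_type, 4 = sh_offset,
# 5 = sh_size, 6 = sh_link (index of the string table for .dynamic).
ELF64 = ("16sHHIQQQIHHHHHH", "IIQQQQIIQQ", "qQ")
ELF32 = ("16sHHIIIIIHHHHHH", "IIIIIIIIII", "iI")


def needed_from_bytes(data):
    """Return the DT_NEEDED sonames of an ELF image, i.e. the exact library
    file names the loader must find at run time.  Static binaries and files
    without a .dynamic section return [].  (A binary whose section headers were
    stripped with sstrip would need the PT_DYNAMIC program-header route instead.)"""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ehdr_fmt, shdr_fmt, dyn_fmt = ELF64 if data[4] == 2 else ELF32
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    sections = [struct.unpack_from(end + shdr_fmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]
        str_off, str_size = strtab[4], strtab[5]
        entsize = struct.calcsize(end + dyn_fmt)
        for off in range(sh[4], sh[4] + sh[5], entsize):
            tag, val = struct.unpack_from(end + dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                name = data[str_off + val:str_off + str_size].split(b"\0", 1)[0]
                needed.append(name.decode("ascii", "replace"))
    return needed


def needed_libraries(path):
    """DT_NEEDED sonames of the file at path."""
    with open(path, "rb") as f:
        return needed_from_bytes(f.read())


def scan_for_consumers(dirs, prefixes=("libssl.so", "libcrypto.so")):
    """Walk dirs and group every ELF file by the libssl/libcrypto soname it
    needs.  Two different sonames in the result (say libssl.so.10 and
    libssl.so.1.1) means two incompatible library generations must coexist;
    a soname with no matching file on disk means those binaries will not start."""
    by_soname = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                try:
                    libs = needed_libraries(p)
                except (OSError, ValueError, struct.error, IndexError):
                    continue            # not ELF, unreadable, or malformed
                for lib in libs:
                    if lib.startswith(prefixes):
                        by_soname.setdefault(lib, []).append(p)
    return by_soname


if __name__ == "__main__":
    # Assumed search roots for a RHEL-style layout; adjust for your system.
    for soname, users in sorted(scan_for_consumers(
            ["/usr/bin", "/usr/sbin", "/usr/lib64", "/usr/libexec"]).items()):
        print("%s: %d files, e.g. %s" % (soname, len(users), users[:3]))
```

Run it once before the rebuild to get the list of everything that must be rebuilt or relinked, and again afterwards: anything still recorded against the old soname is a binary that will fail to load the moment the old library is removed, which is the failure mode the two posts above describe.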
penguins_rule (asker):

Thank you all for weighing in. The server is only used to access an API with a POST command to verify and standardize addresses. That company stopped providing the service. To use the USPS API requires TLS 1.0 as a minimum for a few months, then requires TLS 1.2. I was looking for an easy way to upgrade our SSLv3 to TLS 1.x so I can continue running. Eventually we are looking at getting a new server.

I appreciate any further information I can convey to management about updating our current server, or the need for immediately going to a new server.

You should be able to do "yum update" to get to version 6.10; take a backup / image first.
Asker-certified solution: David Favor (the accepted answer's text is not shown on this page).