Upgrade openssl 1.0.0 to version supporting TLS1.2
Is it possible to upgrade OpenSSL 1.0.0-fips to a version which can support TLS1.2 on my server?
currently running RedHat Enterprise Server 6.4
with kernel 2.6.32-358.el6.x86_64
currently running RedHat Enterprise Server 6.4
with kernel 2.6.32-358.el6.x86_64
Nick Upson
yes, you probably need to update to 6.10 to do it
ASKER
can TLS1.0 run on my current server configuration? What would be required to update?
Better to take a different line of thought.
1) TLSv1.0 + TLSv1.1 have been deprecated for some time now.
2) Eventually all browsers will likely return a suspicious site warning (dev channel conversations) for any sit running #1.
3) PayPal + most Payment gateways now quietly block any site running #1 from initiating any transaction. Errors are quiet, obscure, near impossible to debug.
4) Many Banks are transitioning now too.
5) Most browser projects have announced their dropping of #1 support completely from their browsers.
So the real question relates to what your site does + type of visitors.
If this is a public site, meant to handle normal HTTPS traffic for many years to come, it's time to upgrade to RHEL 8 or Ubuntu Focal.
Running an old 2.6.X Kernel will begin to drain massive time out of your day over the coming years, dealing with similar problems.
1) TLSv1.0 + TLSv1.1 have been deprecated for some time now.
2) Eventually all browsers will likely return a suspicious site warning (dev channel conversations) for any sit running #1.
3) PayPal + most Payment gateways now quietly block any site running #1 from initiating any transaction. Errors are quiet, obscure, near impossible to debug.
4) Many Banks are transitioning now too.
5) Most browser projects have announced their dropping of #1 support completely from their browsers.
So the real question relates to what your site does + type of visitors.
If this is a public site, meant to handle normal HTTPS traffic for many years to come, it's time to upgrade to RHEL 8 or Ubuntu Focal.
Running an old 2.6.X Kernel will begin to drain massive time out of your day over the coming years, dealing with similar problems.
David is 100% correct. The amount of time needed to build OpenSSL from scratch, and then update everything which uses SSL, is not worth the effort. I did it back in January when I had no choice because the target system runs on a Pogoplug and no newer releases are available. I got away with it because only ssh, sftp and Apache face the internet on that system.
At a minimum it would be necessary to rebuild ssh, sftp, Apache and whatever email client is in use. That means downloading source for all of them (5 minutes), and then trying to coax them to build (20 eight-hour days.)
And if you miss even one utility linked against openSSL chaos will ensue because executables expect version X and if only version Y is present, anywhere from an error message to a kernel halt can be expected.
Chaos will ensue anyway, because the version of openSSL built from the kit does not end up in the locations where the linux distribution keeps and expects it. Rebuilding utilities then means finding out what magic switches must be specified to say "Use the new SSL and not the old one", e.g. "--with-open-ssl=/usr/lib --use-ssl-dynamic-link --prefer-newer-ssl" and so on. And those are different for each utility's build kit.
It just is not worth the effort. Bring up a newer distribution.
At a minimum it would be necessary to rebuild ssh, sftp, Apache and whatever email client is in use. That means downloading source for all of them (5 minutes), and then trying to coax them to build (20 eight-hour days.)
And if you miss even one utility linked against openSSL chaos will ensue because executables expect version X and if only version Y is present, anywhere from an error message to a kernel halt can be expected.
Chaos will ensue anyway, because the version of openSSL built from the kit does not end up in the locations where the linux distribution keeps and expects it. Rebuilding utilities then means finding out what magic switches must be specified to say "Use the new SSL and not the old one", e.g. "--with-open-ssl=/usr/lib --use-ssl-dynamic-link --prefer-newer-ssl" and so on. And those are different for each utility's build kit.
It just is not worth the effort. Bring up a newer distribution.
Aside: Expanding Dr. Klahn's OpenSSL source building notes...
Remember, going from OpenSSL 1.0.0x to 1.1.0x will require far more than just building OpenSSL from source.
You'll also have to rebuild all code using OpenSSL from latest source too, like Apache + PHP (maybe) + curl/wget/httrack + MariaDB/MySQL...
Because 1.1.1x changes the internal APIs, so just building OpenSSL + using a trick like LD_LIBRARY_PATH or relinking, will fail with code accessing OpenSSL doing a hard abort.
So if you build from source, you'll be OpenSSL software along with all OpenSSL dependent software.
Remember, going from OpenSSL 1.0.0x to 1.1.0x will require far more than just building OpenSSL from source.
You'll also have to rebuild all code using OpenSSL from latest source too, like Apache + PHP (maybe) + curl/wget/httrack + MariaDB/MySQL...
Because 1.1.1x changes the internal APIs, so just building OpenSSL + using a trick like LD_LIBRARY_PATH or relinking, will fail with code accessing OpenSSL doing a hard abort.
So if you build from source, you'll be OpenSSL software along with all OpenSSL dependent software.
ASKER
Thank you all for weighing in. The server only is used to access an API with POST command to verify and standardize addresses. That company stopped providing the service. To use the USPS API requires TLS 1.0 as a minimum for a few months, then requires TLS 1.2. I was looking for an easy way to upgrade our SSLv3 to TLS1.x so I can continue running. Eventually we are looking at getting a new server.
I appreciate any further information I can convey to management about updating our current server, or the need for immediately going to a new server.
I appreciate any further information I can convey to management about updating our current server, or the need for immediately going to a new server.
you should be able to do "yum update" to get to version 6.10, take a backup / image first
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.