2

I have a single-board computer with a 64-bit ARM CPU and the AES instruction set. The provided image of Debian 8 Jessie Mate Desktop uses an OpenSSL 1.0.1k build that can't use that acceleration.

I've built OpenSSL 1.0.2n from source with that acceleration enabled and installed it to /usr/local.

This answer explains how to access it from the command line, which works fine, but how do I force all programs and daemons to use this /usr/local version?

The original OpenSSL package can't be uninstalled because of dependencies (= no symlinking). So what's the correct way of coexisting these two and using the one from /usr/local?

Note: I'm aware of my responsibility of keeping the /usr/local OpenSSL updated.

user681768917
  • 123

2 Answers

1

Are you sure applications aren't already using it? If you check the output of ldconfig -v, which OpenSSL library is shown first in the output?

By default Debian-based systems (and I'm sure most other Linux systems that follow the FHS) search /usr/local/lib for libraries before searching /usr/lib. This means that any OpenSSL-using applications that you've started since installing your own custom version should be using it ahead of the version in /usr/lib.

You can confirm this by using ldd on a binary linked against OpenSSL. For example:

$ ldd /usr/sbin/nginx
...
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fd50f80b000)
...

Note the path of libssl - that's the version it'll use, even if multiple copies are on the system.

If your custom version of OpenSSL is in a directory below /usr/local/lib (e.g., /usr/local/lib/ssl) and you see that it isn't being found by ld, you can add that directory to a new file in /etc/ld.so.conf.d and re-run ldconfig (be sure to use the -v option so that it displays the names of all the libraries in the defined search paths).

mjturner
  • 7,300
0

To force using any library present in /usr/local, the environment variable LD_LIBRARY_PATH can be used as follows:

export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:/usr/lib

This can be verified with

ldd /usr/bin/target-application
ldd /usr/bin/target-application | grep ssl
export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:/usr/lib
ldd /usr/bin/target-application
ldd /usr/bin/target-application | grep ssl

After setting LD_LIBRARY_PATH and verification, when we start the application (from the same shell) it will be using the library located at /usr/local.

Also, another environment variable we can use is LD_PRELOAD if the target application is still using the wrong libraries.

Alternatively, if the targeted application is built from source, it can be linked to the targeted library at build time. Here is an example of how to build an application against a different OpenSSL version installed in /usr/local (this was tested with PHP and Openwall John vs OpenSSL v1.1.1x):

./configure --with-openssl=/usr/local CFLAGS=-I/usr/local/include \
LDFLAGS=-L/usr/local/lib64 LIBS="-lpthread" \
OPENSSL_LIBS="-L/usr/local/lib64 -l:libssl.a -l:libcrypto.a -ldl -lpthread" \
OPENSSL_CFLAGS="-I/usr/local/include"

intika
  • 14,406
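
An added example, not part of either answer: ldd reports what the loader would resolve in the environment of the shell it is run from, while a daemon that is already running can be checked through the library paths in /proc/<pid>/maps. The sketch below classifies such a listing; the function names and the sample map lines are constructed for illustration.

```shell
#!/bin/sh
# Classify which OpenSSL shared objects a process has mapped.
# Input on stdin: the text of /proc/<pid>/maps (the pathname is field 6).

# Print the unique libssl/libcrypto paths found in the listing.
openssl_paths() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# "local"  : every mapped OpenSSL object lives under /usr/local
# "system" : at least one comes from elsewhere (including a mixed pair)
# "none"   : nothing mapped, e.g. a binary linked against libssl.a
classify_openssl() {
    paths=$(openssl_paths)
    [ -n "$paths" ] || { echo none; return 0; }
    if printf '%s\n' "$paths" | grep -qv '^/usr/local/'; then
        echo system
    else
        echo local
    fi
}

# Constructed sample: libssl from /usr/local but libcrypto from the distro.
sample_mixed_maps() {
    cat <<'EOF'
00400000-00452000 r-xp 00000000 b3:02 1234   /usr/sbin/nginx
7f8a1c000000-7f8a1c060000 r-xp 00000000 b3:02 5678   /usr/local/lib/libssl.so.1.0.0
7f8a1c400000-7f8a1c5d0000 r-xp 00000000 b3:02 9012   /usr/lib/aarch64-linux-gnu/libcrypto.so.1.0.0
EOF
}

# Constructed sample: both objects resolved from /usr/local.
sample_local_maps() {
    cat <<'EOF'
00400000-00452000 r-xp 00000000 b3:02 1234   /usr/sbin/nginx
7f8a1c000000-7f8a1c060000 r-xp 00000000 b3:02 5678   /usr/local/lib/libssl.so.1.0.0
7f8a1c060000-7f8a1c070000 rw-p 00060000 b3:02 5678   /usr/local/lib/libssl.so.1.0.0
7f8a1c400000-7f8a1c5d0000 r-xp 00000000 b3:02 5679   /usr/local/lib/libcrypto.so.1.0.0
EOF
}

echo "mixed sample: $(sample_mixed_maps | classify_openssl)"
echo "local sample: $(sample_local_maps | classify_openssl)"
# On a live system: classify_openssl < /proc/<pid>/maps
```

Reading another user's /proc/<pid>/maps normally requires root, and a daemon started before the library change keeps its old mapping until it is restarted.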