No. That won't work. Most likely your stunnel 5.x will segfault. Even if it finds the OpenSSL 0.9.8 so library, it won't find required symbols there.

Saludos
Jose Alfredo Diaz

> On Apr 19, 2017, at 10:20 AM, Kenway Ng <[email protected]> wrote:
>
> So let's say I was able to compile stunnel 5.x with openssl 1.02 on a brand
> new box RH6. Could I take the newly compiled version of stunnel 5.x and use
> it on my RH5 box that is currently running 0.98 openssl? Will that work?
>
>> On Fri, Apr 14, 2017 at 9:56 AM, Josealf.rm <[email protected]> wrote:
>> I backported the redhat/centos 6.x OpenSSL rpm package to 5.x. It is running
>> fine on centos 5 32bits. I can provide you the source rpm and you can
>> recompile on your 64-bit OS.
>>
>> Saludos
>> Jose Alfredo Diaz
>> Cerrejón
>>
>>> On Apr 13, 2017, at 5:08 PM, Rob Lockhart <[email protected]> wrote:
>>>
>>> One more good link:
>>> https://wiki.openssl.org/index.php/Compilation_and_Installation
>>> Be sure to read the parts about the --prefix and --openssldir compiler
>>> directives. The FIPS mode puts restrictions on some keys (prohibiting weak
>>> ones), but IIRC you can do the same with proper config files too.
>>>
>>> Good luck!
>>>
>>>> On Thu, Apr 13, 2017 at 5:32 PM, Kenway Ng <[email protected]> wrote:
>>>> Thanks Rob. Appreciate the information.
>>>>
>>>>> On Thu, Apr 13, 2017, 4:28 PM Rob Lockhart <[email protected]> wrote:
>>>>> According to this:
>>>>> https://access.redhat.com/support/policy/updates/errata
>>>>>
>>>>> RHEL5 is out of support as of 3/31/2017 for patches, except for security
>>>>> patching. No new features will be added to RHEL5, to include TLS v1.1
>>>>> support (requires OpenSSL 1.0.x).
>>>>>
>>>>> First compile OpenSSL 1.0.2 (in a different path), then compile Stunnel
>>>>> (5.41) using the /usr/local for the prefix (per previous links), and
>>>>> perhaps some other switches too (based on info from those URLs).
>>>>>
>>>>> From the links I found, you can have multiple versions of OpenSSL, but
>>>>> you have to link to one when compiling Stunnel. The one you choose when
>>>>> compiling Stunnel will want to be the newer one you compiled. IMHO, I
>>>>> would migrate your RHEL5 to RHEL6 or RHEL7, but that may be considerably
>>>>> more difficult than just compiling OpenSSL and Stunnel.
>>>>>
>>>>> -Rob
>>>>>
>>>>>> On Thu, Apr 13, 2017 at 4:15 PM, Kenway Ng <[email protected]> wrote:
>>>>>> Please let me know if I am completely off. The version of openssl we
>>>>>> are running is 0.9.8e-fips-rhel5 01 Jul 2008. So if we want version
>>>>>> TLS1.1+ then we need to recompile the STUNNEL src with an updated
>>>>>> version of openssl we are running on our server. Something higher than
>>>>>> 0.9.8. Is that right? Is it possible to find a version that was
>>>>>> already compiled with a higher version of openssl?
>>>>>>
>>>>>>> On Wed, Apr 12, 2017 at 5:49 PM, Rob Lockhart <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> On Wed, Apr 12, 2017 at 5:22 PM, Kenway Ng <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I am trying to upgrade our version of stunnel. Our SME left and now I
>>>>>>>> am trying to upgrade stunnel to fix a vulnerability. I am being told
>>>>>>>> to use TLS1.1 or higher
>>>>>>>>
>>>>>>>> $ ./stunnel -version
>>>>>>>>
>>>>>>>> stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5
>>>>>>>> 01 Jul 2008
>>>>>>>>
>>>>>>>> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>>>>>>>>
>>>>>>>
>>>>>>> I don't have RHEL5 64-bit but these links may help:
>>>>>>>
>>>>>>> https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/
>>>>>>>
>>>>>>> http://serverfault.com/questions/296765/cannot-find-ssl-libraries-when-configuring-stunnel
>>>>>>>
>>>>>>> These links involve re-compiling OpenSSL and Stunnel, in that order. I
>>>>>>> would opt for OpenSSL 1.0.2k (latest as of 20170412) since 1.0.1 and
>>>>>>> below are all EOL as of 12/31/2016. OpenSSL 0.9.8 supports only TLS
>>>>>>> v1.0, whereas OpenSSL 1.0.1 supports TLS v1.0, v1.1 and v1.2.
>>>>>>>
>>>>>>> -Rob
>>>>>
>>>>> _______________________________________________
>>>>> stunnel-users mailing list
>>>>> [email protected]
>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
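
The check this thread keeps coming back to (which OpenSSL a stunnel binary reports, and whether that version can negotiate TLS 1.1 or higher), as an added shell example that is not part of the original messages. The function names and the second banner are constructed for illustration; the 1.0.1 cut-off is the one stated in the thread.

```shell
#!/bin/sh
# Added example: decide from a `stunnel -version` banner line whether the
# OpenSSL it reports can negotiate TLS 1.1+ (OpenSSL 1.0.1 or later).

# Print the numeric OpenSSL version (e.g. 0.9.8) found in a banner line.
banner_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if version x.y.z is at least 1.0.1; fail for older releases.
supports_tls11() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split x.y.z into $1 $2 $3
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10001 ]
}

# Print a verdict for one banner line: exit 0 = OK, 1 = TLS 1.0 only,
# 2 = no OpenSSL version could be parsed from the line.
audit_banner() {
    ver=$(banner_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no OpenSSL version in banner"
        return 2
    fi
    if supports_tls11 "$ver"; then
        echo "OK: OpenSSL $ver can negotiate TLS 1.1+"
    else
        echo "FAIL: OpenSSL $ver is limited to TLS 1.0"
        return 1
    fi
}

# Sample input: the banner quoted in the thread, and a constructed banner
# for a hypothetical rebuild against OpenSSL 1.0.2k.
OLD_BANNER='stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'
NEW_BANNER='stunnel 5.41 on x86_64-unknown-linux-gnu with OpenSSL 1.0.2k 26 Jan 2017'

audit_banner "$OLD_BANNER" || true
audit_banner "$NEW_BANNER"
```

To audit an installed binary, pass `audit_banner` the first line that `stunnel -version` prints, capturing stderr as well as stdout.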
