
OpenSSL on Oracle Solaris 11.3

As with Solaris 11.2, Solaris 11.3 delivers two versions of OpenSSL: the non-FIPS 140 version
(default) and the FIPS 140 version. Both are based on OpenSSL 1.0.1o (as of July 7th, 2015).

There are no major features added to Solaris 11.3 OpenSSL; however,
there are a couple of things that I would like to note.

EOL SSLv2 Support

The SSLv2 protocol has been known to have issues for a while. Therefore, we
have decided it's about time to remove SSLv2 support from Solaris
OpenSSL. This should not be an issue for most applications out there, as
nobody should be using the SSLv2 protocol these days. If your application
still does, please consider moving on to the more secure TLS protocols.

With Solaris 11.3, SSLv2 entry points are replaced with stub functions,
and they are declared 'deprecated'.  Thus, if you are building an
application which has references to the SSLv2 entry points, be prepared
to see some compiler warnings like:

        warning:  "SSLv2_client_method" is deprecated, declared in : "/usr/include/openssl/ssl.h", line 2035

Now, some of you may wonder: why are we not removing SSLv3 from Solaris
OpenSSL as well?

Unfortunately, there are some third-party applications which still only
support the SSLv3 protocol, so we feel that it's not time to remove
SSLv3 support from the OpenSSL library just yet. That's not to say that SSLv3
is an acceptable protocol. RFC 7568, "Deprecating Secure Sockets Layer Version 3.0",
was just published, stating that "SSLv3 MUST NOT be used. Negotiation
of SSLv3 from any version of TLS MUST NOT be permitted." Fortunately,
Oracle has already been implementing compliance with this RFC for a
while now, and most applications supported by Oracle Solaris
11.3 disable SSLv2 and SSLv3 by default. If you own an application
which only supports SSLv3, it is time to move on to the newer and more
secure protocols such as TLS 1.2. We won't be supporting the SSLv3
protocol for too much longer.
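Before SSLv3 support goes away, it helps to know which peers still ask for it. The following is an added example, not code from the original post or from Solaris OpenSSL: it reads the protocol version out of the first bytes of a handshake message so that SSLv2 and SSLv3 peers can be inventoried. The function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire version codes: SSLv2 = 0x0002, SSLv3 = 0x0300, TLS 1.0-1.2 = 0x0301-0x0303. */
enum { VER_SSL2 = 0x0002, VER_SSL3 = 0x0300 };

/* 1 if buf starts an SSLv2-format CLIENT-HELLO: a 2-byte record header
 * with the high bit set, followed by message type 1. */
int is_sslv2_format(const uint8_t *buf, size_t len)
{
    return len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01;
}

/* Version carried in a ClientHello/ServerHello, or -1 if buf is too short
 * or is not a hello. In a ClientHello this is the highest version offered;
 * in a ServerHello (up to TLS 1.2) it is the version the server selected. */
int hello_version(const uint8_t *buf, size_t len)
{
    if (is_sslv2_format(buf, len))
        return (buf[3] << 8) | buf[4];   /* version follows the message type */
    /* SSLv3/TLS: record type 0x16, record version 3.x, 2-byte length,
     * handshake type (1 or 2), 3-byte length, then the 2-byte version. */
    if (len >= 11 && buf[0] == 0x16 && buf[1] == 0x03 &&
        (buf[5] == 0x01 || buf[5] == 0x02))
        return (buf[9] << 8) | buf[10];
    return -1;
}

/* 1 if the hello carries SSLv2 or SSLv3 as its version. */
int is_legacy_hello(const uint8_t *buf, size_t len)
{
    int v = hello_version(buf, len);
    return v == VER_SSL2 || v == VER_SSL3;
}

/* Constructed sample prefixes for illustration (not captured traffic). */
static const uint8_t ssl2_hello[]   = {0x80, 0x2e, 0x01, 0x00, 0x02};
static const uint8_t ssl3_client[]  = {0x16, 0x03, 0x00, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x00};
static const uint8_t tls12_server[] = {0x16, 0x03, 0x03, 0x00, 0x31, 0x02, 0x00, 0x00, 0x2d, 0x03, 0x03};

int main(void)
{
    printf("ssl2_hello:   0x%04x legacy=%d\n", (unsigned)hello_version(ssl2_hello, sizeof ssl2_hello), is_legacy_hello(ssl2_hello, sizeof ssl2_hello));
    printf("ssl3_client:  0x%04x legacy=%d\n", (unsigned)hello_version(ssl3_client, sizeof ssl3_client), is_legacy_hello(ssl3_client, sizeof ssl3_client));
    printf("tls12_server: 0x%04x legacy=%d\n", (unsigned)hello_version(tls12_server, sizeof tls12_server), is_legacy_hello(tls12_server, sizeof tls12_server));
    return 0;
}
```

An SSLv2-format hello that offers TLS 1.0 or later is reported with the higher version, so `is_sslv2_format` is kept separate for spotting clients that still use the old framing.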

OpenSSL Thread and Fork Safety (Part 2)

With S11.2, we attempted to make OpenSSL thread and fork safe by
default.  (See "OpenSSL Thread and Fork Safety" under "OpenSSL on
Solaris 11.2".)

However, the fix apparently wasn't complete, and we needed to extend the

With Solaris 11.3 OpenSSL, the following functions are now replaced with
stub functions.  Instead of allowing other applications/libraries to
specify their own locking and thread identification callback functions,
Solaris OpenSSL now has an internal implementation of locking and thread
identification that's not visible to the API
caller.  Applications may still call those functions, but the supplied
callback functions will not be used by Solaris OpenSSL.








What does that mean for you?

OpenSSL is now thread and fork safe by default, finally.  You don't need
to make any modifications to your application or to your library.  You can
relax and have a beer or two.

That's all I have for now.


Comments ( 7 )
  • Terence Lim Monday, April 1, 2019
    How do I enable TLS1.2 on Solaris 11.3?
  • Alan Coopersmith Saturday, April 6, 2019
    There is no global switch for TLS version support in Solaris. You need to read the docs for the application or API you are using to see how to configure it for that specific code base.
  • Ajit Ranganathan Wednesday, May 29, 2019
    What is the latest version of OpenSSL supported on 11.3 - is it 1.0.2? If so, is there a plan to support OpenSSL 1.1.1 in the near future?
  • Darren J Moffat - Oracle Solaris Engineering Monday, June 17, 2019
    We're working on providing OpenSSL 1.1.x. Given the API and ABI changes and the dependencies on OpenSSL for various upstream FOSS and core Oracle Solaris components it will take a while to make sure it's complete and tested. It is likely that initially this will be a parallel delivery with 1.0.2.

    Note that any release of 1.1.x will be for the latest release of Oracle Solaris at the time, currently Oracle Solaris 11.4. We do not intend to release it for previous versions such as Oracle Solaris 11.3 or indeed Oracle Solaris 10.
  • Eduardo Sanchez Thursday, May 21, 2020
    Do you have any plan to support OpenSSL 1.1.1 in the near future, to Solaris 11.3 to 11.4?
  • Alan Coopersmith Wednesday, June 3, 2020
    Eduardo - OpenSSL 1.1.1 is available in Solaris 11.4 SRU 21 - a blog post is coming with more details on that soon. Solaris 11.3 support is winding down now and new features are not being backported to it.
  • Alan Coopersmith Thursday, July 9, 2020
    https://blogs.oracle.com/solaris/multiple-openssl-versions-on-solaris covers the addition of OpenSSL 1.1.1 alongside 1.0.2 in Solaris 11.4 SRU 21 and later.