
News, tips, partners, and perspectives for the Oracle Solaris operating system

OpenSSL on Oracle Solaris 11.3

As with Solaris 11.2, Solaris 11.3 delivers two versions of OpenSSL: the non-FIPS 140 version (default) and the FIPS 140 version. They are both based on OpenSSL 1.0.1o (as of July 7th, 2015).



There are no major features added to Solaris 11.3 OpenSSL; however,
there are a couple of things that I would like to note.


EOL SSLv2 Support



The SSLv2 protocol has had known weaknesses for a long time. Therefore, we have decided it's about time to remove SSLv2 support from Solaris OpenSSL. This should not be an issue for most applications out there, as nobody should be using SSLv2 these days. If your application still does, please consider moving on to the more secure TLS protocols.



With Solaris 11.3, the SSLv2 entry points are replaced with stub functions, and they are declared 'deprecated'. Thus, if you are building an application that references the SSLv2 entry points, be prepared to see compiler warnings like:


        warning:  "SSLv2_client_method" is deprecated, declared in : "/usr/include/openssl/ssl.h", line 2035


Now, some of you may wonder: why are we not removing SSLv3 from Solaris OpenSSL as well?


Unfortunately, some third-party applications still only support the SSLv3 protocol, so we feel that it's not time to remove SSLv3 support from the OpenSSL library just yet. That's not to say SSLv3 is an acceptable protocol. RFC 7568, "Deprecating Secure Sockets Layer Version 3.0", was just published, stating that "SSLv3 MUST NOT be used. Negotiation of SSLv3 from any version of TLS MUST NOT be permitted." Fortunately, Oracle has already been implementing compliance with this RFC for a while now, and most applications supported by Oracle Solaris 11.3 disable SSLv2 and SSLv3 by default. If you own an application which only supports SSLv3, it is time to move on to newer and more secure protocols such as TLS 1.2. We won't be supporting SSLv3 for too much longer.



OpenSSL Thread and Fork Safety (Part 2)



With S11.2, we attempted to make OpenSSL thread and fork safe by default. (See "OpenSSL Thread and Fork Safety" under "OpenSSL on Solaris 11.2".)


However, the fix apparently wasn't complete, and we needed to extend it.



With Solaris 11.3 OpenSSL, the following functions are now replaced with stub functions. Instead of allowing applications and libraries to register their own locking and thread-identification callbacks, Solaris OpenSSL now carries an internal implementation of locking and thread identification that is not visible to the API caller. Applications may still call these functions, but the supplied callbacks will not be used by Solaris OpenSSL.



      CRYPTO_set_locking_callback
      CRYPTO_set_dynlock_create_callback
      CRYPTO_set_dynlock_lock_callback
      CRYPTO_set_dynlock_destroy_callback
      CRYPTO_set_add_lock_callback
      CRYPTO_THREADID_set_callback
      CRYPTO_set_id_callback



What does that mean for you?


OpenSSL is now thread and fork safe by default, finally. You don't need to make any modification to your application nor to your library. You can relax and have a beer or two.




That's all I have for now.


Comments ( 2 )
  • Terence Lim Monday, April 1, 2019
    Hi,

    How do I enable TLS1.2 on Solaris 11.3?
  • Alan Coopersmith Saturday, April 6, 2019
    There is no global switch for TLS version support in Solaris. You need to read the docs for the application or API you are using to see how to configure it for that specific code base.
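The post's advice to SSLv3-only applications is to move to TLS 1.2, and Alan's reply above is that the protocol floor is configured per application rather than by a global Solaris switch. As an added example (not code from the post, from Oracle Solaris, or from the OpenSSL project), here is what that per-application configuration looks like in Python, whose ssl module is a wrapper over the OpenSSL library: one function builds a client context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1, and a second audits any context for the same properties. The function names and the "legacy" context are constructed for illustration; ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3 are the same bits as OpenSSL's SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 context options, and the audit treats a zero-valued option bit as "the library has dropped that protocol entirely", which is what the post describes Solaris doing for SSLv2.

```python
"""Added example (not code from the post, Oracle Solaris or the OpenSSL project):
per-application TLS protocol floor configuration plus a small audit helper.
Python's ssl module wraps the OpenSSL library, so ssl.OP_NO_SSLv2/ssl.OP_NO_SSLv3
are OpenSSL's SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 context options.
Requires Python 3.7+ for SSLContext.minimum_version."""
import ssl
from typing import List


def make_tls12_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1.

    PROTOCOL_TLS_CLIENT already turns SSLv2/SSLv3 off and requires a verified
    peer certificate with hostname checking; minimum_version sets the floor so
    a server that only offers TLS 1.0/1.1 fails the handshake instead of the
    client silently negotiating down.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()  # trust the platform CA store
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration for the audit below (hypothetical,
    not a Solaris default): no protocol floor and no certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _protocol_disabled(ctx: ssl.SSLContext, option: int) -> bool:
    """True if the SSL_OP_NO_* bit is set, or if the bit is 0, which OpenSSL
    uses when the protocol is compiled out of the library altogether."""
    return option == 0 or bool(ctx.options & option)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it meets the bar the
    post describes (SSLv2 and SSLv3 off, TLS 1.2 floor, verified peer)."""
    findings = []
    if not _protocol_disabled(ctx, ssl.OP_NO_SSLv2):
        findings.append("SSLv2 not disabled")
    if not _protocol_disabled(ctx, ssl.OP_NO_SSLv3):
        findings.append("SSLv3 not disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol is %s, want TLSv1_2"
                        % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_tls12_client_context()),
                      ("legacy", make_legacy_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The same two settings (the SSL_OP_NO_* option bits and the minimum protocol version) are what a C application sets on its SSL_CTX; an audit of a third-party application that only supports SSLv3 is therefore a question of what its own code or configuration does with them, which is why there is no single Solaris-wide knob to turn.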