On Wed, Oct 30, 2002 at 05:36:46PM +0100, Michael Bell wrote:
> David L. Zoll wrote:
> >
> > Hi, I'm working on deploying OpenCA on a Debian system, and I'm
> > really impressed with it so far. I am, however, running into a
> > stumbling block, the dependency on OpenSSL 0.9.7 (still
> > unreleased). Many Debian packages are compiled against the libssl
> > and libcrypto from 0.9.6, and by having 0.9.7-beta3 in place I
> > keep finding I have to recompile key programs (e.g. ssh and
> > apache's mod-ssl), making it difficult to use this system in a
> > production environment; security updates on this machine are
> > likely to be too time consuming with all the hand compiled
> > software.
>
> Ooops, this is not necessary. If Debian installed its OpenSSL 0.9.6
> in /usr/local/ssl (OpenSSL's default place) then simply install
> OpenSSL 0.9.7 in /usr/local/ssl-0.9.7 and set openssl-prefix during
> OpenCA's ./configure to /usr/local/ssl-0.9.7.

OK, I can do something along these lines (BTW, Debian installs its
openssl files alongside all the other packaged files:
/usr/bin/openssl, /usr/lib/libssl.so.0.9.6, etc).

> > Meanwhile, the only 0.9.7 dependency I could find mentioned on the
> > lists is a requirement for the -pubkey interface on the openssl
> > command line utility.
>
> No, there are some other issues. We use more than only this special
> new option. Also we compile some code which uses OpenSSL 0.9.7.

I was afraid that was the case. Thanks.

> > My question is this, can I safely get away with giving OpenCA a
> > statically linked openssl 0.9.7, and leave the Debian 0.9.6
> > packages in place? If none of the code directly uses new features
> > of libssl or libcrypto I would think that should be safe, and it
> > would make it much easier for me to use this software.
>
> This is not possible because we compile some programs which need
> OpenSSL 0.9.7 but you can install OpenSSL 0.9.7 in a special
> directory like described above without damaging your other software.

Hmm, I have one concern about this. If mod-ssl is compiled with
0.9.6, and OpenCA Perl scripts use 0.9.7, and they occupy the same
process, you are likely to have a problem. If I recall correctly,
this doesn't actually happen when using plain CGI, but mod-perl is on
the feature list for the next release, and I believe mod-perl does
load scripts up in the same process. I don't know for sure that there
is a problem there, but it might be worth looking into.

Regardless, thanks a lot for your help, I think this will make the
machine much more manageable.

Sincerely,

-David Zoll (Gleef)
NYS Credit Union League

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
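
A check for the situation raised in the reply above, where 0.9.6-linked and 0.9.7-linked code end up in one process. This is an added example, not part of the original message or of OpenCA; it reads /proc/<pid>/maps on Linux, and the sample mappings, paths and function names in it are constructed.

```python
import re
import sys

# Shared-object names as Debian ships them, e.g. libssl.so.0.9.6
LIB_RE = re.compile(r"/(libssl|libcrypto)\.so\.([0-9][0-9A-Za-z.]*)$")

# Constructed sample in /proc/<pid>/maps format; addresses, inodes and paths are made up.
SAMPLE_MAPS = """\
08048000-080a0000 r-xp 00000000 03:01 1101 /usr/sbin/apache
40100000-40130000 r-xp 00000000 03:01 2201 /usr/lib/libssl.so.0.9.6
40130000-40133000 rw-p 00030000 03:01 2201 /usr/lib/libssl.so.0.9.6
40140000-40210000 r-xp 00000000 03:01 2202 /usr/lib/libcrypto.so.0.9.6
40300000-40335000 r-xp 00000000 03:01 3301 /usr/local/ssl-0.9.7/lib/libssl.so.0.9.7
40340000-40420000 r-xp 00000000 03:01 3302 /usr/local/ssl-0.9.7/lib/libcrypto.so.0.9.7
40500000-40620000 r-xp 00000000 03:01 1001 /lib/libc.so.6
bfffe000-c0000000 rw-p 00000000 00:00 0
"""

def openssl_libs(maps_text):
    """Return {library: {version: path}} for every libssl/libcrypto mapping."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        if path.endswith(" (deleted)"):  # file replaced on disk, old copy still mapped
            path = path[: -len(" (deleted)")]
        match = LIB_RE.search(path)
        if match:
            found.setdefault(match.group(1), {})[match.group(2)] = path
    return found

def mixed_versions(maps_text):
    """Return {library: [versions]} for libraries mapped in more than one version."""
    libs = openssl_libs(maps_text)
    return {lib: sorted(vers) for lib, vers in libs.items() if len(vers) > 1}

if __name__ == "__main__":
    # With a PID argument, inspect that process; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open("/proc/%s/maps" % sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    for lib, vers in sorted(mixed_versions(text).items()):
        print("%s mapped in versions: %s" % (lib, ", ".join(vers)))
```

Run against the web server's PIDs after enabling mod-perl; any output means both library versions share one address space.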
