Since I haven't got any helpful answer to solve that issue, I'd like to share what I've done on it.
First you should get the tools for building software and the dependencies for OpenSSL (e.g. on Debian-like distros):
apt install build-essential make zlib1g-dev libxml2-dev
Then get the latest release of OpenSSL, verify the signature and compile it with the option enable-weak-ssl-ciphers. If you want to regain the support of obsolete SSLv3 for the GOD D**N Microsoft IE6, enable-ssl3 and enable-ssl3-method should also be appended to the compile options.
Don't forget the shared flag, or libssl.so and libcrypto.so won't be built, and use -Wl,-rpath= to tell the linker (ld) in which directory to link shared libraries.
wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
sha256sum openssl-1.0.2o.tar.gz
curl https://www.openssl.org/source/openssl-1.0.2o.tar.gz.sha256
tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o/
./config --prefix=/opt/openssl-1.0.2 \
--openssldir=/etc/ssl \
shared enable-weak-ssl-ciphers \
-Wl,-rpath=/opt/openssl-1.0.2/lib
make
make install
After that, your custom version of OpenSSL will be installed into /opt/openssl-1.0.2 (rather than overwriting the version shipped with your OS).
Your applications may also have to be re-compiled with these options to force the linker to link your custom version of the OpenSSL libraries (overriding the config from /etc/ld.so.conf or the PKGCONFIG variable):
LDFLAGS="-L/opt/openssl-1.0.2/lib -lssl -lcrypto -Wl,-rpath=/opt/openssl-1.0.2/lib"
You can also try OpenSSL 1.1.0, since most applications now support its API.
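An added example, not part of the original answer: the sha256sum and curl commands above print two digests to compare by eye, and this sketch does the comparison in the shell and fails on a mismatch. The function names and the demo files are assumptions made for illustration; the digest file stands for whatever was saved from the .sha256 URL.

```shell
#!/usr/bin/env bash
# Added example: check a downloaded tarball against a saved SHA-256 digest file.

# Print the first 64-hex-digit token on stdin, lower-cased. Accepts a bare
# digest, "digest  filename" (sha256sum) and "SHA256(file)= digest" (openssl dgst).
extract_sha256() {
    grep -oiE '(^|[^0-9a-f])[0-9a-f]{64}([^0-9a-f]|$)' | head -n 1 \
        | grep -oiE '[0-9a-f]{64}' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 when an input is missing or unparsable.
verify_sha256() {
    local file="$1" digest_file="$2" expected actual
    if [ ! -r "$file" ] || [ ! -r "$digest_file" ]; then
        echo "cannot read $file or $digest_file" >&2
        return 2
    fi
    expected=$(extract_sha256 < "$digest_file") || true
    if [ -z "$expected" ]; then
        echo "no SHA-256 digest found in $digest_file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo that runs offline: a stand-in file plays the tarball and
# its digest is written in the bare-hex format.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a release tarball\n' > "$demo_dir/pkg.tar.gz"
sha256sum "$demo_dir/pkg.tar.gz" | cut -d' ' -f1 > "$demo_dir/bare.sha256"
verify_sha256 "$demo_dir/pkg.tar.gz" "$demo_dir/bare.sha256"
```

In the build procedure it would be called as `verify_sha256 openssl-1.0.2o.tar.gz openssl-1.0.2o.tar.gz.sha256 && tar -zxvf openssl-1.0.2o.tar.gz`, so extraction only happens when the digests agree.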
Surely WinXP supports more than just 3DES? – user1686 – 2017-02-16T07:39:55.773