Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04
I've been using Ubuntu client machines for years in addition to using my Mac but only recently have I started using my Ubuntu machine to run cryptonark scans. Ubuntu's OpenSSL 1.0.1c implementation is pretty interesting in that not only does it disable SSLv2 (which seems to be fairly well-known) but it also disables TLSv1.2 for client connections (which was a bit of a surprise).
There are a few hard-to-find mailing-list articles and forum posts detailing how to enable SSLv2 on OpenSSL 1.0.1c, but the steps needed for OpenSSL 1.0.1c on Ubuntu 13.04 seem to differ slightly. I outline these steps below, along with the steps needed to re-enable TLSv1.2 client connectivity. It's obvious, but enabling SSLv2 is not something you should do unless you have a highly specific need (like running cryptonark scans!). Be mindful that Ubuntu disabled these for specific reasons, so you shouldn't be developing general-purpose applications with this kind of setup.
sudo apt-get install build-essential devscripts
sudo apt-get build-dep openssl
- In your current working directory, run apt-get source openssl. This will download the OpenSSL sources to your current working directory.
quilt pop -a, which detaches patches from the source installation.
-DOPENSSL_NO_TLS1_2_CLIENT from the line beginning with
debian/rules and remove the
no-ssl2 flag from the line beginning with
quilt push -a, which will re-apply patches to your source.
dch -n 'Enable SSLv2 and TLSv1.2 client'
debuild -uc -us
- After the build completes, cd up a level and install with sudo dpkg -i *ssl*.deb
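The debian/rules edit from the steps above, scripted so that it can be checked before starting the long build. This is an added example, not code from the original post: the function names strip_flags and flags_present and the EXAMPLE_ARGS sample line are made up for illustration, and the flags are removed from any line on which they occur.

```shell
#!/bin/sh
# Added example, not from the original post. Flags are removed wherever they
# appear as whole tokens, because the target line's name is not given above.

# flags_present FILE: succeed if either flag is still a whole token in FILE.
flags_present() {
    grep -Eq '(^|[[:space:]])(no-ssl2|-DOPENSSL_NO_TLS1_2_CLIENT)([[:space:]]|$)' "$1"
}

# strip_flags FILE: remove both flags in place and print the resulting diff.
# Returns 0 only if neither flag remains, 2 on I/O errors.
strip_flags() {
    rules=$1
    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 2; }
    bak=$(mktemp) || return 2
    cp "$rules" "$bak" || return 2
    # Writing back through a redirect keeps the mode bits of debian/rules,
    # which has to stay executable for the package build.
    sed -E \
        -e 's/(^|[[:space:]])no-ssl2([[:space:]]|$)/\1\2/g' \
        -e 's/(^|[[:space:]])-DOPENSSL_NO_TLS1_2_CLIENT([[:space:]]|$)/\1\2/g' \
        "$bak" > "$rules" || return 2
    diff -u "$bak" "$rules" >&2 || true
    rm -f "$bak"
    ! flags_present "$rules"
}

# With an argument, edit that file (debian/rules in the unpacked source tree).
# Without one, run on a constructed sample; EXAMPLE_ARGS is a placeholder name.
if [ $# -gt 0 ]; then
    strip_flags "$1"
else
    sample=$(mktemp) &&
        echo 'EXAMPLE_ARGS = no-idea no-ssl2 zlib -DOPENSSL_NO_TLS1_2_CLIENT' > "$sample" &&
        strip_flags "$sample" && echo "flags removed"
    rm -f "$sample"
fi
```

A non-zero exit status from strip_flags means one of the flags is still present and the rebuilt packages would keep the corresponding restriction.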
Once completed, I removed Net::SSLeay and IO::Socket::SSL with cpanp, then re-installed Net::SSLeay from source and IO::Socket::SSL from cpan. You should now be able to make SSLv2 connections with openssl s_client, and your Net::SSLeay-dependent Perl scripts should be able to communicate with TLSv1.2.
Finally, keep in mind that if new releases of OpenSSL are made to your Ubuntu installation, these steps will need to be repeated, and it is still too early to tell whether future releases will require additional or other changes in this process.