Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04

I've been using Ubuntu client machines for years in addition to using my Mac but only recently have I started using my Ubuntu machine to run cryptonark scans. Ubuntu's OpenSSL 1.0.1c implementation is pretty interesting in that not only does it disable SSLv2 (which seems to be fairly well-known) but it also disables TLSv1.2 for client connections (which was a bit of a surprise).

There are a few hard-to-find mailing-list articles and forum posts detailing how to enable SSLv2 on OpenSSL 1.0.1c, but the steps differ slightly for OpenSSL 1.0.1c on Ubuntu 13.04. I outline those steps below, together with the steps needed to re-enable TLSv1.2 client connectivity. It's obvious, but enabling SSLv2 is not something you should do unless you have a highly specific need (like running cryptonark scans!). Be mindful that Ubuntu disabled these for specific reasons, so you shouldn't be developing general-purpose applications with this kind of setup.

  1. Run sudo apt-get install build-essential devscripts
  2. Run sudo apt-get build-dep openssl
  3. In your current working directory, run apt-get source openssl. This will download the OpenSSL sources to your current working directory.
  4. Run cd openssl-1.0.1c
  5. Run quilt pop -a, which detaches patches from the source installation.
  6. Edit debian/patches/tls12_workarounds.patch. Remove -DOPENSSL_NO_TLS1_2_CLIENT from the line beginning with +my $debian_cflags
  7. Edit debian/rules and remove the no-ssl2 flag from the line beginning with CONFARGS
  8. Run quilt push -a, which will re-apply patches to your source.
  9. Run dch -n 'Enable SSLv2 and TLSv1.2 client'
  10. Run dpkg-source --commit
  11. Run debuild -uc -us
  12. After the build completes, cd up a level and install with sudo dpkg -i *ssl*.deb
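
The two file edits in steps 6 and 7 can be scripted so they are repeatable whenever the package is rebuilt. This is an added example, not part of the original post; the function names strip_flag and enable_protocols are hypothetical, and it assumes the file paths, line prefixes and flag names given in the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted form of steps 6 and 7.
# Run between `quilt pop -a` and `quilt push -a`.

# strip_flag FILE PREFIX FLAG
# Remove the literal FLAG (and one space before it) from every line of FILE
# that starts with PREFIX. Fails with status 3 if nothing was removed, so a
# package whose layout has changed is noticed instead of silently built as-is.
strip_flag() {
    tmp=$(mktemp) || return 1
    if awk -v prefix="$2" -v flag="$3" '
        index($0, prefix) == 1 {
            while ((i = index($0, flag)) > 0) {
                start = (i > 1 && substr($0, i - 1, 1) == " ") ? i - 1 : i
                $0 = substr($0, 1, start - 1) substr($0, i + length(flag))
                changed = 1
            }
        }
        { print }
        END { exit (changed ? 0 : 3) }
    ' "$1" > "$tmp"; then
        cat "$tmp" > "$1"   # overwrite in place; keeps the mode of debian/rules
        rc=0
    else
        rc=$?
        echo "strip_flag: '$3' not removed from $1" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# enable_protocols SRCDIR  (SRCDIR = the unpacked openssl-1.0.1c tree)
enable_protocols() {
    strip_flag "$1/debian/patches/tls12_workarounds.patch" \
        '+my $debian_cflags' '-DOPENSSL_NO_TLS1_2_CLIENT' &&
    strip_flag "$1/debian/rules" 'CONFARGS' 'no-ssl2'
}

# When invoked with a source directory argument, apply both edits.
if [ "$#" -gt 0 ]; then enable_protocols "$1"; fi
```

A non-zero exit means one of the flags was not found where the steps expect it, which is the signal to inspect the files by hand before building.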

Once completed, I removed Net::SSLeay and IO::Socket::SSL with cpanp, then re-installed Net::SSLeay from source and IO::Socket::SSL from cpan. You should now be able to make SSLv2 connections with openssl s_client and your Net::SSLeay-dependent Perl scripts should be able to communicate with TLSv1.2.

Finally, keep in mind that if new releases of OpenSSL are made to your Ubuntu installation, these steps will need to be repeated, and it is still too early to tell whether future releases will require additional or other changes in this process.


Creative Commons Attribution-ShareAlike 3.0 Unported