More on TLS and SSL
SUSE has released the “SUSE Linux Enterprise 11 Security Module”, providing enhancements to SUSE Linux Enterprise 11 SP3 which allow customers and partners to build TLS 1.2-compliant infrastructures beyond the HTTPS protocol.
Looking back …
As discussed in my earlier blog about TLS 1.2, we do not provide OpenSSL 1.x in the default packaging of SUSE Linux Enterprise 11, but suggest and support using the NSS library with Apache’s mod_nss to achieve TLS 1.2 with Perfect Forward Secrecy. This is also the reason why SUSE Linux Enterprise and our customers were, fortunately, not directly affected by the OpenSSL Heartbleed vulnerability earlier this year: the bug lives in the TLS heartbeat extension code of OpenSSL 1.0.1 through 1.0.1f, which the 0.9.8 branch shipped with SUSE Linux Enterprise 11 does not contain.
However, we learned that there are a number of customers and partners who need TLS beyond the Web/HTTPS use case. Specifically, we have been approached to support TLS 1.2-powered email environments. Postfix, the preferred secure MTA, does not work with the NSS library but requires OpenSSL.
Should we simply add a second OpenSSL library to SUSE Linux Enterprise 11?
While this sounds appealing, it would have been a dangerous path to take: people could be tempted to “mix” OpenSSL versions despite the “backward compatibility nightmare” named OpenSSL (see my last blog). Both generations export the same symbol names with different ABIs and structure layouts, so once two libcrypto versions end up in one process, symbol resolution picks one of them for everybody. In the worst case, existing applications would have crashed unexpectedly. Thus we had to deliver Postfix with a more recent OpenSSL in a way which clearly separates the new OpenSSL packages from the standard SUSE Linux Enterprise 11 packages.
In addition, we considered that more applications will request TLS 1.2. Customers and partners have their own applications they want to (re)compile and make ready for TLS 1.2. Thus we should also ship development packages for that more recent OpenSSL, again separated from the default OpenSSL, but easy to develop upon, build against and use.
OpenSSL 1.0.1g for SUSE Linux Enterprise 11
Thus we now deliver the OpenSSL 1.0.1g packages for SUSE Linux Enterprise 11 SP3+ in an independent repository called “SUSE Linux Enterprise 11 Security Module”. It is available to all customers with a SUSE Linux Enterprise Server subscription.
We adapted the default OpenSSL for a smooth installation in parallel to the new OpenSSL — at least for the runtime libraries and tools. This was done in a regular OpenSSL maintenance update earlier in 2014.
How to use it
On a SUSE Linux Enterprise Server 11 system which is registered to the Customer Center, first check whether your system already sees the SLE11-Security-Module:
# zypper lr | grep Security
16 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | No | Yes
(If this fails, please make sure your registration has been successful and the system has recently refreshed its repository list from our Customer Center.) The columns are number, alias, name, enabled and refresh; the “No” in the enabled column means the repository is known to the system but not yet enabled. Afterwards enable the Module:
# zypper mr --enable SLE11-Security-Module
Once you have installed at least the packages “libopenssl1_0_0-1.0.1g” (runtime libraries) and “openssl1-1.0.1g” (tools), the file /usr/share/doc/packages/openssl1/README.SuSE has more information on how to build with libopenssl1. There you find background on “Shadow Libraries” as part of the module, and other technical details, e.g. why you can either compile and link against 0.9.8 or against 1.0.1, but never both.
You get a runtime environment which allows you to have both libraries, OpenSSL 0.9.8 and OpenSSL 1.0.1, installed in parallel, but within a framework which helps to prevent “mixed use” within one application or development project.
You get the Postfix MTA as a fully supported application linked against OpenSSL 1.0.1. This postfix package is named
As a developer or system integrator, you will find a number of libraries, which help you to build your own applications.
Please note that adding this channel does not automatically switch existing applications to OpenSSL 1.0.1. Unless ported and rebuilt against the new development packages, they will still use the SUSE Linux Enterprise 11 OpenSSL 0.9.8j version.
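A quick way to see which OpenSSL generation a binary, or the libraries it pulls in, actually links, as an added example that is not from the SUSE post or the module's own tooling: it classifies ldd output by the sonames involved. It assumes the sonames libssl.so.0.9.8/libcrypto.so.0.9.8 for the default OpenSSL and libssl.so.1.0.0/libcrypto.so.1.0.0 for the module's OpenSSL 1.0.1 (the 1.0.1 release keeps the 1.0.0 soname, which is also why the runtime package is called libopenssl1_0_0); the sample ldd lines embedded in the script are constructed.

```sh
#!/bin/sh
# Added example (not from the SUSE post): classify which OpenSSL generation(s)
# a binary links, based on ldd output. ldd lists the transitive closure, so a
# binary rebuilt against 1.0.1 that pulls in a plugin library still linked to
# 0.9.8 shows up as MIXED, which is exactly the situation the module's
# packaging is designed to prevent.
#
# Assumed sonames:
#   libssl.so.0.9.8 / libcrypto.so.0.9.8  -> SLE 11 default OpenSSL 0.9.8j
#   libssl.so.1.0.0 / libcrypto.so.1.0.0  -> Security Module OpenSSL 1.0.1g

# classify_ldd: reads ldd output on stdin and prints one of
#   none | 0.9.8 | 1.0.1 | MIXED
classify_ldd() {
    old=0
    new=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so.0.9.8*|*libcrypto.so.0.9.8*) old=1 ;;
            *libssl.so.1.0.0*|*libcrypto.so.1.0.0*) new=1 ;;
        esac
    done
    if [ "$old" = 1 ] && [ "$new" = 1 ]; then
        echo MIXED
    elif [ "$old" = 1 ]; then
        echo 0.9.8
    elif [ "$new" = 1 ]; then
        echo 1.0.1
    else
        echo none
    fi
}

# check_binary: run ldd on a real executable or shared object and classify it.
# Returns non-zero (so it can gate a deployment script) when both OpenSSL
# generations would end up in the same process image.
check_binary() {
    result=$(ldd "$1" 2>/dev/null | classify_ldd)
    printf '%s: %s\n' "$1" "$result"
    [ "$result" != MIXED ]
}

# Constructed ldd output for the demo; paths and load addresses are made up.
SAMPLE_OLD="$(printf '\tlibssl.so.0.9.8 => /usr/lib64/libssl.so.0.9.8 (0x00007f1a00000000)\n\tlibcrypto.so.0.9.8 => /usr/lib64/libcrypto.so.0.9.8 (0x00007f1a00400000)')"
SAMPLE_NEW="$(printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f1a00000000)\n\tlibcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f1a00400000)')"
SAMPLE_MIXED="$(printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f1a00000000)\n\tlibcrypto.so.0.9.8 => /usr/lib64/libcrypto.so.0.9.8 (0x00007f1a00400000)')"

# demo: classify the three constructed samples, one line per sample.
demo() {
    printf 'OLD   -> %s\n' "$(printf '%s\n' "$SAMPLE_OLD"   | classify_ldd)"
    printf 'NEW   -> %s\n' "$(printf '%s\n' "$SAMPLE_NEW"   | classify_ldd)"
    printf 'MIXED -> %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | classify_ldd)"
}

# On a real system: check_binary /usr/sbin/postfix   (or any path).
demo
```

Because ldd resolves the whole dependency tree, running check_binary over every executable and shared object of an application you ported is a cheap sanity check that the port did not drag the old libcrypto back in through an unported helper library.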
Don’t hesitate to reach out to us with questions and ideas.
The upcoming SUSE Linux Enterprise 12 product family will include recent versions of OpenSSL, the NSS library and other crypto libraries right from the start.
Will the packages of the SUSE Linux Enterprise 11 Security Module be available in the Open Build Service (OBS)?
To avoid opening a door for accidentally mixing the OpenSSL 0.9.8 and 1.0.1 worlds, packages from the SUSE Linux Enterprise 11 Security Module are not available as part of the standard SUSE Linux Enterprise 11 build target; instead we have published them in the “SUSE:SLE-11-SP3:Update” project, repository “security”.
To build against them on OBS, additionally add this line to your project's repository definition:
<path project="SUSE:SLE-11-SP3:Update" repository="security"/>
and BuildRequire at least the libopenssl1-devel package. Alternatively, you can directly build against the repository