Select openssl version in SLES 15SP6

For SP6 the default version of openssl has changed from 1.1.1 to 3.1.4 (https://www.suse.com/support/kb/doc/?id=000019582). While this is a good step, some older clients can no longer connect to services on the machine, because TLS v1 is no longer supported. I noticed that optionally openssl 1.1.1 is still around, as confirmed by the packages list.
However, it is not easily possible to switch between installed openssl versions. Normally you would expect update-alternatives to provide an easy way to do that. However, while there are alternatives configured, like for Java, there is none for openssl.
I’d prefer using a safe method that the system is aware of. But even a brutal change like changing the binary of /usr/bin/openssl and the config file in /etc/ssl (along with changes in nginx/apache configs) did not have the desired effect.
I noticed there was a similar post in the past (https://forums.opensuse.org/t/switching-from-openssl-1-to-openssl-3/169916), where the OP wanted to go in the opposite direction, but there were no conclusive answers given.
With SP6 being around for some months, I’d have expected that others may have stumbled over this already. Who could help here?
Thanks,

Looking for the same solution, not found yet.

This helps for apache:

localhost:/usr/share/crypto-policies/LEGACY # diff openssl.txt.orig openssl.txt

1c1

< @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8


@SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
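Review bot: Lowering @SECLEVEL from 1 to 0 in openssl.txt of the LEGACY policy is a system-wide change, so every program that takes its cipher list from the system policy gets the relaxed level, not only Apache. Record which clients still need TLS v1, and in the Apache configuration limit the old protocol versions to the virtual hosts that serve those clients, so the exception stays as narrow as the setup allows and can be removed later.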

localhost:/usr/share/crypto-policies/LEGACY #

localhost:/usr/share/crypto-policies/LEGACY # diff opensslcnf.txt.orig opensslcnf.txt

1c1

< CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8


CipherString = @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
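Review bot: Both edited files sit under /usr/share/crypto-policies/LEGACY, which holds files shipped by the package rather than local configuration, so the CipherString line is likely to return to @SECLEVEL=1 when the package is updated. Keep openssl.txt.orig and opensslcnf.txt.orig next to the edited files, repeat the two diff commands after each update, and run update-crypto-policies --set LEGACY again if the edit had to be re-applied.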

localhost:/usr/share/crypto-policies/LEGACY #

update-crypto-policies --set LEGACY

Configure apache accordingly and restart apache → this setup works for me. Not sure yet whether this will survive an update (e.g. normal update or sp7 migration).
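A drift check for the edit described above, added here as an example and not part of the original post: it reads the @SECLEVEL value from the two back-end files and reports when an update has put the shipped value back. The function names and the throwaway sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether the @SECLEVEL edit in the crypto-policies
# back-end files is still in place (for instance after a package update).

# seclevel_of FILE: print the number that follows @SECLEVEL= on the first
# line of FILE that contains one; prints nothing if there is none.
seclevel_of() {
    sed -n 's/.*@SECLEVEL=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_policy_dir DIR WANT: return 0 only if openssl.txt and opensslcnf.txt
# in DIR both carry @SECLEVEL=WANT; print one status line per file.
check_policy_dir() {
    dir=$1
    want=$2
    rc=0
    for f in openssl.txt opensslcnf.txt; do
        got=$(seclevel_of "$dir/$f" 2>/dev/null)
        if [ "$got" = "$want" ]; then
            echo "ok    $dir/$f SECLEVEL=$got"
        else
            echo "DRIFT $dir/$f SECLEVEL=${got:-missing} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a temporary directory standing in for
# /usr/share/crypto-policies/LEGACY, with shortened cipher strings.
# openssl.txt still has the edit, opensslcnf.txt is back at level 1.
demo=$(mktemp -d)
printf '%s\n' '@SECLEVEL=0:kEECDH:kRSA:!eNULL:!aNULL' > "$demo/openssl.txt"
printf '%s\n' 'CipherString = @SECLEVEL=1:kEECDH:kRSA:!eNULL:!aNULL' > "$demo/opensslcnf.txt"
check_policy_dir "$demo" 0 ||
    echo "edit lost: re-apply it, then run update-crypto-policies --set LEGACY"
rm -rf "$demo"
```

On the real system, call `check_policy_dir /usr/share/crypto-policies/LEGACY 0` after each update or service pack migration.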

Thanks so much Uwe! I was unaware of this crypto policy setting facility. I set up my nginx server to (temporarily) accept TLS v1 and TLS v1.1 and it works for me as well. OP is content:)