Downgrade OpenSSL to support SSLv3, Heartbeats, MD2, Idea, MDC2, RC5 and old / weak / legacy SSL ciphers and protocols.
In 10 minutes you will be able to:
- Set up OpenSSL with support for SSLv3 and the other legacy features, system-wide and in apache2 and nginx.
Fully explained commands follow. You can copy-paste them into a terminal to reach these goals.
Should be compatible with other Debian versions.
# command - for privileged commands (invoke from root).
$ command - non-privileged commands (invoke from non-root).
These recommendations are ONLY for building a backward-compatible environment.
The result is unstable and NOT secure, since outdated ciphers/protocols are used.
AS-IS. Only if you know what you are really doing.
If you have corrections - please speak up at the bottom.
Append the source entries (SRC lines) to the apt source list.
# vi /etc/apt/sources.list
Paste the following content:
deb http://httpredir.debian.org/debian/ buster main contrib non-free
deb http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb http://security.debian.org/ buster/updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb-src http://security.debian.org/ buster/updates main contrib non-free
Invoke:
# apt-get update
Rebuild current OpenSSL.
Actually you can rebuild any package in the same way.
Including apache2 if needed.
On the Debian 10 machine invoke:
# openssl list -disabled #keep output to compare
# mkdir /_apt
# chown _apt: /_apt/
# apt install devscripts #'devscripts' is needed for 'debuild'.
# su -s/bin/bash - _apt
$ mkdir /_apt/openssl-current/
$ cd /_apt/openssl-current/
$ apt-get source openssl #this will get the current openssl version source.
$ exit;
#*Now under root.
# apt-get build-dep openssl
#*These dependencies are for CONFARGS below.
#*If we change no-zlib ->to-> enable-zlib - build will fail.
#*So keep it as 'no-zlib' but install it anyway.
# apt-get install zlib1g-dev zlib1g
# apt-get install build-essential make zlib1g-dev libxml2-dev #*These dependencies are for 'enable-weak-ssl-ciphers' below.
# su -s/bin/bash - _apt
$ cd /_apt/openssl-current/openssl-1.1.1d #ver. may change.
$ vi debian/rules
Change the line starting with CONFARGS
From:
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms
To:
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) enable-heartbeats enable-md2 enable-weak-ssl-ciphers enable-idea enable-mdc2 enable-rc5 no-zlib enable-ssl2 enable-ssl3 enable-unit-test enable-ssl3-method enable-rfc3779 enable-cms
#*Actual build.
$ debuild -b -uc -us
$ exit;
# cd /_apt/openssl-current/
# dpkg -i ./libssl-dev_1.1.1d-0+deb10u3_amd64.deb ./libssl1.1_1.1.1d-0+deb10u3_amd64.deb ./libssl-doc_1.1.1d-0+deb10u3_all.deb ./openssl_1.1.1d-0+deb10u3_amd64.deb #*Versions may change, tune to yours.
# apt-mark hold libssl-dev libssl1.1 libssl-doc openssl
# openssl list -disabled #compare it with original
# openssl list -cipher-algorithms
# openssl list -digest-algorithms
# openssl ciphers -v |fgrep --color=yes SSLv3
Now you have built and installed OpenSSL with old ciphers / protocols enabled.
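The "keep output to compare" step can be scripted. The following is an added example, not part of the original article: it compares two saved outputs of `openssl list -disabled` and reports the features the rebuild turned on, which is also a quick way to audit a host for a downgraded build. The file names and the sample listings are constructed, and the "Disabled algorithms:" header line is assumed to match your OpenSSL's output.

```shell
#!/bin/sh
# Added example: list the features that were disabled before the rebuild
# and are no longer disabled after it.

# Print the feature names from one saved `openssl list -disabled` output,
# sorted, one per line. Skips the header line and blank lines.
disabled_set() {
    grep -v -e '^Disabled algorithms:' -e '^[[:space:]]*$' "$1" \
        | tr -d ' \t\r' | LC_ALL=C sort -u
}

# Features disabled in $1 (before) but not in $2 (after).
newly_enabled() {
    b=$(mktemp) && a=$(mktemp) || return 1
    disabled_set "$1" > "$b"
    disabled_set "$2" > "$a"
    LC_ALL=C comm -23 "$b" "$a"   # lines unique to the "before" set
    rm -f "$b" "$a"
}

# Constructed sample listings (not captured from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.txt" <<'EOF'
Disabled algorithms:
HEARTBEATS
IDEA
MD2
MDC2
RC5
SSL3
ZLIB
EOF
cat > "$demo_dir/after.txt" <<'EOF'
Disabled algorithms:
ZLIB
EOF

newly_enabled "$demo_dir/before.txt" "$demo_dir/after.txt"
```

On a real host, save `openssl list -disabled > before.txt` before the rebuild and `> after.txt` after it, then pass both files to `newly_enabled`.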
But for apache2 and nginx this is not enough.
You need to rebuild the libssl1.0.0 library from the previous OpenSSL package. You can get the previous OpenSSL version from Debian 8.
$ openssl version
OpenSSL 1.0.1t 3 May 2016
Note:
Use:
# openssl ciphers -v '-ALL:MD5' to show all supported MD5 ciphers.
# openssl ciphers -v 'ALL' gives you all possible values for
apache's SSLCipherSuite and nginx's ssl_ciphers directives.
You can also use Mozilla SSL Configuration Generator https://ssl-config.mozilla.org/
Rebuild previous OpenSSL - part 1.
Note:
You can install libssl1.0.0 on Debian 10 from jessie-backports, but it lacks what we need.
# apt-get install libssl1.0.0 -t jessie-backports
On the Debian 8 machine invoke:
# vi /etc/apt/sources.list
deb http://httpredir.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ jessie main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
# apt-get update
# mkdir openssl-previous
# cd openssl-previous
# apt-get source openssl #will get 1.0.1t ver.
# cd .. #go back up so tar can see the openssl-previous directory.
# tar zcpf openssl-previous.tar.gz openssl-previous
Transfer openssl-previous.tar.gz to the Debian 10 machine.
Rebuild previous OpenSSL - part 2.
On the Debian 10 machine invoke:
# cd /_apt
# tar zxpf /root/openssl-previous.tar.gz
# chown -R _apt: ./openssl-previous/
# su -s/bin/bash - _apt
$ cd /_apt/openssl-previous/openssl-1.0.1t #ver. may change.
$ vi debian/rules
Change the line starting with CONFARGS
From:
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3
To:
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) enable-heartbeats enable-md2 enable-weak-ssl-ciphers enable-idea enable-mdc2 enable-rc5 no-zlib enable-tlsext no-ssl2 enable-ssl3 enable-ssl3-method
Below that, comment out:
#MAKE_TEST = make test
#ifneq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))
# MAKE_TEST = :
#endif
and right after it append:
MAKE_TEST = :
$ debuild -b -uc -us #*Actual build.
$ exit;
# cd /_apt/openssl-previous/
# dpkg -i ./libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb ./openssl_1.0.1t-1+deb8u12_amd64.deb #*Versions may change, tune to yours.
# apt-mark hold libssl1.0.0 openssl
All done.
Now invoke:
# systemctl restart apache2 nginx
to make SSLv3 and others work.
Tested with:
- Debian 10.5.
- apache2=2.4.38-3+deb10u3
- nginx=1.18.0-1~buster
Apache2 SSLv3 (and other) note regarding mod_ssl.
After you have installed the new and old versions of OpenSSL you should
rebuild Apache2 to upgrade mod_ssl against the current SSL libs.
You can do it in the same manner as rebuilding the current OpenSSL.
# apachectl -t
AH00526: Syntax error on line 67 of /etc/apache2/mods-enabled/ssl.conf:
SSLv3 not supported by this version of OpenSSL
Action '-t' failed.
The Apache error log may have more information.
Nginx SSLv3 (and other) note.
Just restart nginx to apply changes regarding SSLv3 and others.
The ca-certificates package note.
ca-certificates may depend on the previous OpenSSL variant.
To test it invoke:
# apt autoremove
If you see an unmet dependencies message, then
rebuild this package (get it from Debian 8) too.
After build and install do not forget to hold it:
# apt-mark hold ca-certificates
To revert changes.
On the Debian 10 machine invoke:
# apt-mark unhold libssl-dev libssl1.1 libssl-doc openssl
# apt-mark unhold libssl1.0.0 openssl
# apt-mark unhold apache2 apache2-bin apache2-data apache2-utils
# apt-mark unhold ca-certificates
# apt-mark unhold nginx
# apt-get install openssl
# apt-get remove --purge libssl1.0.0
# apt-get install --reinstall openssl libssl1.1 libssl-doc libssl-dev
# apt-get remove --purge apache2 apache2-bin apache2-data apache2-utils
Install brief.
# dpkg -i ./libssl-dev_1.1.1d-0+deb10u3_amd64.deb ./libssl1.1_1.1.1d-0+deb10u3_amd64.deb ./libssl-doc_1.1.1d-0+deb10u3_all.deb ./openssl_1.1.1d-0+deb10u3_amd64.deb
# dpkg -i ./libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb ./openssl_1.0.1t-1+deb8u12_amd64.deb
# dpkg -i ./apache2-bin_2.4.38-3+deb10u3_amd64.deb ./apache2-data_2.4.38-3+deb10u3_all.deb ./apache2_2.4.38-3+deb10u3_amd64.deb ./apache2-utils_2.4.38-3+deb10u3_amd64.deb
# dpkg -i ca-certificates_20141019+deb8u4_all.deb
Files
Use this URL https://drive.google.com/file/d/1v6kERpN1yKO25yrINCEmHX9ydcdtBB3X
to get debian-10-downgrade-openssl.tar.xz.zip, password is: [withheld].
*You can request password from me with a form below.