Shimming OpenSSL
Out of Necessity
Braden Ganetsky
C++ on Sea 2025 Lightning Talk
## This talk

* Requested by Damien Buhl
* May not be advisable to do what I'm showing
* I take no responsibility
OpenSSL
## Transport Layer Security (TLS)

* Cryptographic protocol for secure communication
* Used in email, IM, VOIP, HTTPS
* TLS 1.2 and TLS 1.3 are supported
* All older versions (including all SSL versions) are not

## OpenSSL

* C implementation of SSL and TLS
* Ubiquitous
* Many people using unsupported old versions
* Newer versions _should_ be source-compatible with older versions
OpenSSL Vulnerabilities
https://openssl-library.org/news/vulnerabilities
https://en.wikipedia.org/wiki/Heartbleed
## OpenSSL 1.0.2

* https://openssl-library.org/news/vulnerabilities-1.0.2/
* Out of support on 2019-12-31
OpenSSL 1.0.2
## OpenSSL 1.1.1

* https://openssl-library.org/news/vulnerabilities-1.1.1/
* Out of support on 2023-09-11
OpenSSL 1.1.1
OpenSSL Vulnerabilities
For the sake of security, update your OpenSSL
😬
The problem
## The problem

* Linking against a 3rd party library
* No access to their source code
* It was built to link against OpenSSL 1.1.1
* We have OpenSSL 3.X on our machines
* We can't _downgrade_ our OpenSSL for this one case
The problem
"undefined reference to SSL_library_init"
SSL_library_init
https://docs.openssl.org/master/man3/SSL_library_init/
"The SSL_library_init() and OpenSSL_add_ssl_algorithms() functions were deprecated in OpenSSL 1.1.0 by OPENSSL_init_ssl()."
Macros are not symbols in the compiled binary
Preprocessor only
## `SSL_library_init`

* The 3rd party binary looks for `SSL_library_init` as a function name in the OpenSSL dynamic library
* Other functions too, not shown here
* In our OpenSSL 3.X, these symbols do not exist
* Linker error
The solution
## The solution

* Provide a definition for the symbol
* As a macro?
* As a function?
Setup
As a macro
❌
As a function
✔️
## The solution

* Must provide the symbol as a function
* Repeat for all affected functions
Conclusion
## Conclusion

* The binary, compiled with OpenSSL pre-1.1.0, can be used with OpenSSL 3.X
* We only need a few shims
* Is this advisable?
* 🤷
* But it works for now
Thank you!
Braden Ganetsky
braden@ganets.ky
GitHub @k3DW