Enable OpenSSL Legacy Provider on Ubuntu

OpenSSL plays an important role in securing web applications through its implementation of the TLS and SSL protocols. In some situations you may need to enable the OpenSSL Legacy Provider to keep older applications working or to satisfy specific cryptographic requirements; this is common for PHP applications that still use older cryptographic algorithms. This tutorial explains how to enable the OpenSSL Legacy Provider on Ubuntu.

It's important to note that on OpenSSL 3 the Legacy Provider is not loaded by default. To enable it, we need to modify the OpenSSL configuration file. Open the terminal and execute the following commands:

sudo sed -i '/default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sudo sed -i 's/# activate = 1/activate = 1/' /etc/ssl/openssl.cnf
sudo sed -i '/activate = 1/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf

These commands use the sed utility to make modifications to the OpenSSL configuration file located at /etc/ssl/openssl.cnf. Here's a brief explanation of each command:

  • First sed - appends a new line (legacy = legacy_sect) after the line containing default = default_sect.
  • Second sed - searches for the line containing # activate = 1 and replaces it with activate = 1, effectively uncommenting and activating the specified configuration.
  • Third sed - appends two lines ([legacy_sect] and activate = 1) after the line containing activate = 1, creating a new section labeled [legacy_sect] and activating it.

After modifications, the configuration file should contain the following lines:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1
[legacy_sect]
activate = 1

To verify the changes, run the following command to get a list of available OpenSSL providers:

openssl list -providers

The output might look something like this:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.2
    status: active
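As an added example that is not part of this tutorial, the script below makes the same three edits in a single awk pass, refuses to edit a file that already contains a [legacy_sect] section (the tutorial's sed commands append again on every run, so running them twice duplicates the lines), and then checks the result both statically and with openssl list -providers. The file path argument and the sample configuration fragment are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: same three edits, applied once, then verified.

# Apply the edits to the file named in $1 (default: /etc/ssl/openssl.cnf).
enable_legacy_provider() {
    cfg="${1:-/etc/ssl/openssl.cnf}"
    # Guard: the tutorial's sed commands append on every run, so skip a
    # file that already has a [legacy_sect] section.
    if grep -q '^\[legacy_sect\]' "$cfg"; then
        echo "legacy provider already configured in $cfg" >&2
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk '
        # 1) register the legacy provider next to the default one
        /^default = default_sect$/ { print; print "legacy = legacy_sect"; next }
        # 2) uncomment activate = 1 in [default_sect], then
        # 3) add an activated [legacy_sect] right after it
        /^# activate = 1$/ { print "activate = 1"; print "[legacy_sect]"; print "activate = 1"; next }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Static check: both providers declared and both sections activated.
config_has_legacy() {
    grep -q '^legacy = legacy_sect$' "$1" &&
    grep -q '^\[legacy_sect\]$' "$1" &&
    [ "$(grep -c '^activate = 1$' "$1")" -eq 2 ]
}

# Runtime check: ask OpenSSL whether the legacy provider actually loaded.
legacy_provider_active() {
    openssl list -providers 2>/dev/null | grep -qi 'legacy provider'
}

# Demo on a constructed copy of the relevant Ubuntu openssl.cnf fragment.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
[provider_sect]
default = default_sect

[default_sect]
# activate = 1
EOF
enable_legacy_provider "$demo_cfg"
enable_legacy_provider "$demo_cfg"   # second run is a no-op
config_has_legacy "$demo_cfg" && echo "config OK: $demo_cfg"
```

Run it without an argument (as root) to edit /etc/ssl/openssl.cnf itself, then call legacy_provider_active to confirm OpenSSL reports the provider as loaded.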

After modifying the file, restart any application that depends on OpenSSL so that it picks up the new configuration. For example, if you are running PHP-FPM, use the following command:

sudo service php8.2-fpm restart

If you are using Apache as your web server, restart it using the command:

sudo service apache2 restart
