I wanted to check out the latest release of OpenSSL (3.5) because it has support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA). I was trying to figure out how to build it and put it in /opt so i wouldn't wipe out my system :) I could only seem to find "don't install a different version on Debian"
The issue is with shared library versions, Debian 12 has OpenSSL 3.0.15 3 Sep 2024.. So if you build 3.5 the shared libraries will
also be version 3.
$ ldd /usr/bin/openssl
linux-vdso.so.1 (0x00007ff5df4e5000)
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007ff5df320000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007ff5dee00000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff5dec1f000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff5df4e7000)
So building 3.5 will automatically link to 3.0 shared libraries which is a disaster. It's possible to build a static version, however the documentation says static builds don't work on Linux. no joy.
I know on FreeBSD you can install various versions without blowing up the system install. in ports currently is version 1.11, 3.1, 3.2, 3.3, 3.4, 3.5.. So I took a look at that they do...
===> Applying FreeBSD patches for openssl35-3.5.0 from /usr/ports/security/openssl35/files
/usr/bin/sed -i.bak 's|SHLIB_VERSION=3|SHLIB_VERSION=17|' /usr/ports/security/openssl35/work/openssl-3.5.0/VERSION.dat
they change the hard-coded shared library version to "17". this is somewhat arbitrary, it doesn't correspond to the actual version but the port release... for example openssl3.4 is version 16 and when 3.6 is a thing it will be version 18. There's a file in the port directory named "version.mk" that sets the shared library version. That way the various versions can all live happily together, I suppose.
# cat version.mk
OPENSSL_SHLIBVER?= 17
So the solution for Debian is to edit the VERSION.dat file in the openssl source.
MAJOR=3
MINOR=5
PATCH=0
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="8 Apr 2025"
SHLIB_VERSION=3
change SHLIB_VERSION to 35 (or 17 or whatever lol)
then you can ./config --prefix=/opt/openssl35 / make / make install
$ ./bin/openssl version
OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
$ ldd bin/openssl
linux-vdso.so.1 (0x00007f40e2176000)
libssl.so.35 => /opt/openssl35/lib64/libssl.so.35 (0x00007f40e1f33000)
libcrypto.so.35 => /opt/openssl35/lib64/libcrypto.so.35 (0x00007f40e1800000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f40e161f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f40e2178000)
Now it's linked to the correct libraries, and the original system openssl is not destroyed :)
