RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

I was able to successfully build the package after modifying a few things, and it installed without an issue. Programs built against openssl still run, and wget and openssl s_client work correctly and validate the certificate. This requires that you have also either removed the DST Root CA X3 certificate or installed the EL6 ELS version of ca-certificates.

I picked up the source RPM from https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm

To build, I had to change ALL references in three patches from secure_getenv() to getenv():

  • openssl-1.0.2a-env-zlib.patch
  • openssl-1.0.2j-deprecate-algos.patch
  • openssl-1.0.2a-fips-ctor.patch

I also had to comment out this line (216) from the openssl.spec file:
%patch68 -p1 -b .secure-getenv

These references to secure_getenv() can't be used because glibc in CentOS 6 doesn't have the function. RH blindly added them without checking for support because they knew it was safe to assume CentOS 7 would have it.

Your mileage may vary, of course. Anything that depends on the specific 1.0.1e version might break, or might have incorrect expectations about what security features are available, leading to unexpected bad stuff, but so far I haven't had it happen to me. I'm not giving out any warranties or prebuilt packages, but hopefully this is enough to get people pointed in the right direction.

Edit: Just in case it may also help: To produce an updated version of ca-certificates, you can do something like this. Take these two packages:

Extract certdata.txt from the el7 SRPM and replace the file at SOURCES/certdata.txt for the el6 rpm build. Update the EL6 RPM spec file Version line to 2021.2.50, and build that package.

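As an added example (not the poster's script), a POSIX shell version of the two openssl.spec/patch edits described in the post, assuming a standard rpmbuild tree with SOURCES/ and SPECS/; make_sandbox and the CONSTRUCTED_VAR line are constructed stand-ins so it can be run offline before touching a real tree:

```shell
#!/bin/sh
# Added example, not the poster's script: the two edits the post describes
# for rebuilding the el7 openssl 1.0.2k SRPM on EL6, scripted so they can be
# re-applied when a newer el7 SRPM is picked up. Assumes $1 is an rpmbuild
# tree ($1/SOURCES, $1/SPECS); make_sandbox builds a constructed stand-in.

# The three patches the post says reference secure_getenv().
PATCHES="openssl-1.0.2a-env-zlib.patch
openssl-1.0.2j-deprecate-algos.patch
openssl-1.0.2a-fips-ctor.patch"

# Rewrite every secure_getenv( call to getenv( in the listed patches.
fix_patches() {
    for p in $PATCHES; do
        f="$1/SOURCES/$p"
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        sed -i 's/secure_getenv(/getenv(/g' "$f"
    done
}

# Comment out the %patch68 line (the secure-getenv patch) in openssl.spec.
fix_spec() {
    sed -i 's/^%patch68 .*/#&/' "$1/SPECS/openssl.spec"
}

# Number of secure_getenv( references left under SOURCES (0 after the fix).
remaining_refs() {
    cat "$1"/SOURCES/*.patch | grep -c 'secure_getenv(' || true
}

# Constructed stand-in tree: one made-up line per patch plus a spec excerpt.
make_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/SOURCES" "$d/SPECS"
    for p in $PATCHES; do
        printf '+\tchar *v = secure_getenv("CONSTRUCTED_VAR");\n' > "$d/SOURCES/$p"
    done
    printf '%%patch67 -p1 -b .foo\n%%patch68 -p1 -b .secure-getenv\n%%patch69 -p1 -b .bar\n' \
        > "$d/SPECS/openssl.spec"
    echo "$d"
}

# Stand-alone demonstration on the constructed tree.
if [ -z "$NO_DEMO" ]; then
    t=$(make_sandbox); fix_patches "$t"; fix_spec "$t"
    echo "remaining secure_getenv refs: $(remaining_refs "$t")"
    grep '^#%patch68' "$t/SPECS/openssl.spec" || echo "patch68 line not commented"
fi
```

Run it against a real tree with `fix_patches ~/rpmbuild && fix_spec ~/rpmbuild` after installing the SRPM; `remaining_refs` should print 0 before running rpmbuild.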