OpenSSL upgrade?

Martinwiertz
Advanced member
Posts: 120
Joined: Sat Sep 13, 2014 3:55 am
Location: The Netherlands
ZCS/ZD Version: V10.1 FOSS Intalio on Ubuntu22.04

OpenSSL upgrade?

Post by Martinwiertz »

Hi all,

I have an application on my Zimbra server and it needs an upgrade to a newer version due to LCM-policy. It uses OpenSSL and the new version requires at least OpenSSL 3.0.9. On my current Zimbra server I have 3.0.2 from March 2022 as part of Zimbra 10.1.10.

Zimbra support article indicates not to upgrade OpenSSL independently.
No Standalone OpenSSL Updates:
You generally cannot upgrade OpenSSL independently of Zimbra. The OpenSSL version is tied to the specific Zimbra release and patch you are running.

How to proceed?

FOSS Release 10.1.10.INTALIO.20250425 (fully up-to-date and patched)
ghen
Outstanding Member
Posts: 418
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: OpenSSL upgrade?

Post by ghen »

An upgrade to OpenSSL 3.5.1 is around the corner: https://github.com/Zimbra/packages/pull/224/commits

Not sure why your application links to zimbra-openssl though. Are you sure it's not using the OS-provided openssl library?
Martinwiertz

Re: OpenSSL upgrade?

Post by Martinwiertz »

Thanks, on my OS cli -- "openssl version" is 3.0.2. I presume the OS and Zimbra use this.
Or are there independent versions?

I am not in a hurry so I am able to wait.
ghen

Re: OpenSSL upgrade?

Post by ghen »

No, Zimbra ships its own version of openssl (and several other libraries and components) under /opt/zimbra/common.
You can see its version with "/opt/zimbra/common/bin/openssl version", currently that's 3.0.9 (although we are locally running with 3.5.1, and submitted that upgrade to Zimbra in this PR).

You didn't mention your OS, but their OpenSSL 3.0.2 is (most likely) not "just" 3.0.2, but with backported patches and security fixes. As long as your OS is supported, so is their version of OpenSSL, so you should be fine.
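
Added example, not part of the post above and not Zimbra tooling: a shell script that reads `ldd` output to tell whether a binary resolves libssl/libcrypto from the OS or from /opt/zimbra/common, which is the question raised earlier in the thread. The function names and the sample `ldd` lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which OpenSSL does a binary load, the OS one or Zimbra's?
# Assumption from the thread: Zimbra's bundled libraries live under /opt/zimbra/common.
ZIMBRA_PREFIX="/opt/zimbra/common"

# Read `ldd` output on stdin; print "<origin> <soname> <path>" for each
# libssl/libcrypto dependency. origin is zimbra, os, or missing.
classify_ssl_libs() {
    awk -v prefix="$ZIMBRA_PREFIX" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($3 == "not" || $3 == "") { print "missing", $1, "-"; next }
            origin = (index($3, prefix "/") == 1) ? "zimbra" : "os"
            print origin, $1, $3
        }'
}

# Reduce the classification to one word: os, zimbra, missing, mixed, or none.
# "mixed" (libssl and libcrypto from different trees) is the case to fix first.
ssl_origin() {
    classify_ssl_libs | awk '
        !($1 in seen) { seen[$1] = 1; n++; last = $1 }
        END { print (n == 0 ? "none" : (n == 1 ? last : "mixed")) }'
}

# Constructed sample ldd output (not captured from a real host).
SAMPLE_OS='    linux-vdso.so.1 (0x00007ffc0a1f2000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1a2c000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2bc00000)'
SAMPLE_MIXED='    libssl.so.3 => /opt/zimbra/common/lib/libssl.so.3 (0x00007f1a2c000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2bc00000)'

# Usage: pass the path of the application binary as the first argument.
# ldd can invoke the binary's loader, so point it only at binaries you trust.
if [ -n "${1:-}" ]; then
    ldd "$1" | classify_ssl_libs
    echo "origin:         $(ldd "$1" | ssl_origin)"
    echo "OS openssl:     $(openssl version 2>/dev/null)"
    echo "Zimbra openssl: $("$ZIMBRA_PREFIX/bin/openssl" version 2>/dev/null)"
    # On Ubuntu the package revision, not the "3.0.2" string, reflects backported fixes.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='libssl3 package: ${Version}\n' libssl3
    fi
fi
```
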
Martinwiertz

Re: OpenSSL upgrade?

Post by Martinwiertz »

OK, Ubuntu 22.04. So I would be able to upgrade the OS (OpenSSL) and provide the new version of OpenSSL to the application. Zimbra runs in parallel with its own OpenSSL.

I will perform a backup and test this.

Thanks!