2.1 Custom-Compile OpenSSL for Testing
Using OpenSSL for testing purposes has become more difficult recently because, paradoxically, OpenSSL itself got better. In the aftermath of Heartbleed, the OpenSSL developers undertook a great overhaul, one aspect of which was the removal of obsolete cryptography. That is great news for everyone, of course, but it does make our lives more difficult. To test for a wide variety of conditions, we may need to use two versions: one recent and one old. The recent one is useful to test modern features (e.g., TLS 1.3), but the old one is what you need to test obsolete functionality.
At the time of writing, the new version will most definitely be from the 1.1.1 branch. As for the old one, after some research, I settled on OpenSSL 1.0.2g, configured so that the removal of some obsolete features is reverted:
$ ./config \
    --prefix=/opt/openssl-1.0.2g \
    --openssldir=/opt/openssl-1.0.2g \
    no-shared \
    enable-ssl2 \
    enable-ssl3 \
    enable-weak-ssl-ciphers
Throughout this chapter, I will refer to these two versions of OpenSSL as new and old. That’s how you’ll know which version to use for testing. Refer to the previous chapter for more information on how to configure and install OpenSSL.
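A quick check that the old build really kept its obsolete features, as an added example that is not from the original text: it counts SSLv2 and export-grade suites in `openssl ciphers -v` output, which only appear when enable-ssl2 and enable-weak-ssl-ciphers took effect. It assumes the binary was installed as /opt/openssl-1.0.2g/bin/openssl (the usual layout under the prefix above); the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed install path, derived from the --prefix used above.
OLD_OPENSSL=${OLD_OPENSSL:-/opt/openssl-1.0.2g/bin/openssl}

# Read `openssl ciphers -v` output on stdin. Column 2 is the protocol the
# suite belongs to; export-grade suites carry a trailing "export" field.
summarize_ciphers() {
    awk '$2 == "SSLv2"   { v2++ }
         $NF == "export" { ex++ }
         END { printf "sslv2=%d export=%d\n", v2, ex }'
}

# Succeed only if the listing contains both SSLv2 and export suites,
# i.e. it looks like the "old" build described in this section.
is_old_build() {
    case "$(summarize_ciphers)" in
        sslv2=0*|*export=0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample listings, so the functions can be exercised offline.
SAMPLE_OLD='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-MD5                SSLv2   Kx=RSA      Au=RSA Enc=3DES(168)   Mac=MD5
RC4-MD5                     SSLv2   Kx=RSA      Au=RSA Enc=RC4(128)    Mac=MD5
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA Enc=RC4(40)     Mac=MD5  export
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA Enc=DES(40)     Mac=SHA1 export'

SAMPLE_NEW='TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Run against the real binary only if it is present at the assumed path.
if [ -x "$OLD_OPENSSL" ]; then
    "$OLD_OPENSSL" version
    "$OLD_OPENSSL" ciphers -v 'ALL' | summarize_ciphers
fi
```

The listing cannot confirm enable-ssl3, because suites labelled SSLv3 are also used by TLS 1.0 and later and so appear in any build.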