Thursday, June 15, 2017

How to update openssl and/or install openssl 1.1.0 in CentOS 7 from sources

Updating openssl


After deploying a new CentOS 7 distro, I checked the version of openssl and it appeared to be very old (2013!!). To check the openssl version, you can use this command:
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
or this:
yum info openssl
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7_3.1

Then if you want to update it, simply run:
sudo yum update openssl
And if you check it again, it will show the updated version:
openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
So this should include all security fixes and you're good to go.

But if you still want to install a newer openssl alongside the current one, I will show how below.


Install openssl 1.1.0 from sources


1. Download and extract:
cd ~
wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz
tar -xzf openssl-1.1.0f.tar.gz

2. Compile and install:
cd openssl-1.1.0f
./config
make
sudo make install
Now if you try to run openssl, you will get this error:
/usr/local/bin/openssl version
/usr/local/bin/openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
To fix it, we need to do the next step.

3. Create links to libssl:
sudo ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/
sudo ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/

4. Finally, create a link to the new openssl:

sudo ln -s /usr/local/bin/openssl /usr/bin/openssl_latest
Here I called it 'openssl_latest'; you can change it to whatever you want.

5. Now let's check the version of our 'openssl_latest', which should be '1.1.0f' at the time of writing:
openssl_latest version
OpenSSL 1.1.0f  25 May 2017
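
Step 1 above extracts and builds the download as-is, and step 2 installs the result as root. The following added example (not part of the original post) checks the tarball against a published SHA-256 digest file before extraction; the function names and the `.sha256` file name are assumptions.

```bash
# Added example: check a source tarball against a published SHA-256 digest
# before extracting it. Function and file names are assumptions.

# Print the lowercase hex SHA-256 of a file; fail if it is unreadable.
sha256_of() {
    [ -r "$1" ] || return 2
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Read the digest from a .sha256 file. Accepts a bare digest or the
# "digest  filename" layout, and rejects anything that is not 64 hex chars.
expected_digest() {
    [ -r "$1" ] || return 2
    _d=$(awk 'NF {print tolower($1); exit}' "$1")
    case "$_d" in
        ""|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#_d}" -eq 64 ] || return 3
    printf '%s\n' "$_d"
}

# verify_tarball TARBALL DIGEST_FILE -> 0 only if the digests match.
verify_tarball() {
    _want=$(expected_digest "$2") || { echo "bad digest file: $2" >&2; return 1; }
    _got=$(sha256_of "$1") || { echo "cannot read: $1" >&2; return 1; }
    if [ "$_want" != "$_got" ]; then
        echo "MISMATCH for $1: expected $_want, got $_got" >&2
        return 1
    fi
    echo "OK: $1"
}

# Usage with the file from step 1 (digest file name is an assumption):
#   verify_tarball openssl-1.1.0f.tar.gz openssl-1.1.0f.tar.gz.sha256 \
#       && tar -xzf openssl-1.1.0f.tar.gz
```

A digest fetched from the same server mainly catches corrupted or truncated downloads; checking the release's PGP signature is the stronger test.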

6 comments:

  1. openssl version outputs "OpenSSL 1.1.0g-dev xx XXX xxxx" but yum info openssl outputs the same previous version "1.0.1e". How to overcome this?

    1. I saw this on another website:
      "If the old version is still displayed or installed before, please make a copy of openssl bin file :

      # mv /usr/bin/openssl /root/
      # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
      Now verify the OpenSSL version.

      # openssl version
      OpenSSL 1.0.2e 3 Dec 2015"

      Hope it can help you.

      P.S. Link: https://syslint.com/blog/tutorial/how-to-upgrade-openssl-on-centos-7-or-rhel-7/

  2. Bad idea to remove the existing openssl and then attempt to use wget.

  3. Great article. I was able to compile the OpenSSL 1.1.0 work but when I inspect our website, header response still shows the old OpenSSL. We're using Apache 2.4. Any suggestions?
