Do I need latest version of OpenSSL?
In general – you don’t. Default version is doing great job and it’s secure. I needed it for compiling Apache HTTP with HTTP/2 support back then and now I’m using new version every time it’s released. If you need it for any other reason, this tutorial is for you:)
How to check current version of OpenSSL?
In order to check current version of installed package you need to execute following command:
It will print out version of installed package like OpenSSL 1.0.2k-fips 26 Jan 2017
How to install latest version of OpenSSL?
I compile OpenSSL from source code. In order to compile it successfully you need to install some tools that will help you compile it:
sudo yum install libtool perl-core zlib-devel -y
It will install compiler and few other libraries that are required to compile OpenSSL.
Next download latest version of OpenSSL source code. I like to use releases page on GitHub. I choose the version without FIPS simply because I don’t need compatibility with it. And I think that it’s a bit more secure to have OpenSSL without FIPS, as fixes are usually included much faster in regular version than in FIPS version. If you want to read more about it, use this link.
In order to download source code, use following command:
curl -O -L https://github.com/openssl/openssl/archive/OpenSSL_1_1_1c.tar.gz
Source code comes in compressed package. In order to decompress it use following command:
tar -zxvf OpenSSL_1_1_1c.tar.gz cd openssl-OpenSSL_1_1_1c
Now it’s time to configure and compile OpenSSL:
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib make make test
openssldir sets the output paths for OpenSSL.
shared will force crating shared libraries and
zlib means that compression will be performed by using zlib library
It is worth to run the tests to see if there are any unexpected errors. If there are any, you need to fix them before installing library.
In order to install library you need to execute:
sudo make install
Once the OpenSSL is installed, you can remove the sources and tar.gz package.
Add new version to PATH
After the installation you will probably want to check the version of OpenSSL but it will print out old version. Why? Because it’s also installed on your server. I rarely override packages installed via yum. The reason is that when there is new version of OpenSSL and you will install it via yum, it will simply override compiled version, and you will have to recompile it again.
Instead of overriding files I personally like to create new profile entry and force the system to use compiled version of OpenSSL.
In order to do that, create following file:
sudo vi /etc/profile.d/openssl.sh
and paste there following content:
# /etc/profile.d/openssl.sh pathmunge /usr/local/openssl/bin
Save the file and reload your shell, for instance log out and log in again. Then you can check the version of your OpenSSL client. Or maybe…
Or maybe you will get an error with loading shared libraries? In order to fix that problem we need to create an entry in ldconfig.
Create following file:
sudo vi /etc/ld.so.conf.d/openssl-1.1.1c.conf
And paste there following contents:
# /etc/ld.so/conf.d/openssl-1.1.1c.conf /usr/local/openssl/lib
We simply told the dynamic linker to include new libraries. After creating the file you need to reload linker by using following command:
sudo ldconfig -v
And volia! Check the version of your OpenSSL now. It should print out OpenSSL 1.1.1c 28 May 2019
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl ln -s /usr/local/openssl/include/openssl /usr/include/openssl