OpenSSL is an open source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and is used by popular applications such as secure web servers, MySQL databases and email applications.
While working on a project to set up a certification authority using OpenCA on CentOS 6, I found that the OpenSSL version that ships by default is v1.0.1e, which is out of support and should not be used, according to the official OpenSSL web page. Only the 1.0.2 series is supported as an LTS release, until 31st Dec 2019!
So, I upgraded the default OpenSSL version to the Long Term Support (LTS) OpenSSL 1.0.2l and here is the step-by-step guide for those who want to do the same.
How to upgrade OpenSSL
Step 1: Verify the current OpenSSL version
Verify the current OpenSSL version and also check the vendor's repositories for any update available through yum!
# openssl version
# yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 57.el6
Size        : 4.1 M
Repo        : installed
From repo   : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 57.el6
Size        : 1.5 M
Repo        : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.
From the above yum output, we see that no newer version is available to upgrade to.
Step 2: Download the latest version of OpenSSL
# cd /usr/local/src
# wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
# tar -xvzf openssl-1.0.2l.tar.gz
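Before compiling, it is worth checking the downloaded tarball against its published SHA-256 digest. The function below is an added example, not part of the original guide; the name verify_tarball and the digest file name in the usage comment are assumptions.

```shell
# Added example: verify a downloaded source tarball against a SHA-256 digest file.
# verify_tarball TARBALL DIGEST_FILE
#   returns 0 if the digests match, 1 on mismatch, 2 on missing or malformed input.
verify_tarball() {
    tarball=$1
    digest_file=$2

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$digest_file" ] || { echo "missing digest file: $digest_file" >&2; return 2; }

    # Digest files come as "<hex>" or "<hex>  <filename>"; take the first
    # field of the first line and normalise it to lower case.
    expected=$(awk 'NR==1 {print tolower($1)}' "$digest_file")

    # Fail closed on anything that is not exactly 64 hex characters, for
    # example an HTML error page saved under the digest file's name.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest in $digest_file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest in $digest_file" >&2; return 2; }

    actual=$(sha256sum "$tarball" | awk '{print $1}')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball"
        return 0
    fi
    echo "MISMATCH: $tarball (expected $expected, got $actual)" >&2
    return 1
}

# Usage (assumed digest file name; fetch the digest published for this release):
#   verify_tarball openssl-1.0.2l.tar.gz openssl-1.0.2l.tar.gz.sha256 || exit 1
```

A digest fetched from the same server as the tarball catches a corrupted or truncated download; checking the release's PGP signature is what ties the file to the OpenSSL developers.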
Step 3: How to manually compile and install OpenSSL
We need to manually compile OpenSSL to install/upgrade.
# cd openssl-1.0.2l
# ./config
# make depend
# make
# make test
# make install
If you complete the above steps without any error messages, OpenSSL has been installed. Voila!
Step 4: Move the newly installed OpenSSL binary to the PATH
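Now, if you check the OpenSSL version, to your surprise, it won't have changed! That is because make install puts the new binary under /usr/local/ssl, while /usr/bin/openssl is still the old one. So, take a backup of the old OpenSSL binary and link the newly installed OpenSSL binary to /usr/bin/openssl as below: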
# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Step 5: Verify the newly installed OpenSSL version
# openssl version
OpenSSL 1.0.2l 25 May 2017
Do you get the error "Error loading shared libraries libcrypto.so.1.1" while executing the openssl command? Then jump to this tutorial to fix it.
Step 6: Generate a self-signed certificate
Now OpenSSL is upgraded. Try generating a self-signed certificate as mentioned in this tutorial.
Step 7: Verify the SSL certificate
The next step is to verify the generated certificate as explained in this tutorial.
Step 8: OpenSSL commands
OpenSSL can do plenty. Click here to learn more about OpenSSL commands.
Thank you very much, now I can continue on the same server instead of a new one.
Upgrade to RHEL/CentOS 8. Considering the endless stream of security updates, OpenSSL is the last package you want to remove from YUM version control.
easy to understand