OpenSSL is a library that provides cryptographic functionality, specifically SSL/TLS, for popular applications such as secure web servers, MySQL databases and email applications. It was released in 1998 and is available for Linux, Windows, macOS, and BSD systems. OpenSSL allows users to perform various SSL-related tasks, including CSR (Certificate Signing Request) and private key generation, and SSL certificate installation.
If you have ever tried running the command “update openssl”, you will have received “No Packages marked for Update” even though the latest version has been published on OpenSSL.org. In this section we’ll explain how to update OpenSSL to the latest version.
1. Get your current OpenSSL version by the following command:
# yum info openssl
2. OpenSSL requires some dependencies to work. Most of them come with the Linux x86_64 distribution; if that is not the case, you can go ahead and install them:
# yum install make gcc perl pcre-devel zlib-devel
3. We will use the safest method, which is to install it from its source code. This gives us a clean and reliable system.
# wget https://www.openssl.org/source/openssl-1.1.1-latest.tar.gz
4. Extract the package and open the folder:
# tar -zxf openssl-1.1.1-latest.tar.gz
# cd openssl-1.1.1g/
5. Next, configure the package compilation using ./Configure, along with parameters such as --prefix, which sets the path where OpenSSL will be installed.
The yellow highlighted text (linux-x86_64 in the command below) represents your operating system. If you do not know it, you can leave it blank: the script will report an os/compiler problem and show a list of supported systems, and you can choose your OS from there.
The orange highlighted text (enable-ec_nistp_64_gcc_128 in the command below) is optional and applicable to linux-x86_64 only. It makes Diffie-Hellman run 2x to 4x faster. The option has some restrictions, so be careful when using it. It is also worth mentioning that OpenSSL libraries are in different paths depending on the OS; in our Linux example, this is under /usr/lib64/openssl/
# ./Configure linux-x86_64 enable-ec_nistp_64_gcc_128 --prefix=/usr/lib64 --openssldir=/usr/local/lib64
You can also simply run
6. Start compiling the package; this may take a bit.
7. Finally, you can install OpenSSL.
# make install
8. Last but not least, export the path so you can use OpenSSL’s libraries.
# sudo bash -c "echo '/usr/local/lib64' >> /etc/ld.so.conf"
# sudo ldconfig
That’s all. Restart the web server and check the current OpenSSL version (see step 1).
Note: Restarting Apache or Nginx and clearing the ldconfig cache should be done regularly while troubleshooting.
1. Most likely you’ll get the “openssl: error while loading shared libraries” fault. This is because we installed OpenSSL from an external source and compiled it in the local copy. Move it:
1.1) You can simply copy (or move) libcrypto.so.1.1, libssl.so, libssl.so.1.1, libcrypto.a and libssl.a from /usr/local/lib64 to both /usr/lib64/openssl/engines/ and /etc/ld.so.conf.d/ directories.
# ln -s libcrypto.so.1.1 libcrypto.so
# ln -s libssl.so.1.1 libssl.so
# ldconfig
2. OpenSSL is correctly installed and configured, yet it shows the old version. In this case you want to update the libraries to the root, and create symbolic links. Use the following commands:
# ln -s /usr/local/lib64/openssl /usr/lib64/openssl
# mv /usr/lib64/openssl /root/
# ldconfig
You’ll be asked to overwrite the directory, simply press enter, and done.
3. You may find that some of the symlinks are pointing to older versions. You want to update those to our newer version (1.1). We can check this by running the following (these are the files you copied in troubleshooting step 1):
# ls -l libcrypto*
# ls -l libssl*
It should point to libcrypto.so.1.1. If not, run:
# sudo rm libcrypto.so
# sudo ln -s libcrypto.so.1.1 libcrypto.so
This creates a new symlink to the corresponding file. Do the same for libssl.so.
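The symlink check from troubleshooting items 1.1 and 3 can be scripted. The following is an added example, not part of the original article: it reports whether libcrypto.so and libssl.so in a directory resolve to the 1.1 libraries, and flags links that are missing, dangling or still pointing at an older file. The function names and the sample directory layout are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the libcrypto.so / libssl.so symlinks (names here are illustrative).

# link_status DIR LINK WANT -> ok | missing | not-symlink | dangling:<t> | stale:<t>
link_status() {
    ls_path="$1/$2"
    if [ ! -L "$ls_path" ]; then
        if [ -e "$ls_path" ]; then echo "not-symlink"; else echo "missing"; fi
        return 0
    fi
    ls_target=$(readlink "$ls_path")
    # A relative target is resolved against the directory that holds the link.
    case $ls_target in
        /*) ls_resolved=$ls_target ;;
        *)  ls_resolved="$1/$ls_target" ;;
    esac
    if [ ! -e "$ls_resolved" ]; then
        echo "dangling:$ls_target"      # e.g. ln -s run in a directory without the library
    elif [ "$(basename "$ls_target")" = "$3" ]; then
        echo "ok"
    else
        echo "stale:$ls_target"         # still points at an older library
    fi
}

# check_openssl_links DIR [VERSION] -> one line per link; returns 1 if any link is not ok
check_openssl_links() {
    col_dir=$1 col_ver=${2:-1.1} col_rc=0
    for col_lib in libcrypto libssl; do
        col_st=$(link_status "$col_dir" "$col_lib.so" "$col_lib.so.$col_ver")
        printf '%s/%s.so -> %s\n' "$col_dir" "$col_lib" "$col_st"
        [ "$col_st" = ok ] || col_rc=1
    done
    return "$col_rc"
}

# Constructed sample (not a real system): libcrypto.so is stale, libssl.so is correct.
make_sample_dir() {
    msd=$(mktemp -d)
    touch "$msd/libcrypto.so.1.0.0" "$msd/libcrypto.so.1.1" "$msd/libssl.so.1.1"
    ln -s libcrypto.so.1.0.0 "$msd/libcrypto.so"
    ln -s libssl.so.1.1 "$msd/libssl.so"
    echo "$msd"
}

sample=$(make_sample_dir)
check_openssl_links "$sample" || echo "Fix the links reported above, then run ldconfig."
rm -rf "$sample"
```

To audit a real system, call check_openssl_links with the directory that holds the copied libraries; a stale link means programs that resolve libcrypto.so or libssl.so through it still load the older library.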