Skip to content

Instantly share code, notes, and snippets.

@Bill-tran
Created September 7, 2021 09:22
Show Gist options
  • Save Bill-tran/5e2ab062a9028bf693c934146249e68c to your computer and use it in GitHub Desktop.
Save Bill-tran/5e2ab062a9028bf693c934146249e68c to your computer and use it in GitHub Desktop.
How to install openssl 1.1.1 on CentOS 7

How To Install OpenSSL 1.1.1 on CentOS 7

This tutorial goes through how to install openssl 1.1.1 on CentOS 7, since the yum repo only installs up to openssl 1.0.

Requirements

Upgrade the system

yum -y update

Install required packages

yum install -y make gcc perl-core pcre-devel wget zlib-devel

Download the latest version of OpenSSL source code

wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

Configure, build and install OpenSSL

Uncompress the source file

tar -xzvf openssl-1.1.1k.tar.gz

Change to the OpenSSL directory

cd openssl-1.1.1k

Configure the package for compilation

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

Compile package

make

Test compiled package

make test

Install compiled package

make install

Export library path

Create environment variable file

vim /etc/profile.d/openssl.sh

Add the following content

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Load the environment variable

source /etc/profile.d/openssl.sh

Verify the OpenSSL version

openssl version
@anibalpacheco
Copy link

-bash: vim: command not found [root@***** ~]#

sudo yum install vim

@bentole
Copy link

bentole commented Mar 7, 2023

Thanks a bunch for this one @Bill-tran ! Saved me hours of frustration probably 😆 !

Take care!

@savitafulmali
Copy link

I followed exact steps -
openssl version
OpenSSL 1.1.1 11 Sep 2018

But still I get below error -
ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips 26 Jan 2017. See: urllib3/urllib3#2168

@zongren
Copy link

zongren commented Jun 12, 2023

@savitafulmali reinstall python?

@paulocoghi
Copy link

Just a feedback. It works perfectly on an old CentOS 7.9

Thanks a lot!

@gary54654576
Copy link

gary54654576 commented Jul 28, 2023

what does the path /usr/local/lib:/usr/local/lib64 point to?

I just work in AWS and I don't have such folders, what should I do?

@paulocoghi
Copy link

paulocoghi commented Jul 28, 2023

@gary54654576 It's on such moments that I reinforce the benefits of not using AWS. What is the support they provide? Unfortunately, none.

@shmidtelson
Copy link

shmidtelson commented Jul 30, 2023

-bash: vim: command not found [root@***** ~]#

you can use nano

@steveh1973
Copy link

steveh1973 commented Aug 23, 2023

The installation of openssl 1.1.1k will not replace the default 1.0.2 the OS have, it is in addition to the existing old one, correct?
I installed the update but Nessus report still see the old version.
In addition if I run ssh -V i see that ssh still using the old version as many other system components depend on

Thanks,

@pfandl
Copy link

pfandl commented Sep 21, 2023

The installation of openssl 1.1.1k will not replace the default 1.0.2 the OS have, it is in addition to the existing old one, correct? I installed the update but Nessus report still see the old version. In addition if I run ssh -V i see that ssh still using the old version as many other system components depend on

Thanks,

The flag --prefix=/usr would replace the existing one, yes. I am not too sure about some stuff, I would skip the "Export library path" stuff and just make and make install with following config, the no-shared could be the culprit if it means that it disables building a shared library:

./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic

@steveh1973
Copy link

steveh1973 commented Sep 26, 2023

The installation of openssl 1.1.1k will not replace the default 1.0.2 the OS have, it is in addition to the existing old one, correct? I installed the update but Nessus report still see the old version. In addition if I run ssh -V i see that ssh still using the old version as many other system components depend on
Thanks,

The flag --prefix=/usr would replace the existing one, yes. I am not too sure about some stuff, I would skip the "Export library path" stuff and just make and make install with following config, the no-shared could be the culprit if it means that it disables building a shared library:

./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic

Dear pfandl,
Thank you for the comment, I indeed used ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic but ssh -V still shows the old version 1.0.2k-fips

Should I remove th "no-shared" option as it was used as well?
I'm working on CentOS 7.8

Thanks in advance,

@pfandl
Copy link

pfandl commented Sep 26, 2023

Should I remove th "no-shared" option as it was used as well? I'm working on CentOS 7.8

Thanks in advance,

yes, remove it:

no-shared
Do not create shared libraries, only static ones. See "Note
on shared libraries" below.

@steveh1973
Copy link

Should I remove th "no-shared" option as it was used as well? I'm working on CentOS 7.8
Thanks in advance,

yes, remove it:

no-shared
Do not create shared libraries, only static ones. See "Note
on shared libraries" below.

Great,
I'll test it and update you
Thanks so much...

@steveh1973
Copy link

Should I remove th "no-shared" option as it was used as well? I'm working on CentOS 7.8
Thanks in advance,

yes, remove it:

no-shared
Do not create shared libraries, only static ones. See "Note
on shared libraries" below.

Great, I'll test it and update you Thanks so much...

It looks like the make test resault: FAIL
make[1]: *** [_tests] Error 1
make: *** [tests] Error 2

but make install finish and OpenSSL Version show the updated version, 1.1.1v
ssh -V still old version 1.0.2k

Thanks anyway

@pfandl
Copy link

pfandl commented Sep 26, 2023

Ok.
Ok.

Ok.

You have to build ssh also then it seems:

FROM centos:7

RUN yum update -y \
 && yum install -y make gcc perl-core pcre-devel wget zlib-devel git automake

# openssl
RUN wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz \
 && tar xf openssl*.gz \
 && cd openssl* \
 && ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic \
 && make -j$(nproc) \
 && make install

# openssh
RUN git clone https://github.com/openssh/openssh-portable \
 && pushd openssh-portable \
 && autoreconf \
 && ./configure --prefix=/usr --sysconfdir=/etc \
 && make -j$(nproc) \
 && make install
$ docker run --rm sslos ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k  25 Mar 2021

@steveh1973
Copy link

steveh1973 commented Sep 27, 2023

Ok. Ok.

Ok.

You have to build ssh also then it seems:

FROM centos:7

RUN yum update -y \
 && yum install -y make gcc perl-core pcre-devel wget zlib-devel git automake

# openssl
RUN wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz \
 && tar xf openssl*.gz \
 && cd openssl* \
 && ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic \
 && make -j$(nproc) \
 && make install

# openssh
RUN git clone https://github.com/openssh/openssh-portable \
 && pushd openssh-portable \
 && autoreconf \
 && ./configure --prefix=/usr --sysconfdir=/etc \
 && make -j$(nproc) \
 && make install
$ docker run --rm sslos ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k  25 Mar 2021

Many thanks, I'll try it and update you again
P.S
Does it means I have to update any other applications in the system that still uses old openssl?
Although I updated the system openssl it looks like I still have applications like Vertica that is still using libraries fro the old version

Like this alert from Nessus report on Vertica
"/opt/vertica/lib/libcrypto.so.1.1"
Reported version : 1.1.1d
Fixed version : 1.1.1p

or for example here from Nessus report
Path : /usr/lib64/libcrypto.so.1.0.2k
Reported version : 1.0.2k
Fixed version : 1.0.2ze

Sorry for bothering you but I'm not that professional on Linux
Your comments are greatly appreciated

@pfandl
Copy link

pfandl commented Sep 27, 2023

It seems like that you have to rebuild, yes. Didn't know that apps seem to be linked to libssl.so.10 which is not getting replaced if you rebuild it like this. If you just replace it, stuff stops working, so it seems you need to rebuild packages with the new version.

@prashantvidja
Copy link

How can I uninstall it once I don't need it

@Khnaz35
Copy link

Khnaz35 commented Oct 11, 2023

when i did make test i got this report

Test Summary Report
-------------------
../test/recipes/80-test_cms.t                    (Wstat: 1280 Tests: 6 Failed: 5)
  Failed tests:  1-5
  Non-zero exit status: 5
../test/recipes/80-test_ssl_new.t                (Wstat: 256 Tests: 29 Failed: 1)
  Failed test:  12
  Non-zero exit status: 1
Files=158, Tests=2432, 123 wallclock secs ( 1.02 usr  0.31 sys + 92.55 cusr 36.78 csys = 130.66 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/root/openssl-1.1.1k'
make: *** [tests] Error 2

is it save to proceed?

@Khnaz35
Copy link

Khnaz35 commented Oct 11, 2023

Just update i end up installing SSL 3

openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

@reznikmm
Copy link

But still I get below error - ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips 26 Jan 2017. See: urllib3/urllib3#2168

I made this work by executing

export LD_LIBRARY_PATH=<openssl-1.1.1k>

@Dee-OGCIO
Copy link

Very useful. Thanks a lot!

End up updating to version 3 by following your procedure.

@molssongroup
Copy link

This worked like a charm for me on Oracle 7.9. Thanks!

@luiscastillocr
Copy link

This worked like a charm on Centos 8 Vagrant Box .

Thank you

@Nirzak
Copy link

Nirzak commented May 19, 2024

After installing using your guide, I can't rebuild my curl now. it's always showing ld error. I don't know where have you put the libraries of openssl in your command?

@PauloCarvalhoRJ
Copy link

Hello, how do I install it as a devel package? thanks;

@je5sss
Copy link

je5sss commented Jul 13, 2024

Really helpful, thanks a lot.

And for anyone who encountered: "openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory", check if libssl.so.1.1 is actually under /usr/lib (my case). If so, modify /etc/profile.d/openssl.sh as follows and source again:

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:/usr/lib:/usr/lib64

@nzzlinh
Copy link

nzzlinh commented Oct 23, 2024

At 2024 Oct, https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz is no more available

Please use this command instead:

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment