@Bill-tran
Created September 7, 2021 09:22
How to install openssl 1.1.1 on CentOS 7

How To Install OpenSSL 1.1.1 on CentOS 7

This tutorial shows how to build and install OpenSSL 1.1.1 from source on CentOS 7, since the yum repo only installs up to OpenSSL 1.0.

Requirements

Upgrade the system

yum -y update

Install required packages

yum install -y make gcc perl-core pcre-devel wget zlib-devel

Download the OpenSSL source code (1.1.1k in this tutorial)

wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

Configure, build and install OpenSSL

Uncompress the source file

tar -xzvf openssl-1.1.1k.tar.gz

Change to the OpenSSL directory

cd openssl-1.1.1k

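Configure the package for compilation. --prefix=/usr installs into the system paths, and no-shared builds static libraries only, so no new libssl or libcrypto shared library is produced for other programs to load.

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic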

Compile package

make

Test compiled package

make test

Install compiled package

make install

Export library path

Create environment variable file

vim /etc/profile.d/openssl.sh

Add the following content

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Load the environment variable

source /etc/profile.d/openssl.sh

Verify the OpenSSL version

openssl version
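
The procedure above downloads a tarball and runs make install as root without checking the download. The following is an added example, not part of the gist, that gates the extract step on a SHA-256 match. The names verify_tarball, normalize_digest and EXPECTED_SHA256 are made up here, and the expected digest must be the value the OpenSSL project publishes for that exact file.

```shell
#!/bin/sh
# Added example, not part of the gist: verify a source tarball's SHA-256
# before building and installing it as root.

# normalize_digest LINE: take the first whitespace-separated field of a digest
# line ("<hex>" or "<hex>  <filename>"), lower-case it, require 64 hex chars.
normalize_digest() {
    d=$(printf '%s' "$1" | awk '{ print tolower($1); exit }')
    case "$d" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# verify_tarball FILE EXPECTED: 0 on match, 1 on mismatch, 2 on bad input.
verify_tarball() {
    file=$1
    expected=$(normalize_digest "$2") || { echo "bad expected digest" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file: got $actual" >&2
        return 1
    fi
}

# Usage in the tutorial's flow (EXPECTED_SHA256 is a placeholder, fill it in
# from the project's published digest before running):
#   verify_tarball openssl-1.1.1k.tar.gz "$EXPECTED_SHA256" \
#     && tar -xzvf openssl-1.1.1k.tar.gz
```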
@anibalpacheco

-bash: vim: command not found [root@***** ~]#

sudo yum install vim

@bentole

bentole commented Mar 7, 2023

Thanks a bunch for this one @Bill-tran ! Saved me hours of frustration probably 😆 !

Take care!

@savitafulmali

I followed the exact steps -
openssl version
OpenSSL 1.1.1 11 Sep 2018

But I still get the error below -
ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips 26 Jan 2017. See: urllib3/urllib3#2168

@zongren

zongren commented Jun 12, 2023

@savitafulmali reinstall python?

@paulocoghi

Just some feedback. It works perfectly on an old CentOS 7.9

Thanks a lot!

@gary54654576

gary54654576 commented Jul 28, 2023

What does the path /usr/local/lib:/usr/local/lib64 point to?

I just work in AWS and I don't have such folders, what should I do?

@paulocoghi

paulocoghi commented Jul 28, 2023

@gary54654576 It's at such moments that I reinforce the benefits of not using AWS. What is the support they provide? Unfortunately, none.

@shmidtelson

shmidtelson commented Jul 30, 2023

-bash: vim: command not found [root@***** ~]#

You can use nano

@steveh1973

steveh1973 commented Aug 23, 2023

The installation of openssl 1.1.1k will not replace the default 1.0.2 the OS has, it is in addition to the existing old one, correct?
I installed the update but the Nessus report still sees the old version.
In addition, if I run ssh -V I see that ssh is still using the old version, as many other system components depend on

Thanks,

@pfandl

pfandl commented Sep 21, 2023

The flag --prefix=/usr would replace the existing one, yes. I am not too sure about some stuff, I would skip the "Export library path" stuff and just make and make install with following config, the no-shared could be the culprit if it means that it disables building a shared library:

./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic

@steveh1973

steveh1973 commented Sep 26, 2023

Dear pfandl,
Thank you for the comment, I indeed used ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic but ssh -V still shows the old version 1.0.2k-fips

Should I remove the "no-shared" option as it was used as well?
I'm working on CentOS 7.8

Thanks in advance,

@pfandl

pfandl commented Sep 26, 2023

yes, remove it:

no-shared
Do not create shared libraries, only static ones. See "Note
on shared libraries" below.

@steveh1973

Great,
I'll test it and update you
Thanks so much...

@steveh1973

It looks like the make test result: FAIL
make[1]: *** [_tests] Error 1
make: *** [tests] Error 2

but make install finished and OpenSSL version shows the updated version, 1.1.1v
ssh -V still old version 1.0.2k

Thanks anyway

@pfandl

pfandl commented Sep 26, 2023

Ok.
Ok.

Ok.

You have to build ssh also then it seems:

FROM centos:7

RUN yum update -y \
 && yum install -y make gcc perl-core pcre-devel wget zlib-devel git automake

# openssl
RUN wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz \
 && tar xf openssl*.gz \
 && cd openssl* \
 && ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic \
 && make -j$(nproc) \
 && make install

# openssh
RUN git clone https://github.com/openssh/openssh-portable \
 && pushd openssh-portable \
 && autoreconf \
 && ./configure --prefix=/usr --sysconfdir=/etc \
 && make -j$(nproc) \
 && make install

$ docker run --rm sslos ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k  25 Mar 2021

@steveh1973

steveh1973 commented Sep 27, 2023

Many thanks, I'll try it and update you again
P.S
Does it mean I have to update any other applications in the system that still use the old openssl?
Although I updated the system openssl, it looks like I still have applications like Vertica that are still using libraries from the old version

Like this alert from Nessus report on Vertica
"/opt/vertica/lib/libcrypto.so.1.1"
Reported version : 1.1.1d
Fixed version : 1.1.1p

or for example here from Nessus report
Path : /usr/lib64/libcrypto.so.1.0.2k
Reported version : 1.0.2k
Fixed version : 1.0.2ze

Sorry for bothering you but I'm not that professional on Linux
Your comments are greatly appreciated

@pfandl

pfandl commented Sep 27, 2023

It seems that you have to rebuild, yes. Didn't know that apps seem to be linked to libssl.so.10 which is not getting replaced if you rebuild it like this. If you just replace it, stuff stops working, so it seems you need to rebuild packages with the new version.
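
The symptom discussed in this thread (openssl version reports the new release while ssh -V and Nessus still show 1.0.2k) comes down to which shared library each binary loads. The following is an added example, not posted by any commenter, that classifies the libssl and libcrypto entries in ldd output. The function names are made up here.

```shell
#!/bin/sh
# Added example, not part of the gist or its comments: list the OpenSSL shared
# libraries a dynamically linked binary resolves, from `ldd` output.

# openssl_branch SONAME: map a library soname to its OpenSSL release line.
openssl_branch() {
    case "$1" in
        libssl.so.10|libcrypto.so.10)   echo "1.0.x" ;;  # RHEL/CentOS 7 system soname
        libssl.so.1.1|libcrypto.so.1.1) echo "1.1.x" ;;
        libssl.so.3|libcrypto.so.3)     echo "3.x" ;;
        *)                              echo "unknown" ;;
    esac
}

# linked_openssl: read `ldd` output on stdin; print "soname path branch" for
# every libssl/libcrypto entry, or a single "none" line if there is no entry.
linked_openssl() {
    found=0
    while read -r soname _arrow path _rest || [ -n "$soname" ]; do
        case "$soname" in
            libssl.so.*|libcrypto.so.*)
                found=1
                # ldd prints "=> not found" when the loader cannot resolve it
                if [ "$path" = "not" ]; then path="not-found"; fi
                echo "$soname $path $(openssl_branch "$soname")"
                ;;
        esac
    done
    if [ "$found" -eq 0 ]; then echo "none"; fi
}

# Usage on a live system:
#   ldd "$(command -v ssh)" | linked_openssl
```

A result of `none` for a binary that does use TLS means OpenSSL was linked statically, which is what the gist's no-shared build produces for the openssl command itself. For Python, `python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'` shows the library its ssl module is using.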

@prashantvidja

How can I uninstall it once I don't need it?

@Khnaz35

Khnaz35 commented Oct 11, 2023

When I did make test I got this report

Test Summary Report
-------------------
../test/recipes/80-test_cms.t                    (Wstat: 1280 Tests: 6 Failed: 5)
  Failed tests:  1-5
  Non-zero exit status: 5
../test/recipes/80-test_ssl_new.t                (Wstat: 256 Tests: 29 Failed: 1)
  Failed test:  12
  Non-zero exit status: 1
Files=158, Tests=2432, 123 wallclock secs ( 1.02 usr  0.31 sys + 92.55 cusr 36.78 csys = 130.66 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/root/openssl-1.1.1k'
make: *** [tests] Error 2

Is it safe to proceed?

@Khnaz35

Khnaz35 commented Oct 11, 2023

Just an update: I ended up installing SSL 3

openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

@reznikmm

But still I get below error - ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips 26 Jan 2017. See: urllib3/urllib3#2168

I made this work by executing

export LD_LIBRARY_PATH=<openssl-1.1.1k>

@Dee-OGCIO

Very useful. Thanks a lot!

Ended up updating to version 3 by following your procedure.

@molssongroup

This worked like a charm for me on Oracle 7.9. Thanks!

@luiscastillocr

This worked like a charm on CentOS 8 Vagrant box.

Thank you
