How To Install OpenSSL 1.1.1 on CentOS 7

This tutorial shows how to build and install OpenSSL 1.1.1 from source on CentOS 7, since the yum repo only installs up to OpenSSL 1.0.

Requirements

Upgrade the system

yum -y update

Install required packages

yum install -y make gcc perl-core pcre-devel wget zlib-devel

Download the latest version of OpenSSL source code

wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

Configure, build and install OpenSSL

Uncompress the source file

tar -xzvf openssl-1.1.1k.tar.gz

Change to the OpenSSL directory

cd openssl-1.1.1k

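Configure the package for compilation. With --prefix=/usr, make install writes the openssl binary and headers into the locations used by the distribution's own packages (/usr/bin/openssl, /usr/include/openssl).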

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

Compile package

make

Test compiled package

make test

Install compiled package

make install

Export library path

Create environment variable file

vim /etc/profile.d/openssl.sh

Add the following content

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Load the environment variable

source /etc/profile.d/openssl.sh

Verify the OpenSSL version

openssl version
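
The download step above unpacks whatever wget returned without checking it. As an added example (not part of the original gist), this shell function compares the tarball with a SHA-256 digest file before unpacking; the digest file name is an assumption, and the digest must come from the SHA256 link on the OpenSSL download page, not be computed from the downloaded file.

```shell
#!/usr/bin/env bash
# Added example: refuse to unpack a source tarball whose SHA-256 does not
# match a digest obtained separately from the download itself.

# normalize_digest FILE: print the lowercase hex digest stored in FILE.
# Accepts a bare digest as well as the "digest  filename" layout that
# sha256sum writes.
normalize_digest() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# verify_tarball TARBALL DIGEST_FILE
# Returns 0 only on an exact match, 1 on mismatch, 2 if a file is
# unreadable, 3 if the digest file does not contain a SHA-256 value.
verify_tarball() {
    local tarball="$1" digest_file="$2" expected actual
    [ -r "$tarball" ] && [ -r "$digest_file" ] || return 2
    expected=$(normalize_digest "$digest_file")
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # (empty file, an HTML error page saved by wget, a truncated download).
    case $expected in
        *[!0-9a-f]*|"") return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Intended use in the procedure above (the .sha256 file name is an assumption):
#   verify_tarball openssl-1.1.1k.tar.gz openssl-1.1.1k.tar.gz.sha256 \
#       && tar -xzvf openssl-1.1.1k.tar.gz
```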

lain0 commented Sep 27, 2021

Thanks!
It works - OpenSSL 1.1.1k 25 Mar 2021 now.

But what consequences am I supposed to expect for ruby and php modules compiled with openssl 1.0.2?

shunut commented Oct 14, 2021

I'm having an issue with make test. Does it matter what directory I start in when I download and unpack openssl-1.1.1k.tar.gz?

mavaddat commented Nov 8, 2021

> I'm having an issue with make test.

The make test command should be run in the openssl repository root.

cd ~
git clone git://git.openssl.org/openssl.git
cd openssl/
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic -Wl,-rpath=/usr/local/ssl/lib -Wl,--enable-new-dtags
make
make test
make install
ldconfig
openssl version -a

> Does it matter what directory I start in when I download and unpack openssl-1.1.1k.tar.gz?

It depends on what flags you provide to configure and make. Depending on the paths, it is possible to invoke catastrophic recursion or a symlink labyrinth. A natural place to start the clone and build is $HOME.

There's no place like home

w2u-dev commented Jan 26, 2022

Bravo!

leiless commented Jan 27, 2022

@mavaddat, it worked! Thanks!
It's recommended to build from a stable release: https://www.openssl.org/source/

thomasm2film commented Feb 3, 2022

Working beautifully - can this be "easily" packaged into an RPM?

thomasm2film commented Feb 3, 2022

This one installs, but not as openssl, but openssl11
https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/o/openssl11-1.1.1k-2.el7.x86_64.rpm

root ~ $ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

root ~ $ openssl11 version
OpenSSL 1.1.1k FIPS 25 Mar 2021

Mayank-Rk-Gupta commented Mar 29, 2022

I was having an issue with wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz. I manually downloaded it with the link https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz and then imported it into my docker. The rest I followed the same; it worked for me :)

pi-webdev commented May 8, 2022

Very nice, thank you!

davidcheungo123 commented May 16, 2022

I successfully upgraded the version; however, the openssl version of the response header is still the old version. Does anyone know how to solve this issue? Many thanks.

mavaddat commented May 17, 2022

> I successfully upgraded the version; however, the openssl version of the response header is still the old version. Does anyone know how to solve this issue? Many thanks.

Your system has more than one version of OpenSSL and/or the application you're using has its own OpenSSL module pre-packaged inside the application.

Which OpenSSL binaries does your system have?

Using which:

which openssl

Using pkgconfig:

pkg-config --debug --list-all   | grep 'openssl'

Using pkgconf-pkg-config:

pkgconf --debug --list-all   | grep 'openssl'

Get the openssl version:

openssl version

Get the openssl version in ssh:

ssh -V

Get the openssl version in curl:

curl --version

These commands will tell you what OpenSSL they are using and built with.

Please check the documentation for the relevant application to learn how to build it with OpenSSL 1.1.1.
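
The inventory described in the comment above, as an added example that is not part of the original thread: it parses ldd output to show which libssl/libcrypto each program loads, which is what decides the version a service reports, not the openssl binary on PATH. The function names and sample ldd lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarize which libssl/libcrypto a program resolves at
# load time, based on ldd output.

# ssl_libs_from_ldd: read ldd output on stdin and print one line per
# OpenSSL library as "<soname> <resolved path or NOT-FOUND>".
# Prints "none" when there is no dynamic OpenSSL dependency at all
# (statically linked copy, or another TLS library such as NSS).
ssl_libs_from_ldd() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen = 1
            if ($3 == "not") print $1, "NOT-FOUND"
            else             print $1, $3
        }
        END { if (!seen) print "none" }
    '
}

# report_openssl_linkage PROG...: apply the summary to programs on PATH.
report_openssl_linkage() {
    local prog path
    for prog in "$@"; do
        path=$(command -v "$prog") || { echo "$prog: not installed"; continue; }
        echo "== $path"
        ldd "$path" 2>/dev/null | ssl_libs_from_ldd
    done
}

# Constructed ldd output: a binary built against shared 1.1.1 libraries
# whose directory is no longer on the loader search path.
SAMPLE_BROKEN='    linux-vdso.so.1 =>  (0x00007ffc0a5f2000)
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c2a3d0000)'

# Constructed ldd output: a program still using the distribution library.
SAMPLE_SYSTEM='    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8e1b2a4000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f8e1a8c1000)'

# Typical call on the host being checked:
#   report_openssl_linkage openssl ssh curl httpd
```

A result of "none" for the openssl binary is expected after a no-shared build such as the one in the tutorial: the new code lives only inside that binary, and every other program keeps loading the libraries it was linked against.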

davidcheungo123 commented May 17, 2022

I tried uninstalling the default openssl version and followed this tutorial, and still no hope. The output of openssl version is indeed OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021). According to a related article, someone suggested that we can use apxs to compile a new version of mod_ssl to point to a different openssl version, but I am still looking for some materials to do so. It would be great if someone has hands-on experience with this apxs stuff, specifically for the mod_ssl installation issue.

mavaddat commented May 17, 2022

> someone suggested that we can use apxs to compile a new version of mod_ssl to point to a different openssl version

Try reading the discussion here: Build mod_ssl.so using OpenSSL from non-standard location.

apxs2 -c *.c
sudo apxs2 -i mod_ssl.la

Shikhar0051 commented May 25, 2022

I am trying to uninstall openssl 1.1.1o, which I installed using the above method.
It was successfully installed but didn't give me the results I wished for, so I want to revert back to the openssl version which was pre-installed.

I tried make clean and make uninstall.
make uninstall is giving an error while removing directories which I really don't want to delete.

On trying to check the version, it showed me: OpenSSL 1.1.1o 3 May 2022

Then I removed the environment variable which was set during installation, which gave me the following error:
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

For the above solution:
I checked the version using ssh -V on the same Linux server; it showed me the following:
[root@osboxes openssl-1.1.1o]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
and curl --version showed:
[root@osboxes openssl-1.1.1o]# curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

What I suspect is that both openssl versions 1.1.1o and 1.0.2k are installed on my machine, but somewhere the linking is affecting the version check.

I have already tried yum reinstall openssl, but it is of no help.

charlielin commented Jul 15, 2022

Does it need to rm /usr/lib64/libcrypto.so && ln -s /usr/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so

Scifideity commented Jul 29, 2022

Followed these steps to install 1.1.1q on CentOS7 but get the following error during the 'make install' step :

install ./include/openssl/txt_db.h -> /usr/include/openssl/txt_db.h
install ./include/openssl/ui.h -> /usr/include/openssl/ui.h
install ./include/openssl/uierr.h -> /usr/include/openssl/uierr.h
install ./include/openssl/whrlpool.h -> /usr/include/openssl/whrlpool.h
install ./include/openssl/x509.h -> /usr/include/openssl/x509.h
install ./include/openssl/x509_vfy.h -> /usr/include/openssl/x509_vfy.h
install ./include/openssl/x509err.h -> /usr/include/openssl/x509err.h
install ./include/openssl/x509v3.h -> /usr/include/openssl/x509v3.h
install ./include/openssl/x509v3err.h -> /usr/include/openssl/x509v3err.h
install libcrypto.a -> /usr/lib/libcrypto.a
install libssl.a -> /usr/lib/libssl.a
basename: missing operand
Try 'basename --help' for more information.
make: *** [install_dev] Error 1

Am I missing a step somewhere?

mavaddat commented Jul 29, 2022

> Am I missing a step somewhere?

@Scifideity, you need to run make install as root or using sudo. See the OpenSSL wiki on compilation.

Scifideity commented Aug 1, 2022

Hi Mavaddat, I am using root. I tried using sudo just in case but got the same results.

make works & make test is successful:

All tests successful.
Files=158, Tests=2437, 146 wallclock secs ( 1.52 usr 0.40 sys + 93.09 cusr 64.38 csys = 159.39 CPU)
Result: PASS
Tests are not supported with your chosen Configure options
make[1]: Leaving directory `/root/openssl-1.1.1q'

make install fails

basename: missing operand
Try 'basename --help' for more information.
make: *** [install_dev] Error 1

mavaddat commented Aug 1, 2022

@Scifideity Please see openssl/openssl#13933. The INSTALL_SHLIB_INFO is missing the third component, which eventually gets parsed into fn3. The specific fix is here: openssl/openssl@c66c92a

Scifideity commented Aug 2, 2022

> @Scifideity Please see openssl/openssl#13933. The INSTALL_SHLIB_INFO is missing the third component, which eventually gets parsed into fn3. The specific fix is here: openssl/openssl@c66c92a

@mavaddat Is there a particular build of openssl that has this file already?
I'm using 1.1.1q, but the unix-Makefile.tmpl doesn't resemble the code on that fix page and the line numbers don't sync up. I did find the area the code looked like it belonged in by referencing the unchanged parts around each edit and made the updates, but that just led to a new error, so I'm guessing my edits weren't entirely successful.
I then fell back and tried 1.1.1k thinking the file may be from that package since it's the one used in the instructions above but that too was unsuccessful.

mavaddat commented Aug 2, 2022

> @mavaddat Is there a particular build of openssl that has this file already?

@Scifideity The aforementioned merge appears to have been made 22 Jan 2021, so I would expect that releases after then would include the fix.

Here is a portion of the release table from OpenSSL source:

KBytes  Date   File 
9629  2022-Jun-21 14:03:44  openssl-1.1.1p.tar.gz  (SHA256) (PGP sign) (SHA1)
9625  2022-May-03 14:02:38  openssl-1.1.1o.tar.gz  (SHA256) (PGP sign) (SHA1)
9619  2022-Mar-15 15:24:36  openssl-1.1.1n.tar.gz  (SHA256) (PGP sign) (SHA1)

So it looks like n, o, p are going to have the fix in them.

Scifideity commented Aug 2, 2022

@mavaddat First off, thank you so much for the assistance. I really appreciate it.

I pulled down those versions and so far have not been able to find any trace of that fix in the unix-Makefile.tmpl file. It looks like in openssl-1.1.1k the file size was 54704 but that changed to a smaller size starting in openssl-1.1.1l when it went down to 54686. While the fix did remove some stuff, it added more than it removed so I would expect the file to have increased in size. The file appears unchanged since openssl-1.1.1l

I searched every version of the unix-Makefile.tmpl for the new fn3 value and none of them have any reference to it.

[root@]# cat openssl-1.1.1k/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1l/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1m/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1n/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1o/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1p/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#
[root@]# cat openssl-1.1.1q/Configurations/unix-Makefile.tmpl | grep fn3
[root@]#

The first fn1=basename $$s1; \ entry is on line 627 in the files instead of 657 like the fix page shows so I'm wondering if the fix got merged at all.

I will give making the edits manually another go. I tried using the entire file as shown on the fix page but that introduced a whole new set of issues. I'm speculating that it is doing other things that require updates to additional files or something like that.

mavaddat commented Aug 2, 2022

> The first fn1=basename $$s1; \ entry is on line 627 in the files instead of 657 like the fix page shows so I'm wondering if the fix got merged at all.

I think you're right, @Scifideity . The merge openssl/openssl@d9c22dd was actually made on 25 Jan 2021 for the v3 branch. I don't think this fix was merged into the v1 branch.
