OpenSSL on CentOS

How to install latest version of OpenSSL on CentOS?

Hi there, today I would like to show you how to install latest version of OpenSSL (1.1.0g) on CentOS 7

Do I need latest version of OpenSSL?

In general - you don't. Default version is doing great job and it's secure. I needed it for compiling Apache HTTP with HTTP/2 support. Default version of OpenSSL installed on CentOS (1.0.1e) does not support it yet, hence the need of using latest version instead.

If you need it for any other reason, this tutorial is for you:)

How to check current version of OpenSSL?

In order to check current version of installed package you need to execute following command:

openssl version

It will print out version of installed package like OpenSSL 1.0.1e-fips 11 Feb 2013

How to install latest version of OpenSSL?

I compile OpenSSL from source code. In order to compile it successfully you need to install some tools that will help you compile it:

sudo yum install libtool perl-core zlib-devel -y

It will install compiler and few other libraries that are required to compile OpenSSL.

Next download latest version of OpenSSL source code. I like to use releases page on GitHub. I choose the version without FIPS simply because I don't need compatibility with it. And I think that it's a bit more secure to have OpenSSL without FIPS, as fixes are usually included much faster in regular version than in FIPS version. If you want to read more about it, use this link.

In order to download source code, use following command:

curl -O -L https://github.com/openssl/openssl/archive/OpenSSL_1_1_0g.tar.gz

Source code comes in compressed package. In order to decompress it use following command:

tar -zxvf OpenSSL_1_1_0g.tar.gz
cd openssl-OpenSSL_1_1_0g

Now it's time to configure and compile OpenSSL:

./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
make
make test

prefix and openssldir sets the output paths for OpenSSL. shared will force crating shared libraries and zlib means that compression will be performed by using zlib library

It is worth to run the tests to see if there are any unexpected errors. If there are any, you need to fix them before installing library.

In order to install library you need to execute:

sudo make install

I usually delete all source files to keep system clean after installation. However sources of OpenSSL are required to compile other tools such us Apache, Nginx etc., so I don't remove them.

Add new version to PATH

After the installation you will probably want to check the version of OpenSSL but it will print out old version. Why? Because it's also installed on your server. I rarely override packages installed via yum. The reason is that when there is new version of OpenSSL and you will install it via yum, it will simply override compiled version, and you will have to recompile it again.

Instead of overriding files I personally like to create new profile entry and force the system to use compiled version of OpenSSL.

In order to do that, create following file:

sudo vi /etc/profile.d/openssl.sh

and paste there following content:

# /etc/profile.d/openssl.sh
pathmunge /usr/local/openssl/bin

Save the file and reload your shell, for instance log out and log in again. Then you can check the version of your OpenSSL client. Or maybe...

Link libraries

Or maybe you will get an error with loading shared libraries? In order to fix that problem we need to create an entry in ldconfig.

Create following file:

sudo vi /etc/ld.so.conf.d/openssl-1.1.0g.conf

And paste there following contents:

# /etc/ld.so/conf.d/openssl-1.1.0g.conf
/usr/local/openssl/lib

We simply told the dynamic linker to include new libraries. After creating the file you need to reload linker by using following command:

sudo ldconfig -v

And volia! Check the version of your OpenSSL now. It should print out OpenSSL 1.1.0g 2 Nov 2017

  • fernandus fero
    • Krystian

      Hi there,
      Sorry for late reply! I just updated this tutorial to 1.1.0g version. It should get your new version up and running. I checked your questions on experts-exchange and stackexchange and it seems that you are trying to compile PHP with new OpenSSL. I have tutorial here for installing PHP from source: https://blacksaildivision.com/php-install-from-source It covers older 5.6.6 version but it should be more or less valid also for 7.2 version. When I find some time I’ll update it with instructions to compile with custom OpenSSL.
      One more thing that can help you with that is to force PHP compiler tu use new libraries. You can try –with-openssl=/usr/src/openssl-OpenSSL_1_1_0g
      Directory I’m using here is directory that contains downloaded sources from GitHub.

      • Justin Gregory

        Do you know if OpenSSL 1.x can be updated/installed on RHEL 5.xx, specifically 5.08?

        • Krystian

          Hi there,
          Sorry for the late reply! I actually have no idea whether it’s possible or not. I started on RHEL 6 so I don’t have much experience with previous versions. However this tutorial shows how to compile OpenSSL from source. You could try to compile it without removing version you already have. If you compile it with success then you will know that it’s possible. If you fail that you won’t break anything, just remove the source code and dependencies you installed for compilation:)

  • Aaro Kuusela

    Very nice tutorial. Thank you!

  • Nazareno Anselmi

    Awesome tutorial! it worked perfect on my centos 7.4 and OpenSSL 1.1.1-pre2 (alpha) 27 Feb 2018

  • merv

    Nice tutorial. First time compiling openssl, the test past however, there were a few things. should I be concerned ?
    ../test/recipes/05-test_md2.t ………….. skipped: md2 is not supported by this OpenSSL build
    ../test/recipes/05-test_rc5.t ………….. skipped: rc5 is not supported by this OpenSSL build
    ../test/recipes/30-test_afalg.t ………… skipped: test_afalg not supported for this build
    ../test/recipes/90-test_heartbeat.t …….. skipped: heartbeats is not supported by this build

    • merv

      I have gone ahead with the install and added the profile and link libraries. Regarding future updates, can i use yum or do I recompile the newer version and install over the top of the existing? Thanks