OpenSSL on CentOS

How to install latest version of OpenSSL on CentOS?

Hi there, today I would like to show you how to install the latest version of OpenSSL (1.1.0g) on CentOS 7.

Do I need latest version of OpenSSL?

In general, you don't. The default version does a great job and it's secure. I needed it for compiling Apache HTTP with HTTP/2 support. The default version of OpenSSL installed on CentOS (1.0.1e) does not support it yet, hence the need to use the latest version instead.

If you need it for any other reason, this tutorial is for you:)

How to check current version of OpenSSL?

In order to check the current version of the installed package, execute the following command:

openssl version

It will print out the version of the installed package, like OpenSSL 1.0.1e-fips 11 Feb 2013

How to install latest version of OpenSSL?

I compile OpenSSL from source code. In order to compile it successfully you need to install some tools that will help you compile it:

sudo yum install libtool perl-core zlib-devel -y

It will install the compiler and a few other libraries that are required to compile OpenSSL.

Next, download the latest version of the OpenSSL source code. I like to use the releases page on GitHub. I choose the version without FIPS simply because I don't need compatibility with it. And I think that it's a bit more secure to have OpenSSL without FIPS, as fixes are usually included much faster in the regular version than in the FIPS version. If you want to read more about it, use this link.

In order to download the source code, use the following command:

curl -O -L

The source code comes in a compressed package. In order to decompress it, use the following command:

tar -zxvf OpenSSL_1_1_0g.tar.gz
cd openssl-OpenSSL_1_1_0g

Now it's time to configure and compile OpenSSL:

./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
make test

prefix and openssldir set the output paths for OpenSSL. shared forces the creation of shared libraries, and zlib means that compression will be performed using the zlib library.

It is worth running the tests to see if there are any unexpected errors. If there are any, you need to fix them before installing the library.

In order to install the library you need to execute:

sudo make install

I usually delete all source files to keep the system clean after installation. However, the sources of OpenSSL are required to compile other tools such as Apache, Nginx etc., so I don't remove them.

Add new version to PATH

After the installation you will probably want to check the version of OpenSSL, but it will print out the old version. Why? Because the old version is also still installed on your server. I rarely override packages installed via yum. The reason is that when there is a new version of OpenSSL and you install it via yum, it will simply override the compiled version, and you will have to recompile it again.

Instead of overriding files, I personally like to create a new profile entry and force the system to use the compiled version of OpenSSL.

In order to do that, create the following file:

sudo vi /etc/profile.d/

and paste the following content there:

# /etc/profile.d/
pathmunge /usr/local/openssl/bin

Save the file and reload your shell, for instance log out and log in again. Then you can check the version of your OpenSSL client. Or maybe...

Link libraries

Or maybe you will get an error with loading shared libraries? In order to fix that problem we need to create an entry in ldconfig.

Create the following file:

sudo vi /etc/

And paste the following contents there:

# /etc/

We simply told the dynamic linker to include the new libraries. After creating the file you need to reload the linker by using the following command:

sudo ldconfig -v

And voilà! Check the version of your OpenSSL now. It should print out OpenSSL 1.1.0g 2 Nov 2017
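
To confirm that the profile entry and the ldconfig entry both took effect for a given binary, the added example below (not part of the original tutorial) classifies the libssl/libcrypto lines of `ldd` output by whether they resolve under the compiled prefix. The function names `ssl_lib_origin` and `uses_only_custom` are made up for this example, and the `ldd` lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the tutorial): report which libssl/libcrypto a
# binary resolves to. Reads `ldd` output on stdin; $1 is the --prefix
# given to ./config. Output: "<soname> custom|system|missing <path>".
ssl_lib_origin() {
    prefix=${1:-/usr/local/openssl}
    prefix=${prefix%/}
    awk -v prefix="$prefix" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($2 != "=>" || $3 == "not") { print $1, "missing", "-"; next }
            origin = (index($3, prefix "/") == 1) ? "custom" : "system"
            print $1, origin, $3
        }'
}

# Succeeds only if every OpenSSL library comes from the compiled prefix.
# Returns 2 when the binary does not link OpenSSL at all.
uses_only_custom() {
    out=$(ssl_lib_origin "$1")
    [ -n "$out" ] || return 2
    ! printf '%s\n' "$out" | grep -qv ' custom '
}

# Constructed sample: ldd output once PATH and ldconfig are set up.
SAMPLE_GOOD='    libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x00007f0000000000)
    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
# Constructed sample: a binary still bound to the distribution libraries.
SAMPLE_OLD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000100000)'
# Constructed sample: new binary, but the linker cache was not reloaded.
SAMPLE_MISSING='    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found'

for s in "$SAMPLE_GOOD" "$SAMPLE_OLD" "$SAMPLE_MISSING"; do
    printf '%s\n' "$s" | ssl_lib_origin /usr/local/openssl
    echo "--"
done

# On a live system, feed it real output, e.g.:
#   ldd /usr/local/openssl/bin/openssl | ssl_lib_origin /usr/local/openssl
```

A `system` or `missing` line for a binary you expected to use the new build means the linker entry has not taken effect for it, or the binary was linked against the distribution's libraries at build time.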

  • fernandus fero
    • Krystian

      Hi there,
      Sorry for the late reply! I just updated this tutorial to the 1.1.0g version. It should get your new version up and running. I checked your questions on experts-exchange and stackexchange and it seems that you are trying to compile PHP with the new OpenSSL. I have a tutorial here for installing PHP from source: It covers the older 5.6.6 version but it should be more or less valid also for the 7.2 version. When I find some time I'll update it with instructions to compile with a custom OpenSSL.
      One more thing that can help you with that is to force the PHP compiler to use the new libraries. You can try --with-openssl=/usr/src/openssl-OpenSSL_1_1_0g
      Directory I’m using here is directory that contains downloaded sources from GitHub.

      • Justin Gregory

        Do you know if OpenSSL 1.x can be updated/installed on RHEL 5.xx, specifically 5.08?

        • Krystian

          Hi there,
          Sorry for the late reply! I actually have no idea whether it's possible or not. I started on RHEL 6 so I don't have much experience with previous versions. However, this tutorial shows how to compile OpenSSL from source. You could try to compile it without removing the version you already have. If you compile it with success then you will know that it's possible. If you fail then you won't break anything, just remove the source code and dependencies you installed for compilation :)

          • 4digitalmasters

            RHEL 6 has Linux Kernel 2.6… I believe? So, I wonder how that works???

            Unless of course you upgraded your kernel to 4.13 or newer…

            If you type:

            # uname -msr

            what does it show?

        • 4digitalmasters

          OpenSSL 1.1.1 needs Linux Kernel 4.13+ for TLS 1.3 to work…

          written by Filippo Valsorda

          Linux 4.13 introduces support for nothing less than… TLS!

          The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel.
          So, If you manage to upgrade the Linux Kernel to 4.13+ (or newer) and can still boot, then the answer is yes. For the booting to work out well, you also need grub2…

          – the Kernel upgrade works,
          – grub2 install from source works fine and well

          However, on CentOS / RHEL 5 & 6 it can happen that at the next reboot your system will be stuck in grub2… 🙁

          So you might want to save your RHEL 5 instance, then install RHEL 7.5 as a clean install and then migrate your installation from RHEL 5 to 7.5…

          Hope it helps!

  • Aaro Kuusela

    Very nice tutorial. Thank you!

  • Nazareno Anselmi

    Awesome tutorial! it worked perfect on my centos 7.4 and OpenSSL 1.1.1-pre2 (alpha) 27 Feb 2018

  • merv

    Nice tutorial. First time compiling openssl, the tests passed; however, there were a few things. Should I be concerned?
    ../test/recipes/05-test_md2.t ………….. skipped: md2 is not supported by this OpenSSL build
    ../test/recipes/05-test_rc5.t ………….. skipped: rc5 is not supported by this OpenSSL build
    ../test/recipes/30-test_afalg.t ………… skipped: test_afalg not supported for this build
    ../test/recipes/90-test_heartbeat.t …….. skipped: heartbeats is not supported by this build

    • merv

      I have gone ahead with the install and added the profile and link libraries. Regarding future updates, can i use yum or do I recompile the newer version and install over the top of the existing? Thanks

  • E71

    Thanks for the tutorial.

    Zlib wasn’t working for me. It is installed but compiler throws errors. Had to omit it.
    Also, I needed newer compilers and perl to compile openssl-1.1.1-pre8:

    yum install -y centos-release-scl*
    yum install -y devtoolset-7 rh-perl524*
    tar zxvf openssl-1.1.1-pre8.tar.gz
    cd openssl-1.1.1-pre8
    scl enable devtoolset-7 rh-perl524 bash
    ./config --prefix=/opt/openssl --openssldir=/opt/openssl shared

    # they all worked for me except 04_test_err but i think it’s a bug:
    make test

    # install without all the man files:
    make install_sw

    echo "# /etc/" > /etc/
    echo "/opt/openssl/lib" > /etc/

    # leave scl environment

    I was then ready to compile Apache 2.4 with HTTP/2 support.

    • Ray Morris

      04_test fails because of an actual bug in the code. You can find a patch for it inside the CentOS source RPM, or hunt for it in Openssl GitHub. The error return code is being overwritten when it shouldn’t be.

  • Emeka Augustine

    Thank you very much; you're a life saver!

  • Randy
  • Chris C

    My “make test” or “sudo make test” fails… 🙁

    I see lots of times this same message:
    Non-zero exit status: 255
    Parse errors: No plan found in TAP output

    Then at the end:
    Files=152, Tests=0, 5 wallclock secs ( 0.41 usr 0.20 sys + 3.02 cusr 0.39 csys = 4.02 CPU)
    Result: FAIL
    make[1]: *** [_tests] Error 1
    make[1]: Leaving directory `/usr/src/openssl-1.1.1a'
    make: *** [tests] Error 2

    I have no problems running the following commands before:

    sudo yum install libtool perl-core zlib-devel -y
    cd /usr/src
    sudo wget
    sudo tar -zxvf openssl-1.1.1a.tar.gz
    cd openssl-1.1.1a
    sudo ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
    sudo make

    Trying to upgrade from OpenSSL 1.0.1e to 1.1.1a on CentOS 6.10

  • Jacek Przepióra

    Thanks for this incredible article.
    IMO – for build from 2.4.38.tar.gz on CentOS 7 you can modify ./configure command from

    ./configure --enable-ssl --enable-so --enable-http2 --with-mpm=event --with-included-apr --with-ssl=/usr/local/openssl --prefix=/usr/local/apache2

    to

    ./configure --enable-ssl --enable-so --enable-http2 --with-mpm=event --with-included-apr --with-ssl=/usr/local/openssl --enable-layout=RedHat

  • Sinisa Bajsic

    Hi. I have one problem. After building of new version of OpenSSL and linker directive, my apache is still using old openssl library. How to link with new version?

  • Jacek Przepióra

    BTW, some scripts in RPM packages contain an explicit path to the openssl binary (e.g. /usr/bin/openssl). Solution:
    sudo cp -pv /usr/bin/openssl /usr/bin/openssl.BACKUP
    sudo ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl