@Bill-tran
Created September 7, 2021 09:22
How to install openssl 1.1.1 on CentOS 7

How To Install OpenSSL 1.1.1 on CentOS 7

This tutorial shows how to build and install OpenSSL 1.1.1 from source on CentOS 7, since the yum repo only installs up to OpenSSL 1.0.

Requirements

Upgrade the system

yum -y update

Install required packages

yum install -y make gcc perl-core pcre-devel wget zlib-devel

Download the latest version of OpenSSL source code

wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

Configure, build and install OpenSSL

Uncompress the source file

tar -xzvf openssl-1.1.1k.tar.gz

Change to the OpenSSL directory

cd openssl-1.1.1k

Configure the package for compilation

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

Compile package

make

Test compiled package

make test

Install compiled package

make install

Export library path

Create environment variable file

vim /etc/profile.d/openssl.sh

Add the following content

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Load the environment variable

source /etc/profile.d/openssl.sh

Verify the OpenSSL version

openssl version
@steveh1973

steveh1973 commented Sep 27, 2023

Ok. Ok.

Ok.

You have to build ssh also then it seems:

FROM centos:7

RUN yum update -y \
 && yum install -y make gcc perl-core pcre-devel wget zlib-devel git automake

# openssl
RUN wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz \
 && tar xf openssl*.gz \
 && cd openssl* \
 && ./config --prefix=/usr --openssldir=/etc/ssl zlib-dynamic \
 && make -j$(nproc) \
 && make install

# openssh
RUN git clone https://github.com/openssh/openssh-portable \
 && pushd openssh-portable \
 && autoreconf \
 && ./configure --prefix=/usr --sysconfdir=/etc \
 && make -j$(nproc) \
 && make install
$ docker run --rm sslos ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k  25 Mar 2021

Many thanks, I'll try it and update you again
P.S
Does it mean I have to update any other applications in the system that still use old openssl?
Although I updated the system openssl it looks like I still have applications like Vertica that are still using libraries from the old version

Like this alert from Nessus report on Vertica
"/opt/vertica/lib/libcrypto.so.1.1"
Reported version : 1.1.1d
Fixed version : 1.1.1p

or for example here from Nessus report
Path : /usr/lib64/libcrypto.so.1.0.2k
Reported version : 1.0.2k
Fixed version : 1.0.2ze

Sorry for bothering you but I'm not that professional on Linux
Your comments are greatly appreciated

@pfandl

pfandl commented Sep 27, 2023

It seems like you have to rebuild, yes. Didn't know that apps seem to be linked to libssl.so.10 which is not getting replaced if you rebuild it like this. If you just replace it, stuff stops working, so it seems you need to rebuild packages with the new version.
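
The question raised in this exchange is which binaries still resolve to the old library after the install. The following added example, which is not part of the gist or of any commenter's post, parses `ldd` output and flags libssl/libcrypto links that are missing or not on the 1.1.x branch. The function names and the `NOT_FOUND` marker are made up for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): show which OpenSSL branch a binary is
# actually linked against, independent of what `openssl version` prints.

# Map a libssl/libcrypto soname to its OpenSSL branch. CentOS 7's stock
# 1.0.2k package uses the .so.10 soname; 1.1.1 uses .so.1.1; 3.x uses .so.3.
branch_for_soname() {
    case "$1" in
        lib*.so.10)  echo "1.0.x" ;;
        lib*.so.1.1) echo "1.1.x" ;;
        lib*.so.3)   echo "3.x" ;;
        *)           echo "unknown" ;;
    esac
}

# Read ldd output on stdin and print "<soname> <resolved path> <branch> <label>"
# for every libssl/libcrypto dependency. $1 is a label (the binary's path).
# An unresolved dependency ("=> not found") is reported as NOT_FOUND.
ssl_links() {
    local label="$1" soname path
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, ($3 == "not" ? "NOT_FOUND" : $3) }' |
    while read -r soname path; do
        echo "$soname $path $(branch_for_soname "$soname") $label"
    done
}

# Read ssl_links output on stdin and print only links that are unresolved or
# not on the wanted branch ($1, e.g. 1.1.x). Exit status 1 if any were flagged.
flag_other_branches() {
    awk -v want="$1" '$3 != want || $2 == "NOT_FOUND" { print; bad = 1 } END { exit bad }'
}

# Usage: ./audit.sh /usr/bin/curl /usr/sbin/sshd ...
# Only run ldd on binaries you trust: it can execute code from the file.
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | ssl_links "$bin"
    done | flag_other_branches "1.1.x"
fi
```

A statically linked binary, such as the `openssl` CLI built with `no-shared` as in the gist's configure line, lists no libssl/libcrypto entries in `ldd`, so it will not appear in this report.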

@prashantvidja

How can I uninstall it once I don't need it

@Khnaz35

Khnaz35 commented Oct 11, 2023

When I did make test I got this report

Test Summary Report
-------------------
../test/recipes/80-test_cms.t                    (Wstat: 1280 Tests: 6 Failed: 5)
  Failed tests:  1-5
  Non-zero exit status: 5
../test/recipes/80-test_ssl_new.t                (Wstat: 256 Tests: 29 Failed: 1)
  Failed test:  12
  Non-zero exit status: 1
Files=158, Tests=2432, 123 wallclock secs ( 1.02 usr  0.31 sys + 92.55 cusr 36.78 csys = 130.66 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/root/openssl-1.1.1k'
make: *** [tests] Error 2

Is it safe to proceed?

@Khnaz35

Khnaz35 commented Oct 11, 2023

Just an update: I ended up installing SSL 3

openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

@reznikmm

But still I get below error - ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips 26 Jan 2017. See: urllib3/urllib3#2168

I made this work by executing

export LD_LIBRARY_PATH=<openssl-1.1.1k>

@Dee-OGCIO

Very useful. Thanks a lot!

Ended up updating to version 3 by following your procedure.

@molssongroup

This worked like a charm for me on Oracle 7.9. Thanks!

@luiscastillocr

This worked like a charm on a CentOS 8 Vagrant box.

Thank you

@Nirzak

Nirzak commented May 19, 2024

After installing using your guide, I can't rebuild my curl now. It's always showing an ld error. I don't know where you have put the libraries of openssl in your command?

@PauloCarvalhoRJ

Hello, how do I install it as a devel package? Thanks.

@je5sss

je5sss commented Jul 13, 2024

Really helpful, thanks a lot.

And for anyone who encountered: "openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory", check if libssl.so.1.1 is actually under /usr/lib (my case). If so, modify /etc/profile.d/openssl.sh as follows and source again:

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:/usr/lib:/usr/lib64

@nzzlinh

nzzlinh commented Oct 23, 2024

As of Oct 2024, https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz is no longer available

Please use this command instead:

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
