I have a CentOS 6 server that is still running OpenSSL 1.0.1e (openssl-1.0.1e-30), which is vulnerable to a remote attacker accessing parts of memory on systems using vulnerable versions of OpenSSL. OpenSSL is a library that provides cryptographic functionality, specifically SSL/TLS, for popular applications such as secure web servers (nginx, Apache), MySQL database servers and email applications.
I tried running “yum update openssl”, but I received “No Packages marked for Update” even though the latest tar version has been published.
The following steps describe how to install and update OpenSSL on CentOS 6 and CentOS 7.
Install and Update OpenSSL on CentOS 6 / CentOS 7
1. Get the current version with the “openssl version” and “yum info openssl” commands:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * Webmin: download.webmin.com
 * base: centos.netonboard.com
 * epel: ftp.cuhk.edu.hk
 * extras: centos.netonboard.com
 * updates: ossm.utm.my
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 30.el6_6.7
Size : 4.0 M
Repo : installed
From repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
Available Packages
Name : openssl
Arch : i686
Version : 1.0.1e
Release : 30.el6_6.7
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
2. To download the latest version of OpenSSL, do as follows:
# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf openssl-1.0.2-latest.tar.gz
3. To manually compile and install/upgrade OpenSSL, do as follows (the extracted directory is named after the release in the tarball, openssl-1.0.2a here):
# cd openssl-1.0.2a
# ./config
# make
# make test
# make install
4. If the old version is still displayed, or OpenSSL was installed before, move the old openssl binary aside as a backup and link the new one in its place:
# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
5. Verify the OpenSSL version :
# openssl version
Output :
OpenSSL 1.0.2a 19 Mar 2015
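To confirm which OpenSSL the system actually uses after these steps, the following added example (not part of the original post) reports the CLI binary, the RPM package and whether its changelog lists CVE-2014-0160, and the libssl a given service binary or module loads. The function names, the sample inputs and the mod_ssl path in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): see which OpenSSL a service really loads.
# Assumption: the source build used the default ./config prefix, /usr/local/ssl, as in
# step 4; such a build does not replace the RPM's shared libraries under /usr/lib64.

# Constructed sample inputs so the parsers can be exercised offline.
SAMPLE_LDD='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000001000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000002000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000003000)'
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Example Packager <pkg@example.com> 0.0.0-0
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Read `ldd` output on stdin; print the libssl/libcrypto files it resolves to.
linked_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Classify a library path as the distro package's copy or a local source build.
classify_lib() {
    case "$1" in
        /usr/local/*)     echo local ;;
        /usr/lib*|/lib*)  echo distro ;;
        *)                echo unknown ;;
    esac
}

# Read `rpm -q --changelog openssl` on stdin; succeed if it lists the given CVE.
changelog_mentions() {
    grep -q -- "$1"
}

# Report for one binary or module, e.g. (path is an assumption):
#   sh audit.sh /usr/lib64/httpd/modules/mod_ssl.so
audit() {
    echo "CLI:     $(command -v openssl) -> $(openssl version 2>/dev/null)"
    echo "Package: $(rpm -q openssl 2>/dev/null)"
    if rpm -q --changelog openssl 2>/dev/null | changelog_mentions CVE-2014-0160; then
        echo "Package changelog lists a fix for CVE-2014-0160"
    fi
    for lib in $(ldd "$1" | linked_ssl_libs); do
        echo "$1 loads $lib ($(classify_lib "$lib"))"
    done
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A binary reported as loading a "distro" library is still served by the RPM's libssl, whatever “openssl version” prints for the binary linked in step 4.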
11 Comments
I followed your article, which seemed to work great. My next step was to install FreeRadius V3.0.8, and I receive the following message after compiling and installing:
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev – 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'
So based on this it's still pointed to the old version since the new one is installed. I thought, OK, it's probably a library issue.
So I did the following:
./configure --with-openssl-lib-dir=/usr/src/openssl-1.0.2c/ --with-openssl-include-dir=/usr/src/openssl-1.0.2c/
Which produces the following error message:
checking for OpenSSL version >= 0.9.7... yes
checking OpenSSL library and header version consistency... library: 1000203f header: 1000105f... no
configure: error: in `/usr/src/freeradius-server-3.0.8':
configure: error: OpenSSL library version does not match header version
See `config.log' for more details
[root@freeradius freeradius-server-3.0.8]#
So I’m not sure if I’m pointing to the right libraries and/or headers or not. And why does the system still believe the 1.0.1 is still there?
Suggestions, ideas?
Should I remove openssl and openssl-develop, and redo the process above again?
Oh, and I’m running CentOS 7.1
This works but is incomplete in making it stick!
Apache needs to be rebuilt after with openSSL in order for it to be active in PHP. Problem is the openSSL gets reverted to the rpm distributed with cPanel and or CloudLinux when rebuilding apache for those of us that use either, in turn overriding anything you just did!
As the log shows:
–!! Warning: ‘openssl-devel’ has been modified, reinstalling… !!
Loaded plugins: fastestmirror, rhnplugin
Setting up Install Process
Loading mirror speeds from cached hostfile
* cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
Resolving Dependencies
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-48.el6_8.1 will be installed
--> Finished Dependency Resolution
Total download size: 1.2 M
Installed size: 0
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : openssl-devel-1.0.1e-48.el6_8.1.x86_64 1/1
Verifying : openssl-devel-1.0.1e-48.el6_8.1.x86_64 1/1
Complete!
!! Done reinstalling ‘openssl-devel’ !!
============================================================
Do you have a solution for that?
I haven’t been able to find one!
hi,
I followed the steps, and it installed the latest version. I even moved the old openssl to another directory and created a link to the newly installed version.
When I run the openssl version command, it still shows the older version:
Description: Red Hat Enterprise Linux Server release 6.7 (Santiago)
Release: 6.7
Codename: Santiago
openssl version
OpenSSL 0.9.8zf-fips 19 Mar 2015
Can you please help in this regard?
Thanks
Thanks
I have followed all the steps, but for the 4th step the openssl directory is not found. Can you please suggest what I need to check for?
# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
I’m using CentOS 7.
If I skip this step and run openssl version, then it gives an error of no command found.
On step 3 for me it was:
cd openssl-1.0.2k instead of cd openssl-1.0.2a
cd openssl-1.0.2a doesn’t exist.
Thanks so much
Even after installing the latest version “sudo yum info openssl” shows same old version as output
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 60.el7_3.1
Size : 1.5 M
Repo : installed
From repo : updates
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
but “#openssl version” shows
OpenSSL 1.0.2l 25 May 2017
Hello, I have installed the OpenSSL update with your instructions.
On the command line the version shown is the new one, but phpinfo and yum info openssl show the old version.
How can I repair it?
Thanks
https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2f.tar.gz