How to Install and Update OpenSSL on CentOS 6 / CentOS 7


I have a CentOS 6 server that is still running OpenSSL 1.0.1e (openssl-1.0.1e-30), which is vulnerable to a flaw that lets a remote attacker access parts of memory on systems using vulnerable versions of OpenSSL.

OpenSSL is a library that provides cryptographic functionality, specifically SSL/TLS, for popular applications such as secure web servers (nginx web server, Apache web server), MySQL database servers and email applications.

I tried running the command “yum update openssl”, but I receive “No Packages marked for Update” even though the latest tar version has been published.

The following steps describe how to install and update OpenSSL on CentOS 6 and CentOS 7.


Install and Update OpenSSL on CentOS 6 / CentOS 7

1. Get the current version with the “openssl version” and “yum info openssl” commands:

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * Webmin: download.webmin.com
 * base: centos.netonboard.com
 * epel: ftp.cuhk.edu.hk
 * extras: centos.netonboard.com
 * updates: ossm.utm.my
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.7
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 30.el6_6.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

2. To download the latest version of OpenSSL, do as follows:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf openssl-1.0.2-latest.tar.gz

3. To manually compile OpenSSL and install/upgrade OpenSSL, do as follows:

# cd openssl-1.0.2a
# ./config
# make
# make test
# make install

4. If the old version is still displayed, or OpenSSL was installed before, move the old openssl binary aside as a backup and link the new one in its place:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify the OpenSSL version:

# openssl version

Output:

OpenSSL 1.0.2a 19 Mar 2015
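
The “openssl version” check in step 5 reports only the command-line binary found on PATH, not the libssl that a service loads at run time. The following is an added example, not part of the original article, that classifies `ldd` output by where libssl and libcrypto resolve; `NEW_PREFIX`, the function names and the sample `ldd` lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the article): classify the OpenSSL libraries listed in
# `ldd` output. NEW_PREFIX is an assumption: the default install prefix of the
# source build in step 3.
NEW_PREFIX="${NEW_PREFIX:-/usr/local/ssl}"

# Reads `ldd` output on stdin; prints "<soname> <path> <source-build|system>"
# for every libssl/libcrypto dependency.
classify_ssl_libs() {
    awk -v prefix="$NEW_PREFIX" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            origin = (index($3, prefix "/") == 1) ? "source-build" : "system"
            print $1, $3, origin
        }'
}

# Exit 0: every OpenSSL library comes from NEW_PREFIX.
# Exit 1: at least one comes from elsewhere (for example the RPM in /usr/lib64).
# Exit 2: none listed (static link, or the binary does not use OpenSSL).
uses_only_new_build() {
    found=$(classify_ssl_libs)
    [ -n "$found" ] || return 2
    ! printf '%s\n' "$found" | grep -q ' system$'
}

# Wrapper for a real host, e.g.: audit_binary /usr/sbin/httpd
audit_binary() {
    ldd "$1" | classify_ssl_libs
}

# Constructed sample: ldd lines for a daemon built against the distribution RPM.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffc0a1fe000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f3a5c2d1000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f3a5bee9000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a5bb25000)'

printf '%s\n' "$SAMPLE_LDD" | classify_ssl_libs
```
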

 

10 Replies to “How to Install and Update OpenSSL on CentOS 6 / CentOS 7”

  1. I followed your article, which seemed to work great. My next step was to install FreeRadius V3.0.8, and I receive the following message after compiling and installing:

    Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev – 1.0.1f release)

    Security advisory CVE-2014-0160 (Heartbleed)

    For more information see http://heartbleed.com

    Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = ‘CVE-2014-0160′

    So based on this it’s still pointed to the old version since the new one is installed. I thought, OK, it’s probably a library issue.

    So I did the following:

    ./configure --with-openssl-lib-dir=/usr/src/openssl-1.0.2c/ --with-openssl-include-dir=/usr/src/openssl-1.0.2c/

    Which produces the following error message:

    checking for OpenSSL version >= 0.9.7… yes

    checking OpenSSL library and header version consistency… library: 1000203f header: 1000105f… no

    configure: error: in `/usr/src/freeradius-server-3.0.8′:

    configure: error: OpenSSL library version does not match header version

    See `config.log’ for more details

    [root@freeradius freeradius-server-3.0.8]#

    So I’m not sure if I’m pointing to the right libraries and/or headers or not. And why does the system still believe the 1.0.1 is still there?

    Suggestions ideas?
    Should I remove openssl and openssl-develop? and redo the process above again?

    Oh, and I’m running CentOS7.1

  2. checking for OpenSSL version >= 0.9.7… yes

    checking OpenSSL library and header version consistency… library: 1000203f header: 1000105f… no

    configure: error: in `/usr/src/freeradius-server-3.0.8′:

    configure: error: OpenSSL library version does not match header version

    See `config.log’ for more details

    [root@freeradius freeradius-server-3.0.8]#

  3. This works but is incomplete in making it stick!

    Apache needs to be rebuilt after with openSSL in order for it to be active in PHP. Problem is the openSSL gets reverted to the rpm distributed with cPanel and or CloudLinux when rebuilding apache for those of us that use either, in turn overriding anything you just did!

    As the log shows:
    –!! Warning: ‘openssl-devel’ has been modified, reinstalling… !!
    Loaded plugins: fastestmirror, rhnplugin
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    * cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
    Resolving Dependencies
    –> Running transaction check
    —> Package openssl-devel.x86_64 0:1.0.1e-48.el6_8.1 will be installed
    –> Finished Dependency Resolution

    Total download size: 1.2 M
    Installed size: 0
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction

    Installing : openssl-devel-1.0.1e-48.el6_8.1.x86_64 1/1

    Verifying : openssl-devel-1.0.1e-48.el6_8.1.x86_64 1/1

    Complete!
    !! Done reinstalling ‘openssl-devel’ !!
    ============================================================

    Do you have a solution for that?

    I haven’t been able to find one!

  4. hi,

    I followed the steps, and it installed the latest version. I even moved the old openssl to another directory and created a link to the newly installed version.

    When I run the openssl version command, it still shows the older version:

    Description: Red Hat Enterprise Linux Server release 6.7 (Santiago)
    Release: 6.7
    Codename: Santiago

    openssl version
    OpenSSL 0.9.8zf-fips 19 Mar 2015

    Can you please help in this regard?

    Thanks

  5. I have followed all the steps, but for the 4th step the openssl directory is not found. Can you please suggest what I need to check for?
    # mv /usr/bin/openssl /root/
    # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

    I’m using centos 7 version.

    If I skip this step and run openssl version, then it gives an error of no command found.

  6. Even after installing the latest version “sudo yum info openssl” shows same old version as output

    Installed Packages
    Name : openssl
    Arch : x86_64
    Epoch : 1
    Version : 1.0.1e
    Release : 60.el7_3.1
    Size : 1.5 M
    Repo : installed
    From repo : updates
    Summary : Utilities from the general purpose cryptography library with TLS implementation
    URL : http://www.openssl.org/
    License : OpenSSL
    Description : The OpenSSL toolkit provides support for secure communications between
    : machines. OpenSSL includes a certificate management tool and shared
    : libraries which provide various cryptographic algorithms and
    : protocols.

    but “#openssl version” shows
    OpenSSL 1.0.2l 25 May 2017

  7. Hello, I have installed the OpenSSL update with your instructions.

    On the command line the version shown is the new one, but phpinfo and yum info openssl show the old version.

    How can I repair it?

    Thanks
