System security deserves the attention of everyone who uses or works with Linux, especially on a server, since servers host a lot of important data and services. In general, we can say that Linux is a fairly secure system because it includes fairly good security policies, and also because it includes libraries specializing in encryption and data protection, which is vital at work and in very important personal communications. That is why, in this post, we will show you how to install the latest version of OpenSSL on CentOS 7.
In case you do not know what OpenSSL is, we will tell you. OpenSSL is a security library included in all Linux systems. Its main objective is to provide an open source implementation of the TLS and SSL protocols, which protect and encrypt data transmitted over a network. It is really important to use it, because if our transmitted data falls into the hands of a third party, that person must decrypt it to get the information. Decrypting it is not easy, so encrypting the data safeguards it.
So, let us start to install the latest version of OpenSSL on CentOS 7.
1. Upgrade the system and install required packages
The first step is to update the system completely. This way you will have all the available security updates.
:~$ su
:~# yum update
Then, you have to install some required packages to install OpenSSL.
:~# yum install make gcc perl pcre-devel zlib-devel
2. Install the latest version of OpenSSL on CentOS 7
OpenSSL is included in almost all Linux distributions. The problem is that they include older versions which, although maintained by the distribution itself to be safe, are not the most recent. So we will use the safest method, which is to install it from its source code. With this, we will get a clean and reliable system.
First, install wget, then use it to download the latest version.
:~# yum install wget
:~# wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1.tar.gz
Of course, at the time of writing this post, the latest stable version of OpenSSL is 1.1.1.
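Before unpacking, the download can be checked against a published SHA-256 digest. The functions below are an added example, not part of the original post; the digest file name (the tarball URL plus ".sha256") is an assumption.

```shell
#!/bin/sh
# Added example: compare a downloaded tarball with a published SHA-256 digest.

# sha256_of FILE -> lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# expected_digest DIGEST_FILE -> first 64-character hex token in the file.
# Accepts a bare digest, "digest  filename", or "SHA256(filename)= digest".
expected_digest() {
    tr 'A-F' 'a-f' < "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 64 && $i !~ /[^0-9a-f]/) { print $i; exit }
    }'
}

# verify_tarball TARBALL DIGEST_FILE -> 0 match, 1 mismatch, 2 unusable input
verify_tarball() {
    tarball=$1; digest_file=$2
    [ -r "$tarball" ] && [ -r "$digest_file" ] || { echo "missing input" >&2; return 2; }
    want=$(expected_digest "$digest_file")
    [ -n "$want" ] || { echo "no SHA-256 digest in $digest_file" >&2; return 2; }
    got=$(sha256_of "$tarball")
    if [ "$got" = "$want" ]; then
        echo "OK $tarball"
    else
        echo "MISMATCH $tarball: expected $want, got $got" >&2
        return 1
    fi
}

# Usage with the tutorial's download (digest URL is an assumption):
#   wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1.tar.gz.sha256
#   verify_tarball openssl-1.1.1.tar.gz openssl-1.1.1.tar.gz.sha256 \
#       && tar xvf openssl-1.1.1.tar.gz
```

A digest fetched from the same server as the tarball catches a corrupted or truncated download; checking the project's PGP signature on the release also covers a tampered mirror.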
After that, decompress the file.
:~# tar xvf openssl-1.1.1.tar.gz
Next, navigate to the generated folder.
:~# cd openssl-1.1.1/
Then, configure the package compilation using ./config. You also have to pass some parameters, such as the prefix, which sets the path where OpenSSL will be installed.
:~# ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
Now, begin compilation.
:~# make
:~# make test
Finally, install OpenSSL.
:~# make install
The process may take a few minutes. So you have to wait for it to finish.
Then, so you do not have problems using the library, you need to export the paths.
:~# export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
:~# echo "export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64" >> ~/.bashrc
Finally, check the OpenSSL version.
:~# openssl version
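`openssl version` only reports the first binary found on PATH, and the RPM database knows nothing about a source build, so a fuller check lists every `openssl` on PATH with its reported version and the package that claims the file. This is an added example, not part of the original post; the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: show which openssl binaries exist, what each reports,
# and which RPM package (if any) claims the file.

# all_on_path NAME [PATHLIST] -> every executable NAME, in shell lookup order
all_on_path() {
    name=$1; list=${2:-$PATH}
    old_ifs=$IFS; IFS=:
    for dir in $list; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# owner_of FILE -> owning RPM package, "unpackaged", or "rpm-unavailable"
owner_of() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) && echo "$pkg" || echo "unpackaged"
}

# linked_tls_libs BIN -> libssl/libcrypto shared objects BIN resolves at run time
linked_tls_libs() {
    ldd "$1" 2>/dev/null | awk '/lib(ssl|crypto)\.so/ { print $1, "=>", $3 }'
}

# audit_openssl [PATHLIST] -> "path | reported version | rpm owner" per binary;
# the first line is the binary the shell runs for a bare `openssl`
audit_openssl() {
    all_on_path openssl "${1:-$PATH}" | while IFS= read -r bin; do
        ver=$("$bin" version 2>/dev/null) || ver="(failed to run)"
        printf '%s | %s | %s\n' "$bin" "$ver" "$(owner_of "$bin")"
    done
}

# Typical use on the server (the second path is a placeholder):
#   audit_openssl
#   linked_tls_libs /path/to/server-binary-or-module.so
```

A file that reports the new version while `rpm -qf` still attributes it to the distribution's openssl package has been overwritten by the source install. A server binary whose `linked_tls_libs` output points at the packaged libssl keeps using that library regardless of what `openssl version` prints.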
So, that’s it.
OpenSSL is a very important library of the Linux system. So it’s a good idea to have its latest version installed, to improve system security and data encryption. The installation process from the source code is not difficult and has many advantages.
I’ve been pulling my hair out for several days now on how to do it properly, and then you post this. Thanks for sharing.
make install fails
Unix has been around long enough that this kind of deep dive shouldn’t be required. Installer programs should handle it with a click of the mouse.
Maybe, my friend, but remember that Unix-based systems are used on servers and it is not recommended to use a graphical interface there.
Thank you for commenting.
Thanks for the post.
On a CentOS minimal install I had to install the following additional packages to pass the `make test` successfully
yum install perl-Module-Load-Conditional perl-Test-Harness perl-core
Thanks for your comment
Critical for make test to work, should be added to the original post. Unfortunately make install still fails:
Cannot create directory /usr/include/openssl: No such file or directory
make: *** [install_dev] Error 2
I sudo make install and it works.
After the installation, my openssl is still the old version 1.0.2k. What should I do to make Apache use the current version? Thank you very much!
Thanks for the awesome tutorial. Everything installed fine but unfortunately something isn’t quite right.
This shows correct.
$ openssl version
OpenSSL 1.1.1c 28 May 2019
Unfortunately this still shows the old version.
$ yum list installed | grep openssl
openssl.x86_64 1:1.0.2k-16.el7_6.1 installed
openssl-libs.x86_64 1:1.0.2k-16.el7_6.1 installed
This is on a fresh install of CentOS 7.6.1810. I’m not sure where I should check.
Thanks again for your awesome tutorial!
Hey, buddy, it’s all right. When you run the openssl command you are using the latest version path. However yum verifies the versions installed as packages.
In this case, you have installed openssl from the source code, not as a package. Therefore, yum will only show the old version which is the default package.
Perfect! I got it, thanks so much.
Thanks to you for your comment.
(it’s a command not a flag)
You are right…thanks!
Thanks for the tutorial.
with openssl version I have “OpenSSL 1.1.1d 10 Sep 2019”
but when I want to install Nginx, it is built with OpenSSL 1.0.2k-fips 26 Jan 2017 and not with OpenSSL 1.1.1d. I don’t understand why.
I installed successfully following your directions. However, when compiling a new version of nginx, it can’t find openssl. I’ve tried everything I can think of in the ./configure statement for nginx, “--with-openssl=” switch, including:
I keep getting the error:
&& make install_sw LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make: *** [/etc/ssl/.openssl/include/openssl/ssl.h] Error 127
(or whatever path I used)
What should I use there? Thanks for any help!
Okay, I used the directory I used for installing, /tmp/openssl-1.1.1, and it worked. I guess I should not have installed into the /tmp directory. Should I reinstall into another directory, or can I just leave it as it is, and go ahead and compile nginx? Or can I just move the openssl-1.1.1 directory, and compile from there? What is the best place to install it?
I only did the nginx ‘make’ command, I have not done ‘make install’ yet, awaiting your response.
Very good instructions. Thanks.
Excellent instructions! Two things to note:
1. make test may fail if perl-core is not installed (yum install perl-core).
2. There is a known issue with test 171 (make test)
I am not totally getting this.
What did you do with the system’s default/old openssl installation (files in /usr/bin/openssl, /etc/pki, /usr/share/doc/openssl-1.0.2k, /usr/share/man/man1/)? and openssl-devel, openssl-lib? no potential conflicts?
where is the binary installed with the new version? did it overwrite the system default version?
The “./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic” fails; what would cause this?
“./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic” fails with the message Pod/Escaped.pm did not return a true value at /usr/share/perl5/Pod/Simple.pm line 8. Any ideas on a fix for this?
This was very helpful. There is a big security flaw in the version most of my servers have installed. These instructions are complete and worked the first time in my environment.