59

How do I upgrade OpenSSL in CentOS 6.5?

I have used these commands, but nothing happens:

 cd /usr/src
 wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
 tar -zxf openssl-1.0.1g.tar.gz
 cd openssl-1.0.1g
 ./config
 make
 make test
 make install
 cd /usr/src
 rm -rf openssl-1.0.1g.tar.gz
 rm -rf openssl-1.0.1g

After running this command, I still get the old version:

openssl version
Peter Mortensen
Mostafa

11 Answers

49

The fix for the Heartbleed vulnerability has been backported to 1.0.1e-16 by Red Hat for Enterprise Linux, and this is therefore the official fix that CentOS ships.

Replacing OpenSSL with the latest version from upstream (i.e. 1.0.1g) runs the risk of introducing functionality changes which may break compatibility with applications/clients in unpredictable ways, causes your system to diverge from RHEL, and puts you on the hook for personally maintaining future updates to that package. Replacing openssl using a simple make config && make && make install also means that you lose the ability to use rpm to manage that package and perform queries on it (e.g. verifying all the files are present and haven't been modified or had permissions changed without also updating the RPM database).

I'd also caution that crypto software can be extremely sensitive to seemingly minor things like compiler options, and if you don't know what you're doing, you could introduce vulnerabilities in your local installation.

chriz
Alex Butcher
  • Your suggestion is better. I was just trying to tell him how to build the code within the context of his question. He listed build steps and asked what was wrong. Also, here is the link to the notification of the fix: https://rhn.redhat.com/errata/RHSA-2014-0376.html You left that out of your post. – jmq Apr 09 '14 at 15:21
  • Thanks Alex, What can I do now? Can I undo ? – Mostafa Apr 10 '14 at 01:17
  • I have reinstalled openssl by this command "yum reinstall openssl", Should I do anything now ? – Mostafa Apr 10 '14 at 01:23
  • My openssl version now : OpenSSL 1.0.1e-fips 11 Feb 2013, My OS : CENTOS 6.5 x86_64 standard – Mostafa Apr 10 '14 at 01:25
  • OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Tue Apr 8 02:39:29 UTC 2014 – Mostafa Apr 10 '14 at 04:46
42
./config --prefix=/usr --openssldir=/usr/local/openssl shared

Try this config line instead to overwrite the default. It installs to prefix /usr/local/ssl by default in your setup when you leave off the prefix. You probably have "/usr/local/ssl/bin/openssl" instead of overwriting /usr/bin/openssl. You can also use /usr/local for prefix instead, but you would need to adjust your path accordingly if that is not already on your path. Here is the INSTALL documentation:

  $ ./config
  $ make
  $ make test
  $ make install

 [If any of these steps fails, see section Installation in Detail below.]

This will build and install OpenSSL in the default location, which is (for
historical reasons) /usr/local/ssl. If you want to install it anywhere else,
run config like this:

  $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl

https://github.com/openssl/openssl/blob/master/INSTALL http://heartbleed.com/

Sumit Lubal
jmq
  • Thanks a lot, jmq I have tested again by your code, And I get successfully – Mostafa Apr 09 '14 at 04:46
  • Now I have, OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Tue Apr 8 02:39:29 UTC 2014, Is it patched version or not, please? – Mostafa Apr 10 '14 at 17:41
  • Affected versions are from 1.0.1-1.0.1f, that means 1.0.1e is still affected with Heartbleed bug. – O.O May 10 '14 at 04:01
  • Check using `rpm -qa openssl` instead of using `openssl version`, and see if you have `_5.7` at the end of the version, if it's there then you're safe. Refer to this: http://www.centosblog.com/critical-openssl-vulnerability-heartbleed-openssl-1-0-1-1-0-1f-patch-bug-centos-system/ – O.O May 10 '14 at 04:07
  • At least on my Centos 6.5 I had to add another `-fPIC` switch to the `config` command. – nimrodm Mar 01 '16 at 09:39
42

To manually compile OpenSSL, do as follows:

$ cd /usr/src

$ wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz

$ tar -zxf openssl-1.0.1g.tar.gz

$ cd openssl-1.0.1g

$ ./config

$ make

$ make test

$ make install

$ openssl version

If it shows the old version, do the steps below.

$ mv /usr/bin/openssl /root/

$ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

http://olaitanmayowa.com/heartbleed-how-to-upgrade-openssl-in-centos/

Olaitan Mayowa
  • Best answer! Works perfectly. – PRVS May 03 '17 at 09:19
  • Did not work well while installing openssl 1.1 due to "Permission Denied" errors. Worked well when I provided permission `chmod 777` to openssl directory and all child objects. make install required me to use `sudo` – Pavan Kumar May 16 '17 at 16:59
  • Indeed making a symbolic link is way easier to do afterwards than doing a new build operation – Ogier Schelvis Jun 08 '17 at 08:10
9

sudo yum update openssl is all you need.

This will bring you up to openssl-1.0.1e-16.el6_5.7.

You need to restart Apache after the update. Or better yet, reboot the box if possible, so that all applications that use OpenSSL will load the new version.

Jonathon Reinhart
  • Note doing sudo yum update openssl does not work in CentOS 5. To quote from another SO post: CentOS 5 does not have an official package of openssl newer than 0.9.8 so you cannot upgrade the system package to 1.0.1. If you need 1.0.1 on the CentOS 5 server you can compile/package it yourself but you cannot replace the 0.9.8 package/files without recompiling everything else on the system as well. – captainhero70 Mar 12 '16 at 03:36
  • `No repos enabled`. Nevertheless, I do have an OpenSSL version. Then what should I do to use the `yum`? – Pathros Mar 14 '17 at 21:36
  • @Pathros You need to [configure your yum repos](https://www.google.com/search?q=how+to+configure+yum+repos). – Jonathon Reinhart Mar 15 '17 at 03:02
7

The only thing you have to do is perform a yum update.

It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.

To verify the update, simply check the changelog:

    # rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

You should see the following:

    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

Make sure you reboot the server because important services such as Apache and SSH use openSSL.

Toshe
  • Thank you. This is the most correct answer. Do not manually update openSSL. – Moe Apr 10 '14 at 11:31
  • Using that command, you are simply told that the obsolete version is the latest version available, due to Red Hat's extensions updating policy. – andreszs Aug 03 '17 at 20:23
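Building on O.O's comments above (the package release, not `openssl version`, tells you whether the backport is present) and on the changelog check in this answer, here is an added example that is not code from any answer on this page: a POSIX shell script that decides from `rpm -qa openssl` output whether the installed package is at or past 1.0.1e-16.el6_5.7, and that extracts from `rpm -q --changelog openssl` output the version-release of the first entry naming a given CVE (so it also serves the CVE-2014-0224 check further down). The fixed release and the first changelog entry are the ones quoted in the answers; the other package names and the second changelog entry are constructed for the example, and the version comparison is a simplified rpmvercmp written here, not librpm's.

```shell
#!/bin/sh
# Added example (not from any answer on this page). Decides whether a CentOS 6
# openssl RPM is at or past the release that carries the backported
# CVE-2014-0160 fix. The decision uses the package release string, because
# `openssl version` still prints 1.0.1e after the backport.

FIXED_EVR="1.0.1e-16.el6_5.7"   # fixed build named in the answers above

# Split a version or release string into the alphabetic and numeric runs that
# rpm compares one at a time; separators such as '.', '-' and '_' are dropped.
rpm_segments() {
  printf '%s' "$1" |
    sed 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g; s/[^A-Za-z0-9]/ /g'
}

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# rpm_vercmp A B: prints -1, 0 or 1. Simplified rpmvercmp (not librpm's):
# numeric segments compare as integers, alphabetic ones as strings, a numeric
# segment outranks an alphabetic one, and when all shared segments are equal
# the string with more segments is the newer one.
rpm_vercmp() {
  b=$(rpm_segments "$2")
  set -- $(rpm_segments "$1")        # positional parameters = segments of A
  for sb in $b; do
    if [ $# -eq 0 ]; then echo -1; return 0; fi   # A ran out of segments
    sa=$1; shift
    if is_num "$sa" && is_num "$sb"; then
      if [ "$sa" -lt "$sb" ]; then echo -1; return 0; fi
      if [ "$sa" -gt "$sb" ]; then echo 1; return 0; fi
    elif is_num "$sa"; then echo 1; return 0
    elif is_num "$sb"; then echo -1; return 0
    elif [ "$sa" != "$sb" ]; then
      if [ "$(expr "$sa" \< "$sb")" = 1 ]; then echo -1; else echo 1; fi
      return 0
    fi
  done
  if [ $# -eq 0 ]; then echo 0; else echo 1; fi
}

# openssl_fixed NVRA: exit 0 when the package is at or beyond FIXED_EVR.
# NVRA is one line of `rpm -qa openssl`, e.g. openssl-1.0.1e-16.el6_5.7.x86_64
openssl_fixed() {
  evr=${1#openssl-}
  evr=${evr%.x86_64}; evr=${evr%.i686}; evr=${evr%.i386}   # drop architecture
  ver=${evr%%-*}; rel=${evr#*-}
  fver=${FIXED_EVR%%-*}; frel=${FIXED_EVR#*-}
  c=$(rpm_vercmp "$ver" "$fver")
  if [ "$c" = 0 ]; then c=$(rpm_vercmp "$rel" "$frel"); fi
  [ "$c" != -1 ]
}

# changelog_fix_release CVE: reads `rpm -q --changelog openssl` output on stdin
# and prints the version-release of the first entry whose text names the CVE
# (nothing when no entry does). Works for any CVE id, e.g. CVE-2014-0224 too.
changelog_fix_release() {
  awk -v cve="$1" '
    /^\* /                       { hdr = $NF }   # entry header ends with version-release
    hdr != "" && index($0, cve)  { print hdr; exit }
  '
}

# Constructed sample of `rpm -q --changelog openssl`: the first entry is the
# one quoted in the answers; the second is a placeholder, not a real entry.
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Wed Jan 01 2014 Placeholder Maintainer <maint@example.invalid> 1.0.1e-16.4
- constructed placeholder entry for the example'

# Demonstration on constructed package names. On a real box the input would be:
#   rpm -qa openssl | while read -r p; do openssl_fixed "$p" || echo "$p: update needed"; done
for pkg in openssl-1.0.1e-15.el6.x86_64 openssl-1.0.1e-16.el6_5.7.x86_64; do
  if openssl_fixed "$pkg"; then echo "$pkg: fixed"; else echo "$pkg: still vulnerable, yum update openssl"; fi
done
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fix_release CVE-2014-0160   # 1.0.1e-16.7
```

The release check is the one to trust on a CentOS box: a build such as 1.0.1e-30.el6 (named in a later answer) passes because 30 outranks 16, while 1.0.1e-16.el6 fails because it has fewer segments than 16.el6_5.7, which is exactly how rpm orders those releases. The changelog function is the same `rpm -q --changelog | grep` idea, but it returns the release that introduced the fix rather than just a match.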
2

My approach was:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssl-1.0.2a-fix_parallel_build-1.patch
tar xzf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
patch -Np1 -i ../openssl-1.0.2a-fix_parallel_build-1.patch
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make
make install

openssl version
OpenSSL 1.0.2a 19 Mar 2015 
Garistar
1

I agree that in 95% of cases, all you need is sudo yum update openssl

However, if you need a specific version of openssl or specific functionality, which is not in CentOS repository, you probably need to compile from source. The other answers here were incomplete. Below is what worked (CentOS 6.9), although this may introduce incompatibilities with installed software, and will not auto-update the openssl.


Choose openssl version from https://www.openssl.org/source/

Log in as root:

cd /usr/local/src/

# OPTIONALLY CHANGE openssl-1.1.0f.tar.gz to the version which you want
wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz

sha256sum openssl-1.1.0f.tar.gz  #confirm this matches the published hash

tar -zxf openssl-1.1.0f.tar.gz

cd /usr/local/src/openssl-1.1.0f

./config --prefix=/usr/local --openssldir=/usr/local/openssl
make
make test
make install

export LD_LIBRARY_PATH=/usr/local/lib64

#make export permanent
echo "export LD_LIBRARY_PATH=/usr/local/lib64" > /etc/profile.d/ld_library_path.sh
chmod ugo+x /etc/profile.d/ld_library_path.sh

openssl version  #confirm it works

#recommended reboot here

openssl version  #confirm it works after reboot
mkulon
0

rpm -qa openssl
yum clean all && yum update "openssl*"
lsof -n | grep ssl | grep DEL
cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr --openssldir=/usr/local/openssl shared
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g

and

openssl version
tvfun
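The `lsof -n | grep ssl | grep DEL` step in this answer is the check behind the "restart Apache or reboot" advice in the yum-based answers above: after `yum update openssl` the old libssl/libcrypto files are unlinked, but every process that had already mapped them keeps running the old code until it is restarted. Here is an added example, not code from any answer on this page, that turns an `lsof -n` listing into the list of processes and services that still need a restart. The lsof lines are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from any answer on this page). Finds processes that still
# map a deleted libssl or libcrypto after an openssl package update, i.e. the
# ones that must be restarted before the update takes effect for them.
# Run lsof as root, otherwise it only reports your own processes.

# stale_ssl_users: reads `lsof -n` output on stdin and prints "COMMAND PID" for
# each process that still maps a deleted libssl or libcrypto, one per line.
stale_ssl_users() {
  awk '/\/lib(ssl|crypto)\.so/ && /\(deleted\)$/ { print $1, $2 }' | sort -u
}

# stale_ssl_services: same input, prints the distinct command names only,
# which is what you would hand to `service <name> restart` on CentOS 6.
stale_ssl_services() {
  stale_ssl_users | awk '{ print $1 }' | sort -u
}

# Constructed lsof sample: httpd 1234 and sshd 987 still map the deleted
# libraries; httpd 1235 was started after the update and maps the new file;
# the last line is a deleted file that merely has "ssl" in its name, which the
# plain `grep ssl | grep DEL` pipeline would report and this filter does not.
SAMPLE_LSOF='COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd    1234 apache  mem    REG  253,0   444864 1048617 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd    1234 apache  mem    REG  253,0  1967032 1048611 /usr/lib64/libcrypto.so.1.0.1e (deleted)
httpd    1235 apache  mem    REG  253,0   444864 1048700 /usr/lib64/libssl.so.1.0.1e
sshd      987   root  mem    REG  253,0  1967032 1048611 /usr/lib64/libcrypto.so.1.0.1e (deleted)
bash     2222   root  mem    REG  253,0  1926760 1048001 /lib64/libc-2.12.so
cat      3001   root  mem    REG  253,0    12345 1048999 /tmp/sslcache.txt (deleted)'

# Demonstration on the sample; on a real box: lsof -n | stale_ssl_services
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_services    # prints httpd and sshd, one per line
```

An empty result from `lsof -n | stale_ssl_users` after the restarts (or the reboot the other answers recommend) is the confirmation that nothing on the box is still running the pre-update library.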
0

It is easy! Are you downloading the binary file? Download the latest RPM package, openssl-1.0.1e-30.el6.x86_64. Check what the current version is using rpm -q openssl. If this is older, then do rpm -U openssl-1.0.1e-30.el6.x86_64. If yum is configured, update this package in the repo and do yum update openssl; if your repo is in RHN, simply do yum update openssl. 1.0.1g is very old and vulnerable.

umesh
0

You can also check the local changelog to verify whether or not OpenSSL is patched against the vulnerability with the following command:

rpm -q --changelog openssl | grep CVE-2014-0224

If a result is not returned, then you must patch OpenSSL.

http://www.liquidweb.com/kb/update-and-patch-openssl-for-the-ccs-injection-vulnerability/

Rockallite
-1

You should replace the old OpenSSL binary file with the new one via a symlink:

sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

Remember that after this procedure you should reboot the server or restart all the services related to OpenSSL.

Peter Mortensen
Agli Panci