Check OpenSSL version and installation directory
openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
Back up the current ssl directory
sudo cp -R /usr/lib/ssl /usr/lib/ssl-1.1.1h
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
Download sha256
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz.sha256
Check
echo "$(cat openssl-1.1.1h.tar.gz.sha256) openssl-1.1.1h.tar.gz" | sha256sum --check
Install
tar -zxf openssl-1.1.1h.tar.gz
cd openssl-1.1.1h
./config
make
make test
sudo make install
Change symbolic link
sudo mv /usr/bin/openssl /usr/bin/openssl-1.1.1f
sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
sudo ldconfig
Check current version
openssl version
OpenSSL 1.1.1h 22 Sep 2020
Troubleshoot
There seems to be a certificate configuration issue when I run wget
wget https://www.google.com
--2020-11-22 20:20:45-- https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.196.36, 2404:6800:4001:804::2004
Connecting to www.google.com (www.google.com)|216.58.196.36|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=GTS CA 1O1,O=Google Trust Services,C=US’:
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Checking openssl version -d, I realized the installation directory has changed to /usr/local/ssl
/usr/lib/ssl (original)
lrwxrwxrwx 1 root root 14 Apr 20 2020 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Apr 23 2020 misc
lrwxrwxrwx 1 root root 20 Apr 20 2020 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 Apr 20 2020 private -> /etc/ssl/private
/usr/local/ssl (new)
drwxr-xr-x 2 root root 4096 Nov 21 13:02 certs
-rw-r--r-- 1 root root 412 Nov 21 13:02 ct_log_list.cnf
-rw-r--r-- 1 root root 412 Nov 21 13:02 ct_log_list.cnf.dist
drwxr-xr-x 2 root root 4096 Nov 21 13:02 misc
-rw-r--r-- 1 root root 10909 Nov 21 13:02 openssl.cnf
-rw-r--r-- 1 root root 10909 Nov 21 13:02 openssl.cnf.dist
drwxr-xr-x 2 root root 4096 Nov 21 13:02 private
NOTE: certs and private are empty directories.
Fix
cd /usr/local/ssl
sudo rmdir certs
sudo ln -s /etc/ssl/certs
sudo rmdir private/
sudo ln -s /etc/ssl/private
sudo mv openssl.cnf openssl.cnf.original
sudo ln -s /etc/ssl/openssl.cnf
Test
wget https://www.google.com
--2020-11-22 20:29:25-- https://www.google.com/
Resolving www.google.com (www.google.com)... 172.217.27.228, 2404:6800:4001:807::2004
Connecting to www.google.com (www.google.com)|172.217.27.228|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 12.92K --.-KB/s in 0.001s
2020-11-22 20:29:25 (10.4 MB/s) - ‘index.html’ saved [13229]
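
A check for the condition diagnosed above, as an added example that is not part of the original post: it reports whether certs, private and openssl.cnf under an OPENSSLDIR are symlinks or local copies, and fails when neither of OpenSSL's default CA locations (certs/ and cert.pem) holds anything. The function names check_openssldir and describe are made up for this example, and the check only tests for presence, not for valid certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# check_openssldir DIR: DIR is the OPENSSLDIR printed by `openssl version -d`.
# Returns 0 if a default CA location is populated, 1 if not, 2 if DIR is missing.

describe() {
    # Show whether an entry is a symlink (and its target), a local copy, or absent.
    if [ -L "$1" ]; then
        printf '%s -> %s\n' "$1" "$(readlink "$1")"
    elif [ -e "$1" ]; then
        printf '%s (local copy)\n' "$1"
    else
        printf '%s (missing)\n' "$1"
    fi
}

check_openssldir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    for entry in certs private openssl.cnf; do
        describe "$dir/$entry"
    done

    # OpenSSL's default trust lookup uses DIR/certs (hashed CA directory)
    # and DIR/cert.pem (single bundle); either one being populated is enough.
    have_ca=no
    if [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        have_ca=yes
    fi
    if [ -s "$dir/cert.pem" ]; then
        have_ca=yes
    fi

    if [ "$have_ca" = yes ]; then
        echo "OK: CA certificates found under $dir"
        return 0
    fi
    echo "FAIL: $dir/certs is empty or missing and $dir/cert.pem is absent"
    return 1
}

# Run the check when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_openssldir "$1"
fi
```

Run against /usr/local/ssl straight after make install it returns 1, which is the state that produced the wget error; after the symlink fix it lists all three entries as links into /etc/ssl.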