Upgrade OpenSSL on Ubuntu 20.04

Nov 21, 2020

Check OpenSSL version and installation directory

openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Backup current ssl directory

sudo cp -R /usr/lib/ssl /usr/lib/ssl-1.1.1h

Get latest SSL version

wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz

Download sha256

wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz.sha256

Check

echo "$(cat openssl-1.1.1h.tar.gz.sha256) openssl-1.1.1h.tar.gz" | sha256sum --check

Install

tar -zxf openssl-1.1.1h.tar.gzcd openssl-1.1.1h./configmakemake testsudo make install

Change symbolic link

sudo mv /usr/bin/openssl /usr/bin/openssl-1.1.1fsudo ln -s /usr/local/bin/openssl /usr/bin/openssl
sudo ldconfig

Check current version

openssl version
OpenSSL 1.1.1h  22 Sep 2020

Troubleshoot

There seems to be a certificate configuration issues when I run wget

wget https://www.google.com
--2020-11-22 20:20:45--  https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.196.36, 2404:6800:4001:804::2004
Connecting to www.google.com (www.google.com)|216.58.196.36|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=GTS CA 1O1,O=Google Trust Services,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

Checking openssl version -d I realized the installation directory have changed to /usr/local/ssl

/usr/lib/ssl (original)

lrwxrwxrwx 1 root root   14 Apr 20  2020 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Apr 23  2020 misc
lrwxrwxrwx 1 root root   20 Apr 20  2020 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Apr 20  2020 private -> /etc/ssl/private

/usr/local/ssl (new)

drwxr-xr-x 2 root root  4096 Nov 21 13:02 certs
-rw-r--r-- 1 root root   412 Nov 21 13:02 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Nov 21 13:02 ct_log_list.cnf.dist
drwxr-xr-x 2 root root  4096 Nov 21 13:02 misc
-rw-r--r-- 1 root root 10909 Nov 21 13:02 openssl.cnf
-rw-r--r-- 1 root root 10909 Nov 21 13:02 openssl.cnf.dist
drwxr-xr-x 2 root root  4096 Nov 21 13:02 private

NOTE: certs abd private are empty directory.

Fix

cd /usr/local/sslsudo rmdir certssudo ln -s /etc/ssl/certssudo rmdir private/sudo ln -s /etc/ssl/privatesudo mv openssl.cnf openssl.cnf.originalsudo ln -s /etc/ssl/openssl.cnf

Test

wget https://www.google.com
--2020-11-22 20:29:25--  https://www.google.com/
Resolving www.google.com (www.google.com)... 172.217.27.228, 2404:6800:4001:807::2004
Connecting to www.google.com (www.google.com)|172.217.27.228|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]  12.92K  --.-KB/s    in 0.001s  

2020-11-22 20:29:25 (10.4 MB/s) - ‘index.html’ saved [13229]

❤️ Is this article helpful?

Buy me a coffee ☕ or support my work via PayPal to keep this space 🖖 and ad-free.

Do send some 💖 to @d_luaz or share this article.

✨ By Desmond Lua

A dream boy who enjoys making apps, travelling and making youtube videos. Follow me on @d_luaz

👶 Apps I built

Travelopy - discover travel places in Malaysia, Singapore, Taiwan, Japan.