
Upgrading OpenSSL

To prevent dependency problems during the installation and improve system security, upgrade OpenSSL to 1.1.1a or later.

  • The built-in OpenSSL versions of CentOS 8.1, openEuler 20.03, and openEuler 22.03 are later than 1.1.1a. Therefore, you do not need to upgrade OpenSSL. Skip this section.
  • The built-in OpenSSL version of CentOS 7.6 is 1.0.2k-fips. You need to upgrade OpenSSL.

Check the OpenSSL version.

openssl version
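
The version check above can be scripted. The following is an added example, not part of the original guide: it parses an `openssl version` line and reports whether the build is older than the 1.1.1a minimum, including letter suffixes such as the `k` in 1.0.2k-fips. The function names and the sample version lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): decide from an `openssl version`
# line whether the build is older than the 1.1.1a minimum the guide requires.
MIN_VERSION="1.1.1a"

# Print "major minor patch _letters", e.g. "1.0.2k-fips" -> "1 0 2 _k".
# The "_" keeps the fourth field non-empty for letterless versions (3.0.7).
split_version() {
    printf '%s\n' "${1%%-*}" |
        sed -n -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)([a-z]*)$/\1 \2 \3 _\4/p'
}

# version_lt A B: 0 if A is older than B, 1 if not, 2 if either is unparsable.
version_lt() {
    va=$(split_version "$1"); vb=$(split_version "$2")
    if [ -z "$va" ] || [ -z "$vb" ]; then return 2; fi
    set -- $va $vb            # $1..$4 = A's fields, $5..$8 = B's fields
    if [ "$1" -lt "$5" ]; then return 0; elif [ "$1" -gt "$5" ]; then return 1; fi
    if [ "$2" -lt "$6" ]; then return 0; elif [ "$2" -gt "$6" ]; then return 1; fi
    if [ "$3" -lt "$7" ]; then return 0; elif [ "$3" -gt "$7" ]; then return 1; fi
    # Patch letters order as "" < a < ... < z < za < zb: shorter first, then ASCII.
    if [ "${#4}" -lt "${#8}" ]; then return 0; elif [ "${#4}" -gt "${#8}" ]; then return 1; fi
    if LC_ALL=C expr "$4" \< "$8" >/dev/null; then return 0; fi
    return 1
}

# needs_upgrade LINE: LINE is the full output of `openssl version`.
needs_upgrade() {
    set -- $1                 # word-split the line; field 2 is the version
    version_lt "${2:-}" "$MIN_VERSION"
}

# Constructed sample lines; on a real host pass "$(openssl version)" instead.
for line in "OpenSSL 1.0.2k-fips  26 Jan 2017" "OpenSSL 1.1.1a  20 Nov 2018" \
            "OpenSSL 3.0.7 1 Nov 2022"; do
    if needs_upgrade "$line"; then
        echo "upgrade needed: $line"
    else
        echo "ok:             $line"
    fi
done
```
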
The following describes how to upgrade OpenSSL to 1.1.1a on CentOS 7.6.

Upgrading OpenSSL (Installing Nginx by Compiling Source Code)

  1. Obtain the OpenSSL source code.
    1. Download the OpenSSL source package using the local browser.

      Download address: https://codeload.github.com/openssl/openssl/tar.gz/OpenSSL_1_1_1a

    2. Upload the source package to the /home directory on the server.

      If the server is connected to the Internet, you can run the wget command on the server to download the source code.

      1. Go to the /home directory and download the source package.
        cd /home
        wget https://codeload.github.com/openssl/openssl/tar.gz/OpenSSL_1_1_1a --no-check-certificate
        
      2. Rename the downloaded source package.
        The name of the OpenSSL source package downloaded using a local browser is different from that downloaded using the wget command. In this section, the OpenSSL source package is obtained by using a local browser. If you obtain it using the wget command, rename the downloaded source package.
        mv OpenSSL_1_1_1a openssl-OpenSSL_1_1_1a.tar.gz
        
  2. Decompress the OpenSSL source package.
    tar -xvf openssl-OpenSSL_1_1_1a.tar.gz
    

  3. Go to the openssl-OpenSSL_1_1_1a directory and run the ls command to query the files in the directory.
    cd openssl-OpenSSL_1_1_1a/
    ls
    

  4. Configure OpenSSL.
    ./config
    

  5. Perform the compilation and installation.
    make -j60 && make -j60 install
    

    The -j60 parameter runs up to 60 compilation jobs in parallel, which takes full advantage of multi-core CPUs to speed up compilation. Set the number following -j to the number of CPU cores. You can run the lscpu command to view the number of CPU cores.

  6. Configure the ld.so.conf file.
    echo "/usr/local/lib/" >> /etc/ld.so.conf
    ldconfig -v
    
  7. Make OpenSSL take effect.
    1. Add OpenSSL to the environment variables.
      echo export PATH=/usr/local/bin:\$PATH >> /etc/profile
      
    2. Make the environment variables take effect.
      source /etc/profile
      
  8. View the OpenSSL version.
    • Method 1:
      hash -r
      openssl version
      
    • Method 2:
      hash -r
      which openssl
      /usr/local/bin/openssl version
      
  9. View the OpenSSL installation directory.
    openssl version -a
    

    In the command output, the path following OPENSSLDIR is the OpenSSL installation directory.

  10. Optional: To uninstall the OpenSSL that was installed from source code, use either of the following methods:
    • Method 1:
      cd /home/openssl-OpenSSL_1_1_1a
      make uninstall
      hash -r
      openssl version
      openssl version -a
      
    • Method 2:
      openssl version -a
      rm -rf /usr/local/ssl
      rm -rf /usr/local/lib/engines-1.1
      rm -rf /usr/local/bin/openssl
      hash -r
      openssl version
      openssl version -a
      

Upgrading OpenSSL (Installing Nginx Using the RPM Package of the Mirror Site)

  1. Obtain the OpenSSL RPM package.
    1. Download the RPM package using a local browser.

      Download address:

      https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-libs-1.1.1a-3.el7.aarch64.rpm

      https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-1.1.1a-3.el7.aarch64.rpm

      https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-devel-1.1.1a-3.el7.aarch64.rpm

    2. Copy the RPM package to the /home directory on the server.

      If the server is connected to the Internet, you can run the wget command on the server to download the RPM package.

      cd /home
      wget https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-libs-1.1.1a-3.el7.aarch64.rpm --no-check-certificate
      wget https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-1.1.1a-3.el7.aarch64.rpm --no-check-certificate
      wget https://mirrors.huaweicloud.com/kunpeng/yum/el/7/aarch64/Packages/web/openssl-devel-1.1.1a-3.el7.aarch64.rpm --no-check-certificate
      
  2. Install OpenSSL.
    rpm -ivh openssl-libs-1.1.1a-3.el7.aarch64.rpm openssl-1.1.1a-3.el7.aarch64.rpm  openssl-devel-1.1.1a-3.el7.aarch64.rpm --force --nodeps
    
  3. Configure the ld.so.conf file.
    echo "/usr/local/lib/" >> /etc/ld.so.conf
    ldconfig -v
    
  4. Make OpenSSL take effect.
    echo export PATH=/usr/local/bin:\$PATH >> /etc/profile
    source /etc/profile
    

  5. View the OpenSSL version.
    • Method 1:
      hash -r
      openssl version
      
    • Method 2:
      hash -r
      which openssl
      /usr/local/bin/openssl version
      
  6. View the OpenSSL installation directory.
    openssl version -a
    

    In the command output, the path following OPENSSLDIR is the OpenSSL installation directory.

  7. Optional: To uninstall OpenSSL, run the following commands:
    rpm -qa | grep openssl
    rpm -e --nodeps openssl-devel-1.1.1a openssl-1.1.1a openssl-libs-1.1.1a
    rpm -qa | grep openssl
    hash -r
    openssl version
    openssl version -a
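
The wget commands in both download steps (source package and RPM packages) pass --no-check-certificate, which turns off TLS certificate verification, so the transport gives no assurance that the file is the one the server published. The following is an added example, not part of the original guide, of a digest check to run before tar -xvf or rpm -ivh. The function name and the stand-in file are constructed, and the expected SHA-256 value must come from a source you trust; this page does not provide one.

```sh
#!/bin/sh
# Added example (not from the original guide): refuse to unpack or install a
# downloaded file unless its SHA-256 digest matches a value obtained separately.

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2; return 2
    fi
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is not 64 hex characters" >&2; return 2
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then return 0; fi
    echo "digest mismatch for $file: got $actual" >&2
    return 1
}

# Constructed demo: a stand-in file takes the place of the real download, and
# its digest is computed locally only to show the pass and fail paths. On a
# real host the expected value is supplied from a trusted channel instead.
demo=$(mktemp)
printf 'constructed stand-in for openssl-OpenSSL_1_1_1a.tar.gz\n' > "$demo"
good=$(sha256sum "$demo" | awk '{print $1}')
if verify_sha256 "$demo" "$good"; then
    echo "digest ok: proceed to tar -xvf or rpm -ivh"
fi
printf 'modified after the digest was recorded\n' >> "$demo"
if ! verify_sha256 "$demo" "$good" 2>/dev/null; then
    echo "digest mismatch: do not unpack or install"
fi
rm -f "$demo"
```
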