Linux HOWTOs



HOWTO: openssl
Description: The Open Source toolkit for SSL/TLS
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.  It's safe to
assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep
are prerequisites for almost everything.


# OpenSSL
# =======
# Slackware 13.37: openssl, openssl-solibs 0.9.8r
# Slackware 14.0: openssl, openssl-solibs 1.0.1c
# Slackware 14.1: openssl, openssl-solibs 1.0.1e
# Slackware 14.2: openssl, openssl-solibs 1.0.2h
#
# Check Slackware's 'patches' directory for security upgrades if you
# decide against installing it from source.

# Go here for news about security advisories and new releases:
# https://www.openssl.org/news/

# man and HTML format man pages will be installed locally below, but you
# can also view OpenSSL man pages online here:
# https://www.openssl.org/docs/manpages.html

# Keep in mind that OpenSSL is used by every piece of SSL/TLS-using software
# (unless it uses GnuTLS instead), so if you upgrade it you may have some
# serious issues.  For example, you could get yourself kicked out of the
# OpenSSH connection you're using to upgrade it.  If you can't be local, in
# person, you may want to temporarily enable telnet and use that - even
# though, normally, you should never, ever use that.

# There are several versions of OpenSSL included below.  The latest in the
# 1.0.2, 1.1.0, and 1.1.1 branches.

# If you did not specify a prefix in releases prior to 1.1.0, everything
# would end up under /usr/local/ssl
#
# From 1.1.0 onward, prefix /usr/local is used by default, and openssldir is
# prefix/ssl, so here is before:
#
#   /usr/local/ssl/bin
#   /usr/local/ssl/certs
#   /usr/local/ssl/include/openssl
#   /usr/local/ssl/lib
#   /usr/local/ssl/lib/engines
#   /usr/local/ssl/lib/pkgconfig
#   /usr/local/ssl/man
#   /usr/local/ssl/misc
#   /usr/local/ssl/private
#
# and here is after:
#
#   /usr/local/bin
#   /usr/local/include/openssl
#   /usr/local/lib
#   /usr/local/lib/engines-1.1
#   /usr/local/lib/pkgconfig
#   /usr/local/share/doc/openssl
#   /usr/local/share/man
#   /usr/local/ssl/certs
#   /usr/local/ssl/misc
#   /usr/local/ssl/private

# If you have trouble with the download URL below, either find a mirror
# in the list:
# http://www.openssl.org/source/mirror.html
# or try this mirror:
# http://mirrors.ibiblio.org/openssl/source/

# If you get an error about certificate verification when downloading with
# wget, you can use 'wget --no-check-certificate URL', but you're better off
# fixing/implementing certificates for verification.  If you have Slackware's
# 'ca-certificates' package, for example, making /usr/local/ssl/certs a
# symlink to /etc/ssl/certs will take care of that problem.

# I always get the checksums used below from the announce mailing list, make
# sure it is the same on the web site Source page, and/or verify the tarball
# with gpg (GnuPG).

# If you upgrade from one full version (1.0.1x) to another (1.0.2x), there
# may be old shared library files left behind from the old version in
# /usr/local/ssl/lib (or .../lib64).  Some binaries may be linked to the
# old version's versioned shared library files (e.g. libcrypto.so.1.0.0)
# rather than to a non-specific symlink (libcrypto.so or libcrypto.so.1),
# so be aware that if you remove the old ones, some things may break until
# you re-compile them.  Running this as root:
#   lsof /usr/local/ssl/lib*/libssl.so* | awk '{ print $1 }' | sort | uniq
# should give you an idea of some OpenSSL-linked daemons that are currently
# running on your system.  If replacing a Slackware or other distribution
# package, check /usr/lib*/libssl.so* the same way.
#
# There is a list of OpenSSL-using applications at the bottom of this page
# that may help if some command-line programs stop working.  To see whether
# a particular binary is linked with an OpenSSL shared library, run ldd on
# it (ldd /bin/foo) and look for libcrypto or libssl in the output.  The
# safe approach is to leave the old files in place until you're positive
# that nothing is using them.

# Note:
# As of 1.0.1s and 1.0.2g, SSLv2 is disabled
# As of 1.1.0, SSLv2 support was removed
# As of 1.1.1, TLSv1.3 was added

# Prerequisites:
# Perl
# bc (for certain 'make test' tests)


# OpenSSL 1.1.1c (LTS version)
# ==============
# OpenSSL 1.1.1 will be supported until 2023-09-11

# Get it
cd
test -f installed/openssl-1.1.1c.tar.gz &&
 mv installed/openssl-1.1.1c.tar.gz .
test ! -f openssl-1.1.1c.tar.gz &&
 wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.1c.tar.gz)
echo "f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c\
90  openssl-1.1.1c.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 7DF9EE8C > /dev/null 2>&1 || gpg --recv-keys 7DF9EE8C ) &&
 wget -nc http://openssl.org/source/openssl-1.1.1c.tar.gz.asc &&
  gpg --verify openssl-1.1.1c.tar.gz.asc && rm openssl-1.1.1c.tar.gz.asc

# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.1c.tar.gz
cd openssl-1.1.1c
test $UID = 0 && chown -R root:root .

## Configure and then build it

# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc.  See
# here for more info:
# less ./INSTALL
# https://www.openssl.org/docs/faq.html#MISC6
# https://wiki.openssl.org/index.php/Compilation_and_Installation

# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl, use
# --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl

# As of 1.1.0, shared (.so) builds are the default; prior to that, static
# (.a) libraries were the default.  './config shared' is no longer needed
# (but still works).  If you do _not_ want shared libraries, use 'no-shared'.

# If you are upgrading from 1.0.x to 1.1.1, shared library files go from
# libcrypto.so.1.0.0 and libssl.so.1.0.0 to .1.1.  There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.0.0 will be broken if you remove those old files.

# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64

# Configure it for anything else
test $(uname -m) != "x86_64" && ./config

# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc).  If you already have
# /usr/local/share/{doc,man} -> /usr/local/{doc,man} symlinks, this is not
# necessary.  You can also pass DOCDIR and MANDIR to 'make install' instead.
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile \
-e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' \
-e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'

# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed.  If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl

# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
 test -d /etc/ssl &&
  ( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
    cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +%Y%m%d)/
    rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# ('make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
#  DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
make install

## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:

# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
 rm -r /usr/local/ssl/bin

# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
 rm -r /usr/local/ssl/include

# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0

FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
 test -d /usr/local/ssl/${FOO} &&
 ( cd /usr/local/ssl/${FOO}
   cp -ai lib*.so.* /usr/local/${FOO}/ &&
    rm -r /usr/local/ssl/${FOO} )
unset FOO

# If the library path changed, update /etc/ld.so.conf if necessary, and run
# ldconfig

# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located

# If you used the default OpenSSL prefix (/usr/local), which puts the
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf, then refresh the loader cache with ldconfig
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
 ( cd /usr/local/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/${FOO}" >> /etc/ld.so.conf
   ldconfig )
unset FOO

# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf, then
# refresh the loader cache with ldconfig
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.1.1 &&
 ( cd /usr/local/ssl/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf
   ldconfig )
unset FOO

# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/.  Make very,
# very sure that nothing else is using those before removing them.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
# ftp://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz

# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course.  During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/

# You can also read the man pages for 1.1.0 here:
# https://www.openssl.org/docs/man1.1.0/

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.1c.tar.gz installed/

# Skip down to the bottom for a few more things to set up


# OpenSSL 1.1.0k
# ==============
# OpenSSL 1.1.0 will be supported until 2019-09-11

# The following versions of ISC BIND (and older) can not build against
# this version of OpenSSL:
# 9.9.9-P3
# 9.10.4-P3
# 9.11.0rc3
#
# Cyrus IMAP does not fully support OpenSSL 1.1.0 until version 3.0.0

# Get it
cd
test -f installed/openssl-1.1.0k.tar.gz &&
 mv installed/openssl-1.1.0k.tar.gz .
test ! -f openssl-1.1.0k.tar.gz &&
 wget https://www.openssl.org/source/openssl-1.1.0k.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.0k.tar.gz)
echo "efa4965f4f773574d6cbda1cf874dbbe455ab1c0d4f906115f867d30444470\
b1  openssl-1.1.0k.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 7DF9EE8C > /dev/null 2>&1 || gpg --recv-keys 7DF9EE8C ) &&
 wget -nc http://openssl.org/source/openssl-1.1.0k.tar.gz.asc &&
  gpg --verify openssl-1.1.0k.tar.gz.asc && rm openssl-1.1.0k.tar.gz.asc

# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.0k.tar.gz
cd openssl-1.1.0k
test $UID = 0 && chown -R root:root .

## Configure and then build it

# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc.  See
# here for more info:
# less ./INSTALL
# https://www.openssl.org/docs/faq.html#MISC6
# https://wiki.openssl.org/index.php/Compilation_and_Installation

# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the new default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl, use
# --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl

# As of 1.1.0, shared (.so) builds are the default; prior to that, static
# (.a) libraries were the default.  './config shared' is no longer needed
# (but still works).  If you do _not_ want shared libraries, use 'no-shared'.

# If you are upgrading from 1.0.x to 1.1.0, shared library files go from
# libcrypto.so.1.0.0 and libssl.so.1.0.0 to .1.1.  There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.0.0 will be broken if you remove those old files.

# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64

# Configure it for anything else
test $(uname -m) != "x86_64" && ./config

# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc).  If you already have
# /usr/local/share/{doc,man} -> /usr/local/{doc,man} symlinks, this is not
# necessary.  You can also pass DOCDIR and MANDIR to 'make install' instead.
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile \
-e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' \
-e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'

# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed.  If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl

# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
 test -d /etc/ssl &&
  ( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
    cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +%Y%m%d)/
    rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# ('make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
#  DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
make install

## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:

# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
 rm -r /usr/local/ssl/bin

# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
 rm -r /usr/local/ssl/include

# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0

FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
 test -d /usr/local/ssl/${FOO} &&
 ( cd /usr/local/ssl/${FOO}
   cp -ai lib*.so.* /usr/local/${FOO}/ &&
    rm -r /usr/local/ssl/${FOO} )
unset FOO

# If the library path changed, update /etc/ld.so.conf if necessary, and run
# ldconfig

# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located

# If you used the default OpenSSL prefix (/usr/local), which puts the
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf, then refresh the loader cache with ldconfig
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
 ( cd /usr/local/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/${FOO}" >> /etc/ld.so.conf
   ldconfig )
unset FOO

# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf, then
# refresh the loader cache with ldconfig
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.1.1 &&
 ( cd /usr/local/ssl/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf
   ldconfig )
unset FOO

# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/.  Make very,
# very sure that nothing else is using those before removing them.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
# ftp://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz

# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course.  During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/

# You can also read the man pages for 1.1.0 here:
# https://www.openssl.org/docs/man1.1.0/

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.0k.tar.gz installed/

# Skip down to the bottom for a few more things to set up


# OpenSSL 1.0.2s (previous LTS version)
# ==============
# OpenSSL 1.0.2 will be supported until 2019-12-31
# It is considered an LTS (long term support) release

# Get it
cd
test -f installed/openssl-1.0.2s.tar.gz &&
 mv installed/openssl-1.0.2s.tar.gz .
test ! -f openssl-1.0.2s.tar.gz &&
 wget https://www.openssl.org/source/openssl-1.0.2s.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.0.2s.tar.gz)
echo "cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab\
96  openssl-1.0.2s.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 7DF9EE8C > /dev/null 2>&1 || gpg --recv-keys 7DF9EE8C ) &&
 wget -nc https://www.openssl.org/source/openssl-1.0.2s.tar.gz.asc &&
  gpg --verify openssl-1.0.2s.tar.gz.asc && rm openssl-1.0.2s.tar.gz.asc

# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.0.2s.tar.gz
cd openssl-1.0.2s
test $UID = 0 && chown -R root:root .

## Configure and then build it
# You can install it where Slackware does by passing --prefix=/usr
#  and --openssldir=/etc/ssl to configure
#
# You can install it where OpenSSL >= 1.1.0 does by passing
# --prefix=/usr/local and --openssldir=/usr/local/ssl to configure

# Configure it, here using /usr/local/ssl/lib64 for 64-bit systems,
# /usr/local/ssl/lib otherwise
test $(uname -m) = "x86_64" && ./config shared --libdir=lib64
test $(uname -m) != "x86_64" && ./config shared

# Build it
make depend
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you have a bunch of things linked with a Slackware-installed
# version of OpenSSL, you may want to skip this step until everything
# has been recompiled to use the new version.
test -x /sbin/removepkg && /sbin/removepkg openssl-solibs openssl

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# due to Slackware's ca-certificates package.
test -d /etc/ssl &&
 ( mkdir -p -m 0700 ~/backup/ssl
   cp -a /etc/ssl/* ~/backup/ssl/
   rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# (have not checked lately, but 'make install' would fail)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
make install

# Make sure the libraries are visible, use /usr/local/ssl/lib64 for 64-bit
# systems, /usr/local/ssl/lib otherwise
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
( cd /usr/local/ssl/${FOO}
  ln -sf libcrypto.so.1.0.0 libcrypto.so.1
  ln -sf libssl.so.1.0.0 libssl.so.1
  egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
    echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
ldconfig
unset FOO

# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.0.x.x shared library files in /usr/local/ssl/lib*/.  You
# might want to leave them there because there are probably many things
# linked to them.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
# ftp://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.0.2s.tar.gz installed/

# Skip down to the bottom for a few more things to set up


# Post-install setup
# ==================
# If you installed >= 1.1.0 into the /usr prefix, then you don't need to do
# anything related to setting PATH, MANPATH, PKG_CONFIG_PATH, the
# symlink to /etc/ssl/certs, etc.  Do continue to the list of things you may
# need to restart or rebuild though.

# Become root
# su, sudo bash, whatever your preference
su -

# If you had previously used prefix /usr/local/ssl and upgraded to >= 1.1.0
# using prefix /usr/local, you should not need an /etc/profile.d/openssl.sh
# to update PATH, MANPATH, and PKG_CONFIG_PATH any more.  If you do remove
# it, you will need to log out and back in to see the changes (or source it).
#
# If you use --prefix=/usr/local/ssl (default < 1.1.0), create an
# /etc/profile.d/openssl.sh that will set up the correct directories in PATH
# and MANPATH; with the update to PKG_CONFIG_PATH, the pkg-config program
# will be able to find libcrypto.pc, libssl.pc, and openssl.pc.  If you use
# other shells like csh, create a /etc/profile.d/openssl.csh too.
cat << EOF > /etc/profile.d/openssl.sh
#!/bin/sh
test -d /usr/local/ssl/bin &&
 export PATH=/usr/local/ssl/bin:\$PATH
test -d /usr/local/ssl/man &&
 export MANPATH=/usr/local/ssl/man:\$MANPATH
if [ -d /usr/local/ssl/lib64/pkgconfig ]; then
  SSLPCDIR=/usr/local/ssl/lib64/pkgconfig
elif [ -d /usr/local/ssl/lib/pkgconfig ]; then
  SSLPCDIR=/usr/local/ssl/lib/pkgconfig
fi
if [ -n "\$SSLPCDIR" -a -d "\$SSLPCDIR" -a ! -L "\$SSLPCDIR" ]; then
  if [ -n "\$PKG_CONFIG_PATH" ]; then
    PKG_CONFIG_PATH="\$PKG_CONFIG_PATH:\${SSLPCDIR}"
  else
    PKG_CONFIG_PATH="\$SSLPCDIR"
  fi
  export PKG_CONFIG_PATH
fi
unset SSLPCDIR
EOF
chmod 755 /etc/profile.d/openssl.sh 

# If you have Slackware's ca-certificates package installed, do this to keep
# an updated list that the new OpenSSL will be aware of.  You can also
# update ETCCERTSDIR in update-ca-certificates to avoid having to create the
# symlink.  If you used --prefix=/usr and --openssldir=/etc/ssl, you don't
# need a symlink because that is the real path used already.
test -d /usr/local/ssl/certs && rmdir /usr/local/ssl/certs
test ! -d /etc/ssl/certs && mkdir -p /etc/ssl/certs
ln -s /etc/ssl/certs /usr/local/ssl/certs
test -x /usr/sbin/update-ca-certificates &&
 /usr/sbin/update-ca-certificates --verbose

## If there are security fixes in the new version, you should immediately
## rebuild any apps that linked with the static libraries (.a) and you should
## restart any apps that are linked with the shared libraries (.so) - which
## will only help if they are binary compatible with the new version
## libraries.  To find apps that are currently running that are linked with
## the shared libraries, try running this as root for libssl and libcrypto.
## If you changed prefixes while upgrading and you have not restarted
## anything yet, use the path to the old version.
# find /usr/local/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/local/ssl/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/lib*/ -name "libssl.so*" -exec lsof {} \;

# If you're not sure if a particular binary is linked to OpenSSL or not, run
# ldd on it.  If it is linked with the shared libraries it will output
# something like this:
# libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb75a1000)
# libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb744c000)
# or this:
# libssl.so.1.0.0 => /usr/local/ssl/lib64/libssl.so.1.0.0 (0x00007f92f53d9000)
# libcrypto.so.1.0.0 => /usr/local/ssl/lib64/libcrypto.so.1.0.0 (0x00007f92f4ffa000)
# or this:
# libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f7ad294a000)
# libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f3100efd000)
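# As an added example (not from the original HOWTO), here is a small shell
# audit of the two checks just described: which running processes still have
# an OpenSSL shared library mapped, read from /proc/PID/maps so it also works
# where lsof is not installed and flags libraries that were replaced on disk,
# and which executables in a directory resolve libssl/libcrypto to an old
# filename via ldd.  The function names and the directories in the usage
# block at the bottom are the example's own.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): find what is still using
# OpenSSL shared libraries after an upgrade.  Running processes are found
# through /proc/PID/maps, so it works where lsof is not installed, and
# binaries on disk through ldd as the HOWTO describes.  Function names
# and the directories in the usage block are this example's own.

# Read /proc/PID/maps (or any text in that format) on stdin and print
# each libssl/libcrypto file it maps, once.  The kernel appends
# "(deleted)" when the mapped file has been removed or replaced on disk:
# that process is still running the OLD library and needs a restart.
ssl_libs_in_maps() {
  awk '$6 ~ /\/lib(ssl|crypto)\.so/ {
         tag = ($7 == "(deleted)") ? " (deleted)" : ""
         print $6 tag
       }' | LC_ALL=C sort -u
}

# Read ldd output on stdin and print which libssl/libcrypto files a
# binary resolves to.  "not found" means it was linked against a
# versioned filename (e.g. libssl.so.1.0.0) that no longer exists.
ssl_libs_in_ldd() {
  awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
         if ($3 == "not" && $4 == "found") print $1 " => not found"
         else print $3
       }' | LC_ALL=C sort -u
}

# Every running process with an OpenSSL library mapped, as
# PID <tab> command <tab> library.  Run as root to see other users'
# processes; maps files you cannot read are skipped.
running_ssl_users() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    pid=${maps#/proc/}; pid=${pid%/maps}
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    ssl_libs_in_maps < "$maps" 2>/dev/null |
      while IFS= read -r lib; do
        printf '%s\t%s\t%s\n' "$pid" "${comm:-?}" "$lib"
      done
  done
}

# Executables in the given directories whose libssl/libcrypto does not
# resolve to the wanted version (e.g. 1.1), "not found" included.
# Note: ldd may execute code from the binary it inspects, so only point
# it at binaries you trust; use 'readelf -d' for anything else.
binaries_not_on_version() {
  want=$1; shift
  for dir in "$@"; do
    for bin in "$dir"/*; do
      [ -f "$bin" ] && [ -x "$bin" ] || continue
      ldd "$bin" 2>/dev/null | ssl_libs_in_ldd |
        grep -v "\.so\.${want}\$" |
        while IFS= read -r lib; do
          printf '%s\t%s\n' "$bin" "$lib"
        done
    done
  done
}

# Usage: sh ssl-audit.sh --run   (directories are the HOWTO's install paths)
if [ "${1:-}" = "--run" ]; then
  running_ssl_users
  binaries_not_on_version 1.1 /usr/local/bin /usr/local/ssl/bin /usr/sbin
fi
```

# A process listed with "(deleted)" is running the pre-upgrade library and
# has to be restarted; a binary listed with "not found" has to be rebuilt.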

# If you run BIND named in a chroot jail, you may need to copy the
# shared library files there

# Become your non-root user again
exit

# If you created a /etc/profile.d/openssl.sh, source it to add the
# appropriate directories to your current shell's PATH, MANPATH, and
# PKG_CONFIG_PATH
test -f /etc/profile.d/openssl.sh && . /etc/profile.d/openssl.sh

# Here are some daemon-type apps that are commonly linked with OpenSSL
# libraries:
# Apache 2.x's httpd (named 'apache2' in Ubuntu)
# BIND's named (and dig, host, ...)
# CUPS' cupsd
# Cyrus IMAP's master, fud, imapd, lmtpd, pop3d
# Cyrus SASL's saslauthd
# fetchmail (when running as a daemon)
# IMAP Proxy's in.imapproxyd
# MySQL's mysqld
# NTP's ntpd
# NUT's upsd, upsmon, usbhid-ups, ...
# OpenLDAP's slapd and slurpd
# OpenSSH's sshd
# Postfix's master, qmgr, pickup
# ProFTPD
# Python (e.g. Mailman)
# Samba's smbd and nmbd
# sendmail
# stunnel
# syslog-ng
# ucd/net-snmp's snmpd
# vsftpd
#
# Here are some non-daemon apps that may be linked with openssl:
#
# curl
# lftp
# links
# lynx
# nail, mailx's /bin/mail
# neon
# Pine/Alpine/Re-Alpine
# Python
# tcpdump
# wget


# Creating SSL certs for an application to use
# ============================================
# Make sure /usr/local/ssl/bin is in your PATH (or whatever directory has
# the openssl binary in it):
echo $PATH | grep -q "/usr/local/ssl/bin" ||
 export PATH=$PATH:/usr/local/ssl/bin

# OpenSSL installed from source is installed under /usr/local/ssl by
# default, leaving the openssl binary in /usr/local/ssl/bin.  If you are
# using a distribution package, or it was installed from source under the
# /usr prefix, your openssl binary will be in /usr/bin, which is usually
# in the PATH by default.  In /usr prefix installations, CA.pl may be
# in /etc/ssl/misc as in Slackware or /usr/lib/ssl/misc as in Ubuntu.

# I typically modify CA.pl with these changes:
# - Change $DAYS if you want (self-signed) certificates longer than 1 year
# - Change $CADAYS if you want the CA to exist longer than 3 years
# - Change $CATOP if you want the CA files to go somewhere other than
#   ~/demoCA/
# - This is not an issue with recent releases, but if your OpenSSL uses a
#   default of 1024 bits, to change the CA from 1024 to 2048 bits, somewhere
#   around row 114 you'll find something like this:
#     print "Making CA certificate ...\n";
#     system ("$REQ -new -keyout " .   
#         "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
#   Replace "-new" with "-newkey rsa:2048"

# And I modify /usr/local/ssl/openssl.cnf with a few:
# - Any paths I need changed, including demoCA (dir = ) as changed in CA.pl
# - default_days to whatever is set in CA.pl
# - default_bits if using something other than 1024 bit CSRs
# - If you want to pre-fill your country, state, town, etc. for certs you
#   can do that in there

# Move any old files out of the way if creating a new CA or keys, certs
cd
test -d ./demoCA.old2 && rm -r ./demoCA.old2/
test -d ./demoCA.old && mv -f ./demoCA.old ./demoCA.old2
test -d ./demoCA && mv -f ./demoCA ./demoCA.old
test -f newcert.pem && mv -f newcert.pem newcert.pem.old
test -f newreq.pem && mv -f newreq.pem newreq.pem.old
test -f newkey.pem && mv -f newkey.pem newkey.pem.old

# Create a CA - certificate authority, to self-sign certificates
/usr/local/ssl/misc/CA.pl -newca
# <enter>
# <CA password - make up one>
# <CA password again>
# Country Code (US)
# State or Province (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization Name (foo.org)
# Organizational Unit name (root)
# Common Name (foo.org CA)
# E-mail address (root@foo.org)
# <enter>
# <enter>
# <CA password>

# Create a CSR (certificate signing request) and a new private key with
# no password (so you don't have to enter the password when you start
# Apache or whatever it is).  Output files will be newreq.pem and newkey.pem
/usr/local/ssl/misc/CA.pl -newreq-nodes
# Country Code (US)
# State or Province Name (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization (foo.org)
# Organizational Unit Name (root, postmaster, webmaster, etc.)
# Certificate name (serverhostnameorappropriatecname.foo.org)
# E-mail address (root@foo.org)
# <enter>
# <enter>

# Now if you need to get a certificate from CAcert or another certificate
# authority, you will probably need to go to their web site and paste in the
# contents of the newreq.pem file so they can create your certificate, which
# they then generally e-mail to you, or e-mail you a link to a web page to
# download it from.  Be aware that if you modified $DAYS above, that has no
# effect on whoever you pay to sign your certificate; it only matters if you
# self-sign yours.
#
# Save the certificate, for now, as newcert.pem

# If you are not using a non-free CA or CAcert, you can self-sign the
# CSR to get you a newcert.pem
/usr/local/ssl/misc/CA.pl -sign
# <CA password>
# y
# y
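# The three CA.pl steps above (-newca, -newreq-nodes, -sign), as an added
# example that is not part of the original HOWTO, done non-interactively with
# the openssl command itself, with the host name verification a client
# performs added at the end.  It assumes the openssl binary is in your PATH;
# the host name, the req.cnf/ext.cnf file names and the function name are
# the example's own.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: what CA.pl -newca,
# -newreq-nodes and -sign do, done non-interactively with the openssl
# command itself, followed by the check a client would make.  The subject
# values are the HOWTO's examples; the host name, the file names req.cnf
# and ext.cnf, and the function name are this example's own.
#
# Two things CA.pl does not do for you:
#  - the server cert gets a subjectAltName.  Browsers and most TLS
#    libraries ignore the CN for host name matching now, so a CN-only
#    cert is rejected by clients even though 'openssl verify' passes it.
#  - the result is verified against the CA with the host name, which is
#    otherwise the failure you discover only when the application starts.
# The CA key is left unencrypted so this runs unattended; on a real CA
# keep the passphrase CA.pl asks for.

make_ca_and_cert() {
  # subshell: cd/umask do not leak into the caller; keys are created 0600
  (
    dir=$1 host=$2
    umask 077
    mkdir -p -m 0700 "$dir" && cd "$dir" || exit 1

    # Minimal config so this does not depend on the installed openssl.cnf;
    # -subj supplies the DN, so the [dn] section can stay empty.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' >> req.cnf
    printf 'keyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> req.cnf

    # -newca: self-signed CA certificate, 3 years ($CADAYS), 2048-bit key
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -sha256 -days 1095 -keyout ca.key -out ca.crt \
      -subj "/C=US/ST=New Jersey/L=Fooville/O=foo.org/OU=root/CN=foo.org CA" \
      2>/dev/null || exit 1

    # -newreq-nodes: server key without a passphrase plus the CSR
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
      -keyout newkey.pem -out newreq.pem \
      -subj "/C=US/ST=New Jersey/L=Fooville/O=foo.org/OU=webmaster/CN=$host" \
      2>/dev/null || exit 1

    # -sign: issue newcert.pem for 1 year ($DAYS) with the extensions a
    # server certificate needs; -CAcreateserial starts the ca.srl counter
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > ext.cnf
    printf 'extendedKeyUsage=serverAuth\n' >> ext.cnf
    openssl x509 -req -in newreq.pem -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -sha256 -extfile ext.cnf -out newcert.pem 2>/dev/null || exit 1

    # The client's view: does newcert.pem chain to ca.crt AND name this host?
    openssl verify -CAfile ca.crt -verify_hostname "$host" newcert.pem >/dev/null 2>&1
  )
}

# Usage: sh make-cert.sh --run www.foo.org   (writes into ~/demoCA like CA.pl)
if [ "${1:-}" = "--run" ]; then
  make_ca_and_cert "$HOME/demoCA" "${2:?host name required}" &&
    echo "newcert.pem verified for $2"
fi
```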

# If you will be using your own CA to sign and verify certificates, you
# will need to keep everything in ./demoCA/  Otherwise, you can remove that,
# but I would recommend backing it up first.  You may find that you need
# it later...  Same goes for the CSR, key, and cert files.  You may find
# too that you need to convert from one format to another depending on
# what you are using it for.

# The files that OpenSSL uses to verify certificates that it has signed and
# to create CRLs 
# Once you copy the *.pem files to whatever location is configured for the
# application (Apache, sendmail, Cyrus-IMAP, whatever), you can remove the
# originals after maybe saving a backup copy and ./demoCA/ if you won't be
# using your own CA again.



Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>