openssl - The Open Source toolkit for SSL/TLS ChangeLog
Web site:https://openssl.org/
Repository:https://github.com/openssl/openssl
Wikipedia:https://en.wikipedia.org/wiki/OpenSSL

HOWTO


# OpenSSL
# =======
# Slackware 14.0: openssl, openssl-solibs 1.0.1c
# Slackware 14.1: openssl, openssl-solibs 1.0.1e
# Slackware 14.2: openssl, openssl-solibs 1.0.2h
# Slackware 15.0: openssl, openssl-solibs 1.1.1m
#
# Check Slackware's 'patches' directory for security upgrades if you
# decide against installing it from source.

# OpenSSL 3.0.12 announcement

# OpenSSL News
# OpenSSL Mailing Lists
# OpenSSL Wiki
# OpenSSL 3.0 man pages
# OpenSSL GitHub issues
# OpenSSL Vulnerabilities
# OpenSSL Blog

# man and HTML format man pages will be installed locally below, but you
# can also view OpenSSL man pages online here:
# https://www.openssl.org/docs/manpages.html

# Keep in mind, if you upgrade OpenSSL, which is used by every SSL/TLS using
# piece of software (unless it uses GnuTLS or wolfSSL instead), you may have some
# serious issues.  For example, you could get yourself kicked out of the
# OpenSSH connection you're using to upgrade it.  If you can't be local, in
# person, you may want to temporarily enable telnet and use that - even
# though, normally, you should never, ever use that.

# If you are not 100% confident in doing this, you may want to consider
# making your own replacement packages, or using someone else's.
# slackbook: Package Management
# Slackware Linux Essentials: Chapter 18 Slackware Package Management
# Wikipedia: Slackware - Packages
# linux.com: Intro to Slackware Package Management
# SlackWiki: Building A Package
# packages.slackware.com
# slackpkg
# Wikipedia: slapt-get
# slackbuilds.org
# slackware.pkgs.org
# alien-pkg-convert
# rpm2tgz
# ...

# OpenSSL Release Strategy
#
# There may be several versions of OpenSSL included below:
# 1.1.0 - no longer supported
# 1.1.1 - no longer supported, EoL as of 2023-09-11
# 3.0   - current LTS version, supported until 2026-09-07
# 3.1   - previous stable version, supported until 2025-03-14
# 3.2   - latest stable version, supported until 2025-11-23

# If you did not specify a prefix in releases prior to 1.1.0, everything
# would end up under /usr/local/ssl
#
# From 1.1.0 onward, prefix /usr/local is used by default, and openssldir is
# prefix/ssl, so here is before:
#
#   /usr/local/ssl/bin
#   /usr/local/ssl/certs
#   /usr/local/ssl/include/openssl
#   /usr/local/ssl/lib
#   /usr/local/ssl/lib/engines
#   /usr/local/ssl/lib/pkgconfig
#   /usr/local/ssl/man
#   /usr/local/ssl/misc
#   /usr/local/ssl/private
#
# and here is after:
#
#   /usr/local/bin
#   /usr/local/include/openssl
#   /usr/local/lib
#   /usr/local/lib/engines-1.1 (and now: engines-3)
#   /usr/local/lib/pkgconfig
#   /usr/local/share/doc/openssl
#   /usr/local/share/man
#   /usr/local/ssl/certs
#   /usr/local/ssl/misc
#   /usr/local/ssl/private

# If you have trouble with the download URL below, either find a mirror
# in the latest list:
# https://www.openssl.org/source/mirror.html
# or try one of these, which I've used and/or checked in the past and do not
# guarantee to be updated and current:
#
# https://mirrors.ibiblio.org/openssl/source/ (HTTP, US)
# http://artfiles.org/openssl.org/source/ (HTTP, Germany)
# ftp://ftp.fi.muni.cz/pub/openssl/ (FTP, Czech Republic)
# ftp://ftp.kfki.hu/pub/packages/security/openssl/ (FTP, Hungary)
#
# wget and curl support FTP, but if you were going to use your GUI browser
# and your browser has removed FTP support, you can use something like
# FileZilla or gFTP or Konqueror or lynx for those.
# Wikipedia: Comparison of FTP client software

# If you get an error about certificate verification when downloading with
# wget, you can use 'wget --no-check-certificate URL', but you're better off
# fixing/implementing certificates for verification.  If you have Slackware's
# 'ca-certificates' package, for example, making /usr/local/ssl/certs a
# symlink to /etc/ssl/certs will take care of that problem.

# I always get the checksums used below from the announce mailing list, make
# sure it is the same on the web site Source page, and/or verify the tarball
# with gpg (GnuPG).

# If you upgrade from one full version (1.0.1x) to another (1.0.2x), there
# may be old shared library files left behind from the old version in
# /usr/local/ssl/lib (or .../lib64).  Some binaries may be linked to the
# old version's shared library files (i.e. libcrypto.so.1.0.0) instead of
# non-specific symlink (libcrypto.so or libcrypto.so.1), so be aware that
# if you remove the old ones, some things may break until you re-compile
# them.  Running this as root:
#   lsof /usr/local/ssl/lib*/libssl.so* | awk '{ print $1 }' | sort | uniq
#   lsof /usr/local/lib*/lib{crypto,ssl}.so*
# and the same with /usr/lib*/libssl.so* if replacing a Slackware package,
# should give you an idea of some OpenSSL-linked daemons that are currently
# running on your system.  If replacing a Slackware or other distribution
# package, you should check /usr/lib*/libssl.so* too.
#
# There is a list of OpenSSL-using applications at the bottom of this page
# that may help if some command-line programs stop working.  To see if
# a particular binary is linked with an OpenSSL shared library or not, run
# ldd on it (ldd /bin/foo), looking for libcrypto or libssl in the output.
# The safe solution would be to just leave the old files there until you're
# positive that nothing is using them.

# Note:
# As of 1.0.1s and 1.0.2g, SSLv2 is disabled
# As of 1.1.0, SSLv2 support was removed
# As of 1.1.1, TLSv1.3 was added

# Prerequisites:
# Perl
# bc (for certain 'make test' tests)


# OpenSSL 3.0.12 (2023-10-24, current LTS version)
# ==============
# OpenSSL 3.0 will be supported until 2026-09-07

# All 3.x.x releases are API/ABI compatible

# migration_guide

# Get it
cd
test -f installed/openssl-3.0.12.tar.gz &&
mv installed/openssl-3.0.12.tar.gz .
test ! -f openssl-3.0.12.tar.gz &&
wget https://www.openssl.org/source/openssl-3.0.12.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-3.0.12.tar.gz)
echo "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b\
61  openssl-3.0.12.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 7DF9EE8C > /dev/null 2>&1 || gpg --recv-keys 7DF9EE8C ) &&
wget -nc https://www.openssl.org/source/openssl-3.0.12.tar.gz.asc &&
  gpg --verify openssl-3.0.12.tar.gz.asc && rm openssl-3.0.12.tar.gz.asc

# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-3.0.12.tar.gz
cd openssl-3.0.12
test $UID = 0 && chown -R root:root .

## Configure and then build it

# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc.  See
# here for more info:
# less ./README.md
# less ./INSTALL.md
# OpenSSL FAQ - Questions on Building and Testing OpenSSL
# OpenSSL Wiki - Compilation and Installation

# If upgrading, read:
# less ./CHANGES.md for full details and NEWS.md for a brief summary

# If you run configure with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl as it did with
# versions < 1.1.0, use --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl

# As of 1.1.0, shared (.so) builds are default, prior to that static (.a)
# libraries were the default, './config shared' is no longer needed (but
# still works).  If you do _not_ want shared libraries, use 'no-shared'.

# If you are upgrading from 1.1.1 to 3.0.x, shared library files go from
# libcrypto.so.1.0.0 and libssl.so.1.0.0 to .3  There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.0.0 will be broken if you remove those old files.
# Safer to not remove the old ones.
#
# If you install OpenSSL 3.0.x and then go to build something using it,
# and see warnings like these:
# warning: libssl.so.1.1, needed by /usr/lib64/libldap-x.x.so.x,
# may conflict with libssl.so.3
# That specific one tells you that you need to rebuild and install OpenLDAP

# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64 enable-fips

# Configure it for anything else
test $(uname -m) != "x86_64" && ./config enable-fips

# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc).  If you have /usr/local/share/{doc,man}
# -> /usr/local/{doc,man} symlinks, not necessary.  You can also pass
# DOCDIR and MANDIR to 'make install'
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile \
-e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' \
-e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'

# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed.  If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl

# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
test -d /etc/ssl &&
  ( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
    cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +&Y%m%d)/
    rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# ('make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
#  DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
make install

## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:

# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
rm -r /usr/local/ssl/bin

# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
rm -r /usr/local/ssl/include

# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0

FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
test -d /usr/local/ssl/${FOO} &&
( cd /usr/local/ssl/${FOO}
   cp -ai lib*.so.* /usr/local/${FOO}/ &&
    rm -r /usr/local/ssl/${FOO} )
unset FOO

# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located

# If you used the default OpenSSL prefix (/usr/local), which would put
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/ssl/${FOO}
   ln -sf libcrypto.so.1.1 libcrypto.so.1
   ln -sf libssl.so.1.1 libssl.so.1
   egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If the library path changed, and you did not update /etc/ld.so.conf above,
# do so now

# Update /etc/ld.so.cache
ldconfig

# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/.  Make very,
# very sure that nothing else is using those before removing them.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
# http://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz

# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course.  During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/

# You can also read the man pages for 3.0.x here:
# https://www.openssl.org/docs/man3.0/

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-3.0.12.tar.gz installed/

# Skip down to the bottom for a few more things to set up


# OpenSSL 1.1.1w (previous LTS version)
# ==============
# OpenSSL 1.1.1 will be supported until 2023-09-11

# OpenSSL 1.1.1 End of Life
# OpenSSL 1.1.1 Series Release Notes
# OpenSSL 1.1.1 Series ChangeLog
# Migration Guide (look for "Upgrading from ______")

# Get the source it
cd
test -f installed/openssl-1.1.1w.tar.gz &&
mv installed/openssl-1.1.1w.tar.gz .
test ! -f openssl-1.1.1w.tar.gz &&
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.1w.tar.gz)
# (and this too: shasum -a 256 openssl-1.1.1w.tar.gz)
# (and this too:
#  php -r "echo hash_file('sha256', 'openssl-1.1.1w.tar.gz') . PHP_EOL;")
echo "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76a\
c8  openssl-1.1.1w.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
# (the following key, as this is written, is located here:
#  https://keys.openpgp.org/search?q=openssl-omc%40openssl.org)
( gpg --list-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 > /dev/null 2>&1 ||
gpg --keyserver keys.openpgp.org \
  --recv-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 ) &&
wget -nc https://www.openssl.org/source/openssl-1.1.1w.tar.gz.asc &&
  gpg --verify openssl-1.1.1w.tar.gz.asc && rm openssl-1.1.1w.tar.gz.asc

# Extract the source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
test $UID = 0 && chown -R root:root .

## Configure and then build it

# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc.  See
# here for more info:
# less ./INSTALL
# OpenSSL FAQ - Questions on Building and Testing OpenSSL
# OpenSSL Wiki - Compilation and Installation

# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl as it did with
# versions < 1.1.0, use --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl

# As of 1.1.0, shared (.so) builds are default, prior to that static (.a)
# libraries were the default, './config shared' is no longer needed (but
# still works).  If you do _not_ want shared libraries, use 'no-shared'.

# If you are upgrading from 1.1.x to 3.0.x, shared library files go from
# libcrypto.so.1.1.0 and libssl.so.1.1.0 to .3  There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.1.0 will be broken if you remove those old files.

# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64

# Configure it for anything else
test $(uname -m) != "x86_64" && ./config

# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc).  If you have /usr/local/share/{doc,man}
# -> /usr/local/{doc,man} symlinks, not necessary.  You can also pass
# DOCDIR and MANDIR to 'make install'
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile \
-e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' \
-e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'

# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed.  If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl

# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
test -d /etc/ssl &&
  ( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
    cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +&Y%m%d)/
    rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# (only because 'make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
#  DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
# (or create symlinks:
#  /usr/local/shared/doc -> /usr/local/doc
#  /usr/local/shared/man -> /usr/local/man)
make install

# The FIPS module (and legacy) is installed here:
# /usr/local/lib64/ossl-modules/fips.so
# /usr/local/ssl/fipsmodule.cnf

## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:

# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
rm -r /usr/local/ssl/bin

# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
rm -r /usr/local/ssl/include

# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0

FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
test -d /usr/local/ssl/${FOO} &&
( cd /usr/local/ssl/${FOO}
   cp -ai lib*.so.* /usr/local/${FOO}/ &&
    rm -r /usr/local/ssl/${FOO} )
unset FOO

# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located

# If you used the default OpenSSL prefix (/usr/local), which would put
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf
# If you have .so.1.1 you might make .so.1 symlinks here, but since the
# "real" files are .so.3 that is not needed, and .so ones were already
# created.
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.3 &&
( cd /usr/local/${FOO}
   egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf
# If you have .so.1.1 you might make .so.1 symlinks here, but since the
# "real" files are .so.3 that is not needed, and .so ones were already
# created.
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.3 &&
( cd /usr/local/ssl/${FOO}
   egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If the library path changed, and you did not update /etc/ld.so.conf above,
# do so now

# Update /etc/ld.so.cache
ldconfig

# If you upgraded from a 1.x.x version to a 3.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/.  Make very,
# very sure that nothing else is using those before removing them.
# Apache httpd, sendmail, sshd, master|imapd|lmtpd|lmtpd (Cyrus), syslog-ng,
# and many other things that use OpenSSL may be running right now with
# the 1.x.x shared library files still in use.  You will need to re-build
# and re-install those, and other ones that do not run as a daemon
# like wget, curl, lynx, etc., etc.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
# http://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz

# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course.  During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/

# You can also read the man pages for 1.1.1 here:
# https://www.openssl.org/docs/man1.1.1/
# https://www.openssl.org/docs/man3.0/

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.1w.tar.gz installed/

# Skip down to the bottom for a few more things to set up


# Post-install setup
# ==================
# If you installed >= 1.1.0 into the /usr prefix, then you don't need to do
# anything related to setting PATH, MANPATH, PKG_CONFIG_PATH, the
# symlink to /etc/ssl/certs, etc.  Do continue to the list of things you may
# need to restart or rebuild though.

# Become root
# su, sudo bash, whatever your preference
su -

# If you had previously used prefix /usr/local/ssl and upgraded to >= 1.1.0
# using prefix /usr/local, you should not need an /etc/profile.d/openssl.sh
# to update PATH, MANPATH, and PKG_CONFIG_PATH any more.  If you do remove
# it, you will need to log out and back in to see the changes (or source it).
#
# If you use --prefix=/usr/local/ssl (default < 1.1.0), create an
# /etc/profile.d/openssl.sh that will set up the correct directories in PATH
# and MANPATH and with the update to PKG_CONFIG_PATH, the pkg-config program
# will be able to find libcrypto.pc, libssl.pc, and openssl.pc  If you use
# other shells like csh, create a /etc/profile.d/openssl.csh too.
cat << EOF > /etc/profile.d/openssl.sh
#!/bin/sh
test -d /usr/local/ssl/bin &&
export PATH=/usr/local/ssl/bin:\$PATH
test -d /usr/local/ssl/man &&
export MANPATH=/usr/local/ssl/man:\$MANPATH
if [ -d /usr/local/ssl/lib64/pkgconfig ]; then
  SSLPCDIR=/usr/local/ssl/lib64/pkgconfig
elif [ -d /usr/local/ssl/lib/pkgconfig ]; then
  SSLPCDIR=/usr/local/ssl/lib/pkgconfig
fi
if [ -n "\$SSLPCDIR" -a -d "\$SSLPCDIR" -a ! -L "\$SSLPCDIR" ]; then
  if [ -n "\$PKG_CONFIG_PATH" ]; then
    PKG_CONFIG_PATH="\$PKG_CONFIG_PATH:\${SSLPCDIR}"
  else
    PKG_CONFIG_PATH="\$SSLPCDIR"
  fi
  export PKG_CONFIG_PATH
fi
unset SSLPCDIR
EOF
chmod 755 /etc/profile.d/openssl.sh

# If you have Slackware's ca-certificates package installed, do this to keep
# an updated list that the new OpenSSL will be aware of.  You can also
# update ETCCERTSDIR in update-ca-certificates to avoid having to create the
# symlink.  If you used --prefix=/usr and --openssldir=/etc/ssh, you don't
# need a symlink because that is the real path used already.
test -d /usr/local/ssl/certs && rmdir /usr/local/ssl/certs
test ! -d /etc/ssl/certs && mkdir -p /etc/ssl/certs
ln -s /etc/ssl/certs /usr/local/ssl/certs
test -x /usr/sbin/update-ca-certificates &&
/usr/sbin/update-ca-certificates --verbose

## If there are security fixes in the new version, you should immediately
## rebuild any apps that linked with the static libraries (.a) and you should
## restart any apps that are linked with the shared libraries (.so) - which
## will only help if they are binary compatible with the new version
## libraries.  To find apps that are currently running that are linked with
## the shared libraries, try running this as root for libssl and libcrypto.
## If you changed prefixes while upgrading and you have not restarted
## anything yet, use the path to the old version.
# find /usr/local/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/local/ssl/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/lib*/ -name "libssl.so*" -exec lsof {} \;

# If you're not sure if a particular binary is linked to OpenSSL or not, run
# ldd on it.  If it is linked with the shared libraries it will output
# something like this:
# libssl.so.1.0.0 => /usr/local/ssl/lib64/libssl.so.1.0.0 (0x00007f92f53d9000)
# libcrypto.so.1.0.0 => /usr/local/ssl/lib64/libcrypto.so.1.0.0 (0x00007f92f4ffa000)
# or this:
# libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f7ad294a000)
# libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f3100efd000)
# or this:
# libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f87063e7000)
# libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f8706a6e000)

## If you run BIND named in a chroot jail, you may need to copy the
## shared library files there
# mkdir -p /named/files/are/in/here/usr/local/lib64/engines-3
# find /usr/local/lib64/ -maxdepth 1 -name libcrypto.* \
#  -exec cp -p {} /named/files/are/in/here/usr/local/lib64/ \;
# find /usr/local/lib64/ -maxdepth 1 -name libssl.* \
#  -exec cp -p {} /named/files/are/in/here/usr/local/lib64/ \;
# find /usr/local/lib64/engines-3/ -type f \
#  -exec cp -p {} /named/files/are/in/here/usr/local/lib64/engines-3/ \;
# find /usr/local/lib64/ossl-modules/ -type f \
#  -exec cp -p {} /named/files/are/in/here/usr/local/lib64/ossl-modules/ \;
## Example of doing all of it with BIND chroot in /var/named
test -d /var/named/usr/local/lib64 &&
( cd /var/named/usr/local/lib64
   cp -a /usr/local/lib64/libcrypto.* .
   cp -a /usr/local/lib64/libssl.* .
   mkdir -p -m 0700 engines-3 ossl-modules
   cp -a /usr/local/lib64/engines-3/* engines-3/
   cp -a /usr/local/lib64/ossl-modules/* ossl-modules/ )

# Become your non-root user again
exit

# If you created a /etc/profile.d/openssl.sh, source it to add the
# appropriate directories to your current shell's PATH, MANPATH, and
# PKG_CONFIG_PATH
test -f /etc/profile.d/openssl.sh && . /etc/profile.d/openssl.sh

# Here are some daemon-type software that is commonly linked with OpenSSL
# libraries:
# Apache 2.x's httpd (named 'apache2' in Ubuntu)
# BIND's named (and dig, host, ...)
# CUPS' cupsd
# Cyrus IMAP's master, fud, imapd, lmtpd, pop3d
# Cyrus SASL's saslauthd
# fetchmail (when running as a daemon)
# IMAP Proxy's in.imapproxyd
# MySQL's mysqld
# NTP's ntpd
# NUT's upsd, upsmon, usbhid-ups, ...
# OpenLDAP's slapd and slurpd
# OpenSSH's sshd
# Postfix's master, qmgr, pickup
# ProFTPD
# Python (e.g. Mailman)
# Samba's smbd and nmbd
# sendmail
# stunnel
# syslog-ng
# ucd/net-snmp's snmpd
# vsftpd
#
# Here are some non-daemon apps that may be linked with openssl:
#
# curl
# lftp
# links
# lynx
# nail, mailx's /bin/mail
# neon
# Pine/Alpine/Re-Alpine
# Python
# tcpdump
# wget


# Creating SSL certs for an application to use
# ============================================#
# Make sure /usr/local/ssl/bin is in your PATH (or whatever directory has
# the openssl binary in it):
echo $PATH | grep -q "/usr/local/ssl/bin" ||
export PATH=$PATH:/usr/local/ssl/bin

# OpenSSL installed from source is installed under /usr/local/ssl by
# default, leaving the openssl binary in /usr/local/ssl/bin.  If you are
# using a distribution package, or it was installed from source under the
# /usr prefix, your openssl binary will be in /usr/bin, which is usually
# in the PATH by default.  In /usr prefix installations, CA.pl may be
# in /etc/ssl/misc as in Slackware or /usr/lib/ssl/misc as in Ubuntu.

# I typically modify CA.pl with these changes:
# - Change $DAYS if you want (self-signed) certificates longer than 1 year
# - Change $CADAYS if you want the CA to exist longer than 3 years
# - Change $CATOP if you want the CA files to go somewhere other than
#   ~/demoCA/
# - This is not an issue with recent releases, but if your OpenSSL uses a
#   default of 1024 bits, to change the CA from 1024 to 2048 bits, somewhere
#   around row 114 you'll find something like this:
#     print "Making CA certificate ...\n";
#     system ("$REQ -new -keyout " .   
#         "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
#   Replace "-new" with "-newkey rsa:2048"

# And I modify /usr/local/ssl/openssl.cnf with a few:
# - Any paths I need changed, including demoCA (dir = ) as changed in CA.pl
# - default_days to whatever is set in CA.pl
# - default_bits if using something other than 1024 bit CSRs
# - If you want to pre-fill your country, state, town, etc. for certs you
#   can do that in there

# Move any old files out of the way if creating a new CA or keys, certs
cd
test -d ./demoCA.old2 && rm -r ./demoCA.old2/
test -d ./demoCA.old && mv -f ./demoCA.old ./demoCA.old2
test -d ./demoCA && mv -f ./demoCA ./demoCA.old
test -f newcert.pem && mv -f newcert.pem newcert.pem.old
test -f newreq.pem && mv -f newreq.pem newreq.pem.old
test -f newkey.pem && mv -f newkey.pem newkey.pem.old

# Create a CA - certificate authority, to self-sign certificates
/usr/local/ssl/misc/CA.pl -newca
# <enter>
# <CA password - make up one>
# <CA password again>
# Country Code (US)
# State or Province (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization Name (foo.org)
# Organizational Unit name (root)
# Common Name (foo.org CA)
# E-mail address (root@foo.org)
# <enter>
# <enter>
# <CA password>

# Create a CSR (certificate signing request) and a new private key with
# no password (so you don't have to enter the password when you start
# Apache or whatever it is).  Output files will be newreq.pem and newkey.pem
/usr/local/ssl/misc/CA.pl -newreq-nodes
# Country Code (US)
# State or Province Name (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization (foo.org)
# Organizational Unit Name (root, postmaster, webmaster, etc.)
# Certificate name (serverhostnameorappropriatecname.foo.org)
# E-mail address (root@foo.org)
# <enter>
# <enter>

# Now if you need to get a certificate from CAcert or another
# certificate authority, you will probably need to go to their web site and
# cut and paste the contents of the newreq.pem file in order for them to
# create your certificate, which they then generally e-mail to you, or e-mail
# you to go to a web page to download it.  Just be aware that if you
# modified $DAYS above, that will have no effect on whoever you pay to
# sign your SSL certificate, that would only matter if you self-sign yours.
#
# Save the certificate, for now, as newcert.pem

# If you are not using a non-free CA or CAcert, you can self-sign the
# CSR to get you a newcert.pem
/usr/local/ssl/misc/CA.pl -sign
# <CA password>
# y
# y

# If you will be using your own CA to sign and verify certificates, you
# will need to keep everything in ./demoCA/  Otherwise, you can remove that,
# but I would recommend backing it up first.  You may find that you need
# it later...  Same goes for the CSR, key, and cert files.  You may find
# too that you need to convert from one format to another depending on
# what you are using it for.

# The files that OpenSSL uses to verify certificates that it has signed and
# to create CRLs
# Once you copy the *.pem files to whatever location is configured for the
# application (Apache, sendmail, Cyrus-IMAP, whatever), you can remove the
# originals after maybe saving a backup copy and ./demoCA/ if you won't be
# using your own CA again.

List of HOWTOs
Web page itself last updated: 2023-09-26 1:12am (EST -0500)
HOWTO last updated: 2023-12-01 7:16pm
Copyright © 2001-2023 Jason Englander. All Rights reserved.
[HTML5]