HOWTO
# OpenSSL
# =======
# Slackware 13.37: openssl, openssl-solibs 0.9.8r
# Slackware 14.0: openssl, openssl-solibs 1.0.1c
# Slackware 14.1: openssl, openssl-solibs 1.0.1e
# Slackware 14.2: openssl, openssl-solibs 1.0.2h
# Slackware 15.0: openssl, openssl-solibs 1.1.1m
#
# Check Slackware's 'patches' directory for security upgrades if you
# decide against installing it from source.
# Go here for news about OpenSSL security advisories and new releases:
#
# https://www.openssl.org/news/
# man and HTML format man pages will be installed locally below, but you
# can also view OpenSSL man pages online here:
#
# https://www.openssl.org/docs/manpages.html
# Keep in mind that if you upgrade OpenSSL, which is used by every piece of
# SSL/TLS-using software (unless it uses GnuTLS instead), you may have some
# serious issues. For example, you could get yourself kicked out of the
# OpenSSH connection you're using to upgrade it. If you can't be at the
# console in person, you may want to temporarily enable telnet and use that
# - even though, normally, you should never, ever use that.
# If you are not 100% confident in doing this, you may want to consider
# making your own replacement packages, or using someone else's.
#
# slackbook: Package Management
# Slackware Linux Essentials: Chapter 18 Slackware Package Management
# Wikipedia: Slackware - Packages
# linux.com: Intro to Slackware Package Management
# SlackWiki: Building A Package
# packages.slackware.com
# slackpkg
# Wikipedia: slapt-get
# slackbuilds.org
# slackware.pkgs.org
# alien-pkg-convert
# rpm2tgz
# ...
#
# OpenSSL Release Strategy
#
# There are several versions of OpenSSL included below: the latest in the
# 1.1.0 (not supported) and 1.1.1 (long term support) branches.
#
# As this is written, OpenSSL 3.0.x has been released and 3.0 will be
# supported until 2023-09-07.
# If you did not specify a prefix in releases prior to 1.1.0, everything
# would end up under /usr/local/ssl.
#
# From 1.1.0 onward, prefix /usr/local is used by default, and openssldir is
# prefix/ssl, so here is before:
#
# /usr/local/ssl/bin
# /usr/local/ssl/certs
# /usr/local/ssl/include/openssl
# /usr/local/ssl/lib
# /usr/local/ssl/lib/engines
# /usr/local/ssl/lib/pkgconfig
# /usr/local/ssl/man
# /usr/local/ssl/misc
# /usr/local/ssl/private
#
# and here is after:
#
# /usr/local/bin
# /usr/local/include/openssl
# /usr/local/lib
# /usr/local/lib/engines-1.1
# /usr/local/lib/pkgconfig
# /usr/local/share/doc/openssl
# /usr/local/share/man
# /usr/local/ssl/certs
# /usr/local/ssl/misc
# /usr/local/ssl/private
# If you have trouble with the download URL below, either find a mirror
# in the latest list:
#
# https://www.openssl.org/source/mirror.html
#
# or try one of these, which I've used and/or checked in the past and do not
# guarantee to be updated and current:
#
# http://mirrors.ibiblio.org/openssl/source/ (HTTP, US)
# ftp://ftp.fi.muni.cz/pub/openssl/ (FTP, Czech Republic)
# http://artfiles.org/openssl.org/source/ (HTTP, Germany)
# ftp://ftp.kfki.hu/pub/packages/security/openssl/ (FTP, Hungary)
# If you get an error about certificate verification when downloading with
# wget, you can use 'wget --no-check-certificate URL', but you're better off
# fixing/implementing certificates for verification. If you have Slackware's
# 'ca-certificates' package, for example, making /usr/local/ssl/certs a
# symlink to /etc/ssl/certs will take care of that problem.
# I always get the checksums used below from the announce mailing list, make
# sure they match the Source page on the web site, and/or verify the tarball
# with gpg (GnuPG).
# If you upgrade from one full version (1.0.1x) to another (1.0.2x), there
# may be old shared library files left behind from the old version in
# /usr/local/ssl/lib (or .../lib64). Some binaries may be linked to the
# old version's real shared library file names (e.g. libcrypto.so.1.0.0)
# rather than the version-neutral symlinks (libcrypto.so or libcrypto.so.1),
# so be aware that if you remove the old ones, some things may break until
# you re-compile them. Running this as root:
# lsof /usr/local/ssl/lib*/libssl.so* | awk '{ print $1 }' | sort | uniq
# should give you an idea of the OpenSSL-linked daemons that are currently
# running on your system. If you are replacing a Slackware or other
# distribution package, run the same against /usr/lib*/libssl.so* too.
#
# There is a list of OpenSSL-using applications at the bottom of this page
# that may help if some command-line programs stop working. To see if
# a particular binary is linked with an OpenSSL shared library or not, run
# ldd on it (ldd /bin/foo), looking for libcrypto or libssl in the output.
# The safe solution is to leave the old files there until you're
# positive that nothing is using them.
# Note:
# As of 1.0.1s and 1.0.2g, SSLv2 is disabled
# As of 1.1.0, SSLv2 support was removed
# As of 1.1.1, TLSv1.3 was added
# Prerequisites:
# Perl
# bc (for certain 'make test' tests)
# OpenSSL 1.1.1t (LTS version)
# ==============
# OpenSSL 1.1.1 will be supported until 2023-09-11
# Get it
cd
test -f installed/openssl-1.1.1t.tar.gz &&
mv installed/openssl-1.1.1t.tar.gz .
test ! -f openssl-1.1.1t.tar.gz &&
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz
# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.1t.tar.gz)
echo "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b openssl-1.1.1t.tar.gz" | sha256sum -c
# Verify tarball w/ gpg:
( gpg --list-keys 1CA79E6D > /dev/null 2>&1 || gpg --recv-keys 1CA79E6D ) &&
wget -nc https://www.openssl.org/source/openssl-1.1.1t.tar.gz.asc &&
gpg --verify openssl-1.1.1t.tar.gz.asc && rm openssl-1.1.1t.tar.gz.asc
# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.1t.tar.gz
cd openssl-1.1.1t
test $UID = 0 && chown -R root:root .
## Configure and then build it
# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc. See
# here for more info:
# less ./INSTALL
#
# OpenSSL FAQ - Questions on Building and Testing OpenSSL
# OpenSSL Wiki - Compilation and Installation
# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl, use
# --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl
# As of 1.1.0, shared (.so) builds are default, prior to that static (.a)
# libraries were the default, './config shared' is no longer needed (but
# still works). If you do _not_ want shared libraries, use 'no-shared'.
# If you are upgrading from 1.0.x to 1.1.1, the shared library files go from
# libcrypto.so.1.0.0 and libssl.so.1.0.0 to .1.1. There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.0.0 will be broken if you remove those old files.
# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64
# Configure it for anything else
test $(uname -m) != "x86_64" && ./config
# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc). If you have /usr/local/share/{doc,man}
# -> /usr/local/{doc,man} symlinks, this is not necessary. You can also pass
# DOCDIR and MANDIR to 'make install'.
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile -e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' -e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'
# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make
# Test the build
make test
# Now become root to install it
su
## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed. If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl
# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;
# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
test -d /etc/ssl &&
( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +%Y%m%d)/
rm -r /etc/ssl )
# If /usr/local/ssl/certs is a symlink, remove it temporarily
# ('make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs
# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
# DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
make install
## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:
# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
rm -r /usr/local/ssl/bin
# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
rm -r /usr/local/ssl/include
# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
test -d /usr/local/ssl/${FOO} &&
( cd /usr/local/ssl/${FOO}
cp -ai lib*.so.* /usr/local/${FOO}/ &&
rm -r /usr/local/ssl/${FOO} )
unset FOO
# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located
# If you used the default OpenSSL prefix (/usr/local), which would put
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/${FOO}
ln -sf libcrypto.so.1.1 libcrypto.so.1
ln -sf libssl.so.1.1 libssl.so.1
egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
echo "/usr/local/${FOO}" >> /etc/ld.so.conf )
unset FOO
# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/ssl/${FOO}
ln -sf libcrypto.so.1.1 libcrypto.so.1
ln -sf libssl.so.1.1 libssl.so.1
egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
unset FOO
# If the library path changed, and you did not update /etc/ld.so.conf above,
# do so now
# Update /etc/ld.so.cache
ldconfig
# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/. Make very,
# very sure that nothing else is using those before removing them.
# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .
# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
#
# http://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz
# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course. During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/
# You can also read the man pages for 1.1.1 here:
#
# https://www.openssl.org/docs/man1.1.1/
# Become your non-root user again
exit
# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.1t.tar.gz installed/
# Skip down to the bottom for a few more things to set up
# OpenSSL 1.1.0l
# ==============
# OpenSSL 1.1.0 is no longer supported; you should upgrade to 1.1.1 or
# 3.0.0.
# The following versions of ISC BIND (and older) cannot build against
# this version of OpenSSL:
# 9.9.9-P3
# 9.10.4-P3
# 9.11.0rc3
#
# Cyrus IMAP does not fully support OpenSSL 1.1.0 until version 3.0.0
# Get it
cd
test -f installed/openssl-1.1.0l.tar.gz &&
mv installed/openssl-1.1.0l.tar.gz .
test ! -f openssl-1.1.0l.tar.gz &&
wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz
# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.0l.tar.gz)
echo "74a2f756c64fd7386a29184dc0344f4831192d61dc2481a93a4c5dd727f41148 openssl-1.1.0l.tar.gz" | sha256sum -c
# Verify tarball w/ gpg:
( gpg --list-keys 7DF9EE8C > /dev/null 2>&1 || gpg --recv-keys 7DF9EE8C ) &&
wget -nc http://openssl.org/source/openssl-1.1.0l.tar.gz.asc &&
gpg --verify openssl-1.1.0l.tar.gz.asc && rm openssl-1.1.0l.tar.gz.asc
# Extract it
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.0l.tar.gz
cd openssl-1.1.0l
test $UID = 0 && chown -R root:root .
## Configure and then build it
# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc. See
# here for more info:
# less ./INSTALL
#
# https://www.openssl.org/docs/faq.html#MISC6
# https://wiki.openssl.org/index.php/Compilation_and_Installation
# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the new default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl, use
# --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl
# As of 1.1.0, shared (.so) builds are default, prior to that static (.a)
# libraries were the default, './config shared' is no longer needed (but
# still works). If you do _not_ want shared libraries, use 'no-shared'.
# If you are upgrading from 1.0.x to 1.1.0, the shared library files go from
# libcrypto.so.1.0.0 and libssl.so.1.0.0 to .1.1. There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.0.0 will be broken if you remove those old files.
# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64
# Configure it for anything else
test $(uname -m) != "x86_64" && ./config
# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc). If you have /usr/local/share/{doc,man} ->
# /usr/local/{doc,man} symlinks, this is not necessary. You can also pass
# DOCDIR and MANDIR to 'make install'.
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile -e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' -e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'
# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make
# Test the build
make test
# Now become root to install it
su
## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed. If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl
# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;
# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
test -d /etc/ssl &&
( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +%Y%m%d)/
rm -r /etc/ssl )
# If /usr/local/ssl/certs is a symlink, remove it temporarily
# ('make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs
# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
# DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
make install
## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:
# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
rm -r /usr/local/ssl/bin
# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
rm -r /usr/local/ssl/include
# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
test -d /usr/local/ssl/${FOO} &&
( cd /usr/local/ssl/${FOO}
cp -ai lib*.so.* /usr/local/${FOO}/ &&
rm -r /usr/local/ssl/${FOO} )
unset FOO
# If the library path changed, update /etc/ld.so.conf if necessary, and run
# ldconfig
# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located
# If you used the default OpenSSL prefix (/usr/local), which would put
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/${FOO}
ln -sf libcrypto.so.1.1 libcrypto.so.1
ln -sf libssl.so.1.1 libssl.so.1
egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
echo "/usr/local/${FOO}" >> /etc/ld.so.conf )
unset FOO
# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.1.1 &&
( cd /usr/local/ssl/${FOO}
ln -sf libcrypto.so.1.1 libcrypto.so.1
ln -sf libssl.so.1.1 libssl.so.1
egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
unset FOO
# If you upgraded from a 0.x.x version to a 1.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/. Make very,
# very sure that nothing else is using those before removing them.
# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .
# You may want to install certwatch as the Slackware package does, run
# out of /etc/cron.daily:
#
# http://ftp.slackware.com/pub/slackware/slackware-current/source/n/openssl/certwatch.gz
# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course. During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/
# You can also read the man pages for 1.1.0 here:
#
# https://www.openssl.org/docs/man1.1.0/
# Become your non-root user again
exit
# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.0l.tar.gz installed/
# Skip down to the bottom for a few more things to set up
# Post-install setup
# ==================
# If you installed >= 1.1.0 into the /usr prefix, then you don't need to do
# anything related to setting PATH, MANPATH, PKG_CONFIG_PATH, the
# symlink to /etc/ssl/certs, etc. Do continue to the list of things you may
# need to restart or rebuild though.
# Become root
# su, sudo bash, whatever your preference
su -
# If you had previously used prefix /usr/local/ssl and upgraded to >= 1.1.0
# using prefix /usr/local, you should not need an /etc/profile.d/openssl.sh
# to update PATH, MANPATH, and PKG_CONFIG_PATH any more. If you do remove
# it, you will need to log out and back in to see the changes (or source it).
#
# If you use --prefix=/usr/local/ssl (default < 1.1.0), create an
# /etc/profile.d/openssl.sh that will set up the correct directories in PATH
# and MANPATH; with the update to PKG_CONFIG_PATH, the pkg-config program
# will be able to find libcrypto.pc, libssl.pc, and openssl.pc. If you use
# other shells like csh, create a /etc/profile.d/openssl.csh too.
cat << EOF > /etc/profile.d/openssl.sh
#!/bin/sh
test -d /usr/local/ssl/bin &&
export PATH=/usr/local/ssl/bin:\$PATH
test -d /usr/local/ssl/man &&
export MANPATH=/usr/local/ssl/man:\$MANPATH
if [ -d /usr/local/ssl/lib64/pkgconfig ]; then
SSLPCDIR=/usr/local/ssl/lib64/pkgconfig
elif [ -d /usr/local/ssl/lib/pkgconfig ]; then
SSLPCDIR=/usr/local/ssl/lib/pkgconfig
fi
if [ -n "\$SSLPCDIR" -a -d "\$SSLPCDIR" -a ! -L "\$SSLPCDIR" ]; then
if [ -n "\$PKG_CONFIG_PATH" ]; then
PKG_CONFIG_PATH="\$PKG_CONFIG_PATH:\${SSLPCDIR}"
else
PKG_CONFIG_PATH="\$SSLPCDIR"
fi
export PKG_CONFIG_PATH
fi
unset SSLPCDIR
EOF
chmod 755 /etc/profile.d/openssl.sh
# If you have Slackware's ca-certificates package installed, do this to keep
# an updated list that the new OpenSSL will be aware of. You can also
# update ETCCERTSDIR in update-ca-certificates to avoid having to create the
# symlink. If you used --prefix=/usr and --openssldir=/etc/ssl, you don't
# need a symlink because that is the real path used already.
test -d /usr/local/ssl/certs && rmdir /usr/local/ssl/certs
test ! -d /etc/ssl/certs && mkdir -p /etc/ssl/certs
ln -s /etc/ssl/certs /usr/local/ssl/certs
test -x /usr/sbin/update-ca-certificates &&
/usr/sbin/update-ca-certificates --verbose
## If there are security fixes in the new version, you should immediately
## rebuild any apps that linked with the static libraries (.a) and you should
## restart any apps that are linked with the shared libraries (.so) - which
## will only help if they are binary compatible with the new version
## libraries. To find apps that are currently running that are linked with
## the shared libraries, try running this as root for libssl and libcrypto.
## If you changed prefixes while upgrading and you have not restarted
## anything yet, use the path to the old version.
# find /usr/local/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/local/ssl/lib*/ -name "libssl.so*" -exec lsof {} \;
# find /usr/lib*/ -name "libssl.so*" -exec lsof {} \;
# If you're not sure if a particular binary is linked to OpenSSL or not, run
# ldd on it. If it is linked with the shared libraries it will output
# something like this:
# libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb75a1000)
# libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb744c000)
# or this:
# libssl.so.1.0.0 => /usr/local/ssl/lib64/libssl.so.1.0.0 (0x00007f92f53d9000)
# libcrypto.so.1.0.0 => /usr/local/ssl/lib64/libcrypto.so.1.0.0 (0x00007f92f4ffa000)
# or this:
# libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f7ad294a000)
# libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f3100efd000)
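The lsof and ldd checks above tell you which running programs use libssl/libcrypto. The following script is an added example, not part of the original HOWTO: it reads /proc/PID/maps directly and additionally flags mappings whose file has been replaced or removed on disk, which is exactly the set of daemons still running the pre-upgrade library and needing a restart. It assumes a Linux /proc; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the HOWTO: list running processes that map an
# OpenSSL shared library, and flag the ones whose mapped file has since been
# replaced or removed on disk ("(deleted)" in /proc/PID/maps). Those still
# execute the pre-upgrade code and must be restarted for a security fix to
# take effect. Assumes Linux /proc; run as root to see every process.

# Classify one line of /proc/PID/maps. Prints "stale" for a libssl/libcrypto
# mapping whose file no longer exists, "current" for one still on disk, and
# nothing for any other mapping.
classify_map_line() {
    line=$1
    case $line in
        */libssl.so*|*/libcrypto.so*) ;;
        *) return 0 ;;
    esac
    case $line in
        *'(deleted)'*) echo stale ;;
        *) echo current ;;
    esac
}

# Print the pathname part of a maps line (everything after the five fixed
# fields: address, perms, offset, dev, inode), keeping any "(deleted)" tag.
map_line_path() {
    line=$1
    set -f            # no globbing while the line is split into words
    set -- $line
    set +f
    shift 5
    printf '%s\n' "$*"
}

# Report the OpenSSL mappings in one maps listing read from stdin.
# $1 = PID, $2 = command name. Output: PID TAB COMMAND TAB STATE TAB PATH.
# A process maps each library in several segments; sort -u on the path
# field collapses them to one line per (process, library).
report_mappings() {
    pid=$1; comm=$2
    grep -E '/lib(ssl|crypto)\.so' | sort -u -k6 |
    while read -r line; do
        state=$(classify_map_line "$line")
        [ -n "$state" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$state" "$(map_line_path "$line")"
    done
}

# Walk every process in /proc (unreadable ones are skipped silently).
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        report_mappings "$pid" "$comm" < "$maps"
    done
}

# Just the processes that need a restart.
list_stale_openssl_users() {
    scan_running_processes | awk -F'\t' '$3 == "stale"' | sort -u
}

case ${1:-} in
    --all)   scan_running_processes ;;    # every OpenSSL user, stale or not
    --stale) list_stale_openssl_users ;;  # only what must be restarted
esac
```

Run it as root right after 'make install' and ldconfig: `sh openssl-maps-check.sh --stale` prints the PID, command and old library path of everything that still has the replaced file mapped.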
## If you run BIND named in a chroot jail, you may need to copy the
## shared library files there
# mkdir -p /named/files/are/in/here/usr/local/lib64/engines-1.1
# find /usr/local/lib64/ -maxdepth 1 -name libcrypto.* # -exec cp -p {} /named/files/are/in/here/usr/local/lib64/ \;
# find /usr/local/lib64/ -maxdepth 1 -name libssl.* # -exec cp -p {} /named/files/are/in/here/usr/local/lib64/ \;
# find /usr/local/lib64/engines-1.1/ -type f # -exec cp -p {} /named/files/are/in/here/usr/local/lib64/engines-1.1/ \;
## Example of doing all of it with BIND chroot in /var/named
test -d /var/named/usr/local/lib64/engines-1.1 &&
( cd /var/named/usr/local/lib64/engines-1.1
# (the -o alternatives need parentheses, otherwise -exec only applies to libssl.*)
find /usr/local/lib64 -maxdepth 1 -type f \( -name "libcrypto.*" -o -name "libssl.*" \) -exec cp -a {} . \;
find /usr/local/lib64/engines-1.1 -type f -exec cp -a {} . \; )
# Become your non-root user again
exit
# If you created a /etc/profile.d/openssl.sh, source it to add the
# appropriate directories to your current shell's PATH, MANPATH, and
# PKG_CONFIG_PATH
test -f /etc/profile.d/openssl.sh && . /etc/profile.d/openssl.sh
# Here are some daemon-type programs that are commonly linked with OpenSSL
# libraries:
#
# Apache 2.x's httpd (named 'apache2' in Ubuntu)
# BIND's named (and dig, host, ...)
# CUPS' cupsd
# Cyrus IMAP's master, fud, imapd, lmtpd, pop3d
# Cyrus SASL's saslauthd
# fetchmail (when running as a daemon)
# IMAP Proxy's in.imapproxyd
# MySQL's mysqld
# NTP's ntpd
# NUT's upsd, upsmon, usbhid-ups, ...
# OpenLDAP's slapd and slurpd
# OpenSSH's sshd
# Postfix's master, qmgr, pickup
# ProFTPD
# Python (e.g. Mailman)
# Samba's smbd and nmbd
# sendmail
# stunnel
# syslog-ng
# ucd/net-snmp's snmpd
# vsftpd
#
# Here are some non-daemon apps that may be linked with openssl:
#
# curl
# lftp
# links
# lynx
# nail, mailx's /bin/mail
# neon
# Pine/Alpine/Re-Alpine
# Python
# tcpdump
# wget
# Creating SSL certs for an application to use
# ============================================
# Make sure /usr/local/ssl/bin is in your PATH (or whatever directory has
# the openssl binary in it):
echo $PATH | grep -q "/usr/local/ssl/bin" ||
export PATH=$PATH:/usr/local/ssl/bin
# OpenSSL installed from source is installed under /usr/local/ssl by
# default, leaving the openssl binary in /usr/local/ssl/bin. If you are
# using a distribution package, or it was installed from source under the
# /usr prefix, your openssl binary will be in /usr/bin, which is usually
# in the PATH by default. In /usr prefix installations, CA.pl may be
# in /etc/ssl/misc as in Slackware or /usr/lib/ssl/misc as in Ubuntu.
# I typically modify CA.pl with these changes:
# - Change $DAYS if you want (self-signed) certificates longer than 1 year
# - Change $CADAYS if you want the CA to exist longer than 3 years
# - Change $CATOP if you want the CA files to go somewhere other than
# ~/demoCA/
# - This is not an issue with recent releases, but if your OpenSSL uses a
# default of 1024 bits, to change the CA from 1024 to 2048 bits, somewhere
# around row 114 you'll find something like this:
# print "Making CA certificate ...\n";
# system ("$REQ -new -keyout " .
# "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
# Replace "-new" with "-newkey rsa:2048"
# And I modify /usr/local/ssl/openssl.cnf with a few:
# - Any paths I need changed, including demoCA (dir = ) as changed in CA.pl
# - default_days to whatever is set in CA.pl
# - default_bits if using something other than 1024 bit CSRs
# - If you want to pre-fill your country, state, town, etc. for certs you
# can do that in there
# Move any old files out of the way if creating a new CA or keys, certs
cd
test -d ./demoCA.old2 && rm -r ./demoCA.old2/
test -d ./demoCA.old && mv -f ./demoCA.old ./demoCA.old2
test -d ./demoCA && mv -f ./demoCA ./demoCA.old
test -f newcert.pem && mv -f newcert.pem newcert.pem.old
test -f newreq.pem && mv -f newreq.pem newreq.pem.old
test -f newkey.pem && mv -f newkey.pem newkey.pem.old
# Create a CA - certificate authority, to self-sign certificates
/usr/local/ssl/misc/CA.pl -newca
# <enter>
# <CA password - make up one>
# <CA password again>
# Country Code (US)
# State or Province (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization Name (foo.org)
# Organizational Unit name (root)
# Common Name (foo.org CA)
# E-mail address (root@foo.org)
# <enter>
# <enter>
# <CA password>
# Create a CSR (certificate signing request) and a new private key with
# no password (so you don't have to enter the password when you start
# Apache or whatever it is). Output files will be newreq.pem and newkey.pem
/usr/local/ssl/misc/CA.pl -newreq-nodes
# Country Code (US)
# State or Province Name (New Jersey)
# City, Town, Borough, whatever (Fooville)
# Organization (foo.org)
# Organizational Unit Name (root, postmaster, webmaster, etc.)
# Certificate name (serverhostnameorappropriatecname.foo.org)
# E-mail address (root@foo.org)
# <enter>
# <enter>
# Now if you need to get a certificate from CAcert or another certificate
# authority, you will probably need to go to their web site and cut and
# paste the contents of the newreq.pem file in order for them to create
# your certificate, which they then generally e-mail to you, or e-mail you
# to go to a web page to download it. Just be aware that if you modified
# $DAYS above, that will have no effect on whoever you pay to sign your SSL
# certificate; that would only matter if you self-sign yours.
#
# Save the certificate, for now, as newcert.pem
# If you are not using a non-free CA or CAcert, you can self-sign the
# CSR to get you a newcert.pem
/usr/local/ssl/misc/CA.pl -sign
# <CA password>
# y
# y
# If you will be using your own CA to sign and verify certificates, you
# will need to keep everything in ./demoCA/. Otherwise, you can remove that,
# but I would recommend backing it up first. You may find that you need
# it later... Same goes for the CSR, key, and cert files. You may find
# too that you need to convert from one format to another depending on
# what you are using it for.
# ./demoCA/ also holds the files that OpenSSL uses to verify certificates
# that it has signed and to create CRLs.
# Once you copy the *.pem files to whatever location is configured for the
# application (Apache, sendmail, Cyrus-IMAP, whatever), you can remove the
# originals after maybe saving a backup copy and ./demoCA/ if you won't be
# using your own CA again.