openssl-1.1 - The Open Source toolkit for SSL/TLS, version 1.1.x ChangeLog
Repository:https://github.com/openssl/openssl/tree/OpenSSL_1_1_1w

HOWTO


# OpenSSL 1.1.1w (previous LTS version)
# ==============
# See the main OpenSSL HOWTO for information that applies to all releases

# OpenSSL 1.1.1 is no longer supported, was supported until 2023-09-11
#
# Do not use this one, upgrade to a supported release:
# OpenSSL Release Strategy

# OpenSSL 1.1.1 End of Life
# OpenSSL 1.1.1 Series Release Notes
# OpenSSL 1.1.1 Series ChangeLog
# openssl-announce: OpenSSL version 1.1.1w published
# Migration Guide (look for "Upgrading from OpenSSL ______")

# If you did not specify a prefix when running the configure script for
# OpenSSL prior to 1.1.0, everything would end up under /usr/local/ssl
#
# From 1.1.0 onward, prefix /usr/local is used by default, and openssldir is
# prefix/ssl, so here is before:
#
#   /usr/local/ssl/bin
#   /usr/local/ssl/certs
#   /usr/local/ssl/include/openssl
#   /usr/local/ssl/lib
#   /usr/local/ssl/lib/engines
#   /usr/local/ssl/lib/pkgconfig
#   /usr/local/ssl/man
#   /usr/local/ssl/misc
#   /usr/local/ssl/private
#
# and here is after:
#
#   /usr/local/bin
#   /usr/local/include/openssl
#   /usr/local/lib
#   /usr/local/lib/engines-*
#   /usr/local/lib/pkgconfig
#   /usr/local/share/doc/openssl
#   /usr/local/share/man
#   /usr/local/ssl/certs
#   /usr/local/ssl/misc
#   /usr/local/ssl/private

# Get the tarball
cd
test -f installed/openssl-1.1.1w.tar.gz &&
mv installed/openssl-1.1.1w.tar.gz .
test ! -f openssl-1.1.1w.tar.gz &&
wget https://github.com/openssl/openssl/releases/download/\
OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz

# Verify tarball w/ sha256sum:
# (if already installed, this works too: openssl sha256 openssl-1.1.1w.tar.gz)
# (and this too: shasum -a 256 openssl-1.1.1w.tar.gz)
# (and this too:
#  php -r "echo hash_file('sha256', 'openssl-1.1.1w.tar.gz') . PHP_EOL;")
echo "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76a\
c8  openssl-1.1.1w.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
# (the following key, as this is written, is located here:
#  https://keys.openpgp.org/search?q=openssl-omc%40openssl.org)
( gpg --list-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 > /dev/null 2>&1 ||
gpg --keyserver keys.openpgp.org \
  --recv-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 ) &&
wget -nc https://github.com/openssl/openssl/releases/download/\
OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz &&
  gpg --verify openssl-1.1.1w.tar.gz.asc && rm openssl-1.1.1w.tar.gz.asc

# Extract the source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "openssl-*" -exec rm -r {} \;
tar xzvf ~/openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
test $UID = 0 && chown -R root:root .

## Configure and then build it

# Be aware, OpenSSL does _not_ use autoconf, automake, libtool, etc.  See
# here for more info:
# less ./INSTALL
# OpenSSL Wiki - Compilation and Installation

# If you run config with --libdir=lib64, anywhere lib is shown will become
# lib64.
#
# If you want to go with the default, don't specify --prefix or
# --openssldir, or use --prefix=/usr/local and --openssldir=/usr/local/ssl
#
# If you want to stick with everything going under /usr/local/ssl as it did with
# versions < 1.1.0, use --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
#
# If you want to install it where Slackware does, use --prefix=/usr
# --openssldir=/etc/ssl

# As of 1.1.0, shared (.so) builds are default, prior to that static (.a)
# libraries were the default, './config shared' is no longer needed (but
# still works).  If you do _not_ want shared libraries, use 'no-shared'.

# If you are upgrading from 1.1.x to 3.0.x, shared library files go from
# libcrypto.so.1.1.0 and libssl.so.1.1.0 to .3  There are symlinks like
# libssl.so and libssl.so.1, but anything linked to the real filenames
# like libssl.so.1.1.0 will be broken if you remove those old files.

# Configure it for 64-bit systems
test $(uname -m) = "x86_64" && ./config --libdir=lib64

# Configure it for anything else
test $(uname -m) != "x86_64" && ./config

# Do this if you want to change the man page location from $prefix/share/man
# to $prefix/man (/usr/local/man) and the doc location from $prefix/share/doc
# to $prefix/doc (/usr/local/doc).  If you have /usr/local/share/{doc,man}
# -> /usr/local/{doc,man} symlinks, not necessary.  You can also pass
# DOCDIR and MANDIR to 'make install'
#
# I use the wildcard matching only so it will fit on an 80 character line.
# Verify the changes by running:
# diff -u Makefile.old Makefile
sed -i.old Makefile \
-e 's%^MANDIR=\(.*\)/share/man$%MANDIR=\1/man%' \
-e 's%^DOCDIR=\(.*\)/share/doc/\(.*\)$%DOCDIR=\1/doc/\2%'

# Build it
# 'make depend' is no longer necessary for >= 1.1.0
make

# Test the build
make test

# Now become root to install it
su

## Remove the Slackware package, if there is one
# If you are installing OpenSSL from source using the default prefix,
# and you have a bunch of things running using a /usr prefix OpenSSL such
# as the Slackware package, the safer bet while still being able to use
# the new one would probably be to only remove the openssl package, leaving
# the openssl-solibs package installed.  If you know for sure that nothing
# is using the shared libraries from openssl-solibs, then remove that
# as well.
test -x /sbin/removepkg && /sbin/removepkg openssl

# Remove old doc files before installing new ones
test -d /usr/local/doc/openssl && rm -r /usr/local/doc/openssl
test -d /usr/local/share/doc/openssl && rm -r /usr/local/share/doc/openssl
test -d /usr/local/ssl/share/doc && rm -r /usr/local/ssl/share/doc
test -d /usr/local/ssl/doc && find /usr/local/ssl/doc -type f -exec rm {} \;

# If you have an old distribution-installed OpenSSL with a /etc/ssl
# configuration directory, back that up and remove it.
# Skip this if you have symlinked /usr/local/ssl/certs to /etc/ssl/certs
# to use the certs in Slackware's ca-certificates package.
# (or back up and remove everything other than certs in there)
test ! -f /var/adm/packages/ca-certificates* &&
test -d /etc/ssl &&
  ( mkdir -p -m 0700 ~/backup/etc-ssl-$(date +%Y%m%d)
    cp -a /etc/ssl/* ~/backup/etc-ssl-$(date +&Y%m%d)/
    rm -r /etc/ssl )

# If /usr/local/ssl/certs is a symlink, remove it temporarily
# (only because 'make install' failed in previous releases)
test -L /usr/local/ssl/certs && rm /usr/local/ssl/certs

# Install the new version
# If you altered the Makefile above, 'make install' is fine
# If not, add this after 'make install'
#  DOCDIR=/usr/local/doc/openssl MANDIR=/usr/local/man
# (or create symlinks:
#  /usr/local/shared/doc -> /usr/local/doc
#  /usr/local/shared/man -> /usr/local/man)
make install

# The FIPS module (and legacy) is installed here:
# /usr/local/lib64/ossl-modules/fips.so
# /usr/local/ssl/fipsmodule.cnf

## If your paths changed as with upgrading from OpenSSL 1.0.x to 1.1.x:

# If your bin directory changed from /usr/local/ssl/bin to /usr/local/bin,
# you can zap /usr/local/ssl/bin:
test -x /usr/local/bin/openssl -a -x /usr/local/ssl/bin/openssl &&
rm -r /usr/local/ssl/bin

# If your includes directory changed from /usr/local/ssl/include/openssl to
# /usr/local/include/openssl, you can zap the old location:
test -d /usr/local/ssl/include -a -d /usr/local/include/openssl &&
rm -r /usr/local/ssl/include

# If your library directory changed from /usr/local/ssl/lib* to
# /usr/local/lib*, copy the old library files in the former to the latter
#
# NOTE: you may need to leave /usr/local/ssl/lib*/engines there if you
# continue to use things linked with libssl.so.1.0 and libcrypto.so.1.0

FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.1.1 &&
test -d /usr/local/ssl/${FOO} &&
( cd /usr/local/ssl/${FOO}
   cp -ai lib*.so.* /usr/local/${FOO}/ &&
    rm -r /usr/local/ssl/${FOO} )
unset FOO

# If you used --prefix=/usr this time, you do not need to update
# /etc/ld.so.conf for the library files to be located

# If you used the default OpenSSL prefix (/usr/local), which would put
# library files in /usr/local/lib*/, make sure that /usr/local/lib* is
# set in /etc/ld.so.conf
# If you have .so.1.1 you might make .so.1 symlinks here, but since the
# "real" files are .so.3 that is not needed, and .so ones were already
# created.
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/${FOO}/libcrypto.so.3 &&
( cd /usr/local/${FOO}
   egrep -q "^/usr/local/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If you used /usr/local/ssl for everything this time, make sure that
# /usr/local/ssl/lib* (lib or lib64) is set in /etc/ld.so.conf
# If you have .so.1.1 you might make .so.1 symlinks here, but since the
# "real" files are .so.3 that is not needed, and .so ones were already
# created.
FOO=lib
test $(uname -m) = "x86_64" && FOO=lib64
test -f /usr/local/ssl/${FOO}/libcrypto.so.3 &&
( cd /usr/local/ssl/${FOO}
   egrep -q "^/usr/local/ssl/${FOO}$" /etc/ld.so.conf ||
     echo "/usr/local/ssl/${FOO}" >> /etc/ld.so.conf )
unset FOO

# If the library path changed, and you did not update /etc/ld.so.conf above,
# do so now

# Update /etc/ld.so.cache
ldconfig

# If you upgraded from a 1.x.x version to a 3.x.x one, you may find
# old libssl.so.1.x.x shared library files in prefix/lib*/.  Make very,
# very sure that nothing else is using those before removing them.
# Apache httpd, sendmail, sshd, master|imapd|lmtpd|lmtpd (Cyrus), syslog-ng,
# and many other things that use OpenSSL may be running right now with
# the 1.x.x shared library files still in use.  You will need to re-build
# and re-install those, and other ones that do not run as a daemon
# like wget, curl, lynx, etc., etc.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# Depending on what prefix you went with, you can read the HTML version of
# all of the OpenSSL man pages with lynx like so.
# The SEE ALSO links in them will be broken because they are using
# localhost, unless you make that copy accessible via a web server on
# localhost of course.  During 'make install', pod2html is run out of
# util/process_docs.pl if you want to delve in to that.
lynx /usr/local/doc/openssl/html/

# You can also read the man pages for 1.1.1 here:
# https://docs.openssl.org/1.1.1/man1/
# https://docs.openssl.org/1.1.1/man3/

# Become your non-root user again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/openssl-*.tar.*
mv openssl-1.1.1w.tar.gz installed/

# Go back to the main OpenSSL HOWTO for "Post-install setup"

List of HOWTOs
Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2025-03-19 9:44pm
Copyright © 2001-2025 Jason Englander. All Rights reserved.
[HTML5]