OpenSSL目前处于LTS 1.0.2系列和1.1.1系列并存的状态,前者将在2019年底完成使命退出支持,而1.1.1的LTS版本将会支持至2023年9月11号为止。在yum或者apt-get的源仓库没有提供相关二进制安装包的情况下,最简单的更新方式就是从源码编译并更新了。这篇文章以CentOS 7.6为例,介绍一下如何将openssl升级至1.1.1版本。
[root@host121 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@host121 ~]# rpm -qa |grep -i openssl
openssl-1.0.2k-16.el7.x86_64
openssl-libs-1.0.2k-16.el7.x86_64
[root@host121 ~]#
yum info确认
使用yum info显示安装包信息:
[root@host121 ~]# yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirror.bit.edu.cn
* updates: ap.stykers.moe
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.2k
Release : 19.el7
Size : 814 k
Repo : installed
From repo : base
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
[root@host121 ~]#
源码编译方式更新openssl
事前准备
安装编译所需要的依赖:
执行命令:yum install make gcc perl pcre-devel zlib-devel -y
步骤1: 下载源码的压缩包文件
执行命令:wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
下载完成后,建议先对照官网发布的SHA256校验值或PGP签名确认压缩包完整且未被篡改,再进行解压和编译。
[root@host121 ~]# ls openssl-1.1.1d.tar.gz
openssl-1.1.1d.tar.gz
[root@host121 ~]# tar xvf openssl-1.1.1d.tar.gz
...
openssl-1.1.1d/util/unlocal_shlib.com.in
[root@host121 ~]#
步骤2: 编译并生成可执行文件
执行命令:cd openssl-1.1.1d && ./config && make && make install
(未指定安装路径时,从下面的日志可以看到文件被安装到/usr/local之下,系统原有的rpm包不会被覆盖。)
执行日志示例如下所示:
[root@host121 ~]# cd openssl-1.1.1d && ./config && make && make install
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1d (0x1010104fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" crypto/include/internal/bn_conf.h.in > crypto/include/internal/bn_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" crypto/include/internal/dso_conf.h.in > crypto/include/internal/dso_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" include/openssl/opensslconf.h.in > include/openssl/opensslconf.h
make depend && make _all
make[1]: Entering directory `/root/openssl-1.1.1d'
make[1]: Leaving directory `/root/openssl-1.1.1d'
make[1]: Entering directory `/root/openssl-1.1.1d'
gcc -I. -Iinclude -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -DNDEBUG -MMD -MF apps/app_rand.d.tmp -MT apps/app_rand.o -c -o apps/app_rand.o apps/app_rand.c
...省略
/usr/local/share/doc/openssl/html/man7/ssl.html
/usr/local/share/doc/openssl/html/man7/x509.html
[root@host121 openssl-1.1.1d]#
步骤3: 设定LD_LIBRARY_PATH并确认版本信息
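根据需要设定环境变量,并将其设定到/etc/profile或者个人用户的profile中即可。需要注意的是,写入/etc/profile会影响所有登录用户的shell环境,而不经过登录shell启动的服务不会读取该设定。另外,系统自带的openssl和openssl-libs(1.0.2k)的rpm包依然保留,依赖它们的程序仍会使用旧版本的库,这部分的安全更新仍需通过yum获取;源码安装的1.1.1版本今后也需要自行跟进更新。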
[root@host121 openssl-1.1.1d]# export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
[root@host121 openssl-1.1.1d]# echo "export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64" >>/etc/profile
[root@host121 openssl-1.1.1d]#
[root@host121 openssl-1.1.1d]# openssl version
OpenSSL 1.1.1d 10 Sep 2019
[root@host121 openssl-1.1.1d]#
参考内容
https://www.openssl.org/source/
