How do I use OpenSSL 1.1.1 in Ubuntu 22.04?


In my case, I faced a similar issue because of the move from OpenSSL 1.1.x to 3.x, with errors such as:

VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak

However, I still wanted to use the graphical network manager provided by GNOME, so I did the trick mentioned by Gustavo, then built a new OpenVPN version with OpenSSL 1.1.1:

# Move to temp folder
cd /tmp

# get dependencies
sudo apt install libssl-dev liblzo2-dev libpam0g-dev

OpenSSL

Reason for the updated version: I tried with another Ubuntu 22.04 install, but failed to build the OpenSSL 1.1.1l library as I did in the previous version (see the Old version section below). This time, it failed during make test with an error on the test 80-test_ssl_new, with the following output: ../test/recipes/80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100). After investigation, it seems that because of the upgrade of the perl package on Ubuntu 22.04 to 5.34, the @INC perl module is missing, due to a security issue.

Anyway, instead of trying to solve this new issue, I simply downloaded the Impish binary instead of trying to build it from scratch:

# download binary openssl packages from Impish builds
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1l-1ubuntu1.6_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.1.1l-1ubuntu1.6_amd64.deb

# install downloaded binary packages
sudo dpkg -i libssl-dev_1.1.1l-1ubuntu1.6_amd64.deb
sudo dpkg -i openssl_1.1.1l-1ubuntu1.6_amd64.deb

In that case, you can directly use those old-version packages to build OpenVPN with the correct dependencies.

OpenVPN

Now that OpenSSL is at version 1.1.1l, as with 21.10 Impish, I can build an OpenVPN binary using the 1.1.1l libraries:

# Get OpenVPN sources from Ubuntu 22.04 Jammy
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openvpn/2.5.5-1ubuntu3/openvpn_2.5.5.orig.tar.xz

# Extract files
tar -xvf openvpn_2.5.5.orig.tar.xz

# build openvpn 2.5.5
# the tarball was extracted in /tmp, so enter the source tree there
cd /tmp/openvpn-2.5.5/
./configure
make -j 4 && sudo make install

# refresh cache
hash -r

# check version
/usr/local/sbin/openvpn --version
ldd /usr/bin/openssl
ldd /usr/local/sbin/openvpn

At this stage, I was able to connect to my VPN using existing certificates. However, the graphical network manager was still using the default OpenVPN 2.5.5 version based on OpenSSL 3.x.

Gnome

I found that network manager was always targeting the binary in /usr/sbin, so I made a backup and then symlinked the built OpenVPN:

# make a backup of the default OpenVPN 2.5.5 before replacing it
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn-2.5.5_default

# Symlink new OpenVPN client built with OpenSSL 1.1.1l library
sudo ln -s /usr/local/sbin/openvpn /usr/sbin/openvpn

Clean up

If you used the OpenSSL binary from Impish, you should now do a sudo apt update && sudo apt upgrade to recover the newest version of this package. It should not break your brand old OpenVPN version.

Old version of this article

OpenSSL

This is the old version of the OpenSSL part above:

# Get OpenSSL sources from Ubuntu 21.10 Impish
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openssl/1.1.1l-1ubuntu1.6/openssl_1.1.1l.orig.tar.gz

# Extract files
tar -xvf openssl_1.1.1l.orig.tar.gz

# build openssl 1.1.1l
cd /tmp/openssl-1.1.1l/
./config shared enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
make -j 4
make test && sudo make install

# refresh cache
hash -r

# check version
/usr/local/ssl/bin/openssl <<< version

# symlink binary for path resolution
sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl

OpenVPN

This is the old version of the OpenVPN part above. Now that OpenSSL is at version 1.1.1l, as with 21.10 Impish, I can build an OpenVPN binary using the 1.1.1l libraries:

# Get OpenVPN sources from Ubuntu 22.04 Jammy
cd /tmp
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openvpn/2.5.5-1ubuntu3/openvpn_2.5.5.orig.tar.xz

# Extract files
tar -xvf openvpn_2.5.5.orig.tar.xz

# build openvpn 2.5.5 against the OpenSSL 1.1.1l installed in /usr/local/ssl
# (CFLAGS must be in configure's environment, so it goes on the same command line)
cd /tmp/openvpn-2.5.5/
CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure
make -j 4 && sudo make install

# refresh cache
hash -r

# check version
/usr/local/sbin/openvpn --version
ldd /usr/local/bin/openssl
ldd /usr/local/sbin/openvpn
Author by

Keeley Hoek


Updated on January 04, 2023
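
A check for the outcome of the steps in the answer above, as an added example that is not part of the original post: it reports which OpenSSL series a binary is dynamically linked against, following symlinks first, so you can confirm what NetworkManager will really run from /usr/sbin/openvpn. The function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): report which OpenSSL series a
# binary is dynamically linked against, based on its `ldd` output.

# Sample ldd output, constructed for illustration (paths/addresses are made up).
SAMPLE_LDD_11='    linux-vdso.so.1 (0x00007ffd00000000)
    liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007f0000300000)
    libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000200000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)'
SAMPLE_LDD_3='    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f0000200000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)'

# openssl_series: read ldd output on stdin; print "1.1", "3", ... when every
# libssl/libcrypto entry agrees, "mixed" when they differ, "none" when absent.
openssl_series() {
  awk '
    $1 ~ /^lib(ssl|crypto)\.so\./ {
      v = $1; sub(/^lib(ssl|crypto)\.so\./, "", v); seen[v] = 1
    }
    END {
      n = 0; for (v in seen) { n++; last = v }
      if (n == 0) print "none"; else if (n == 1) print last; else print "mixed"
    }'
}

# check_binary PATH: follow symlinks (e.g. /usr/sbin/openvpn -> /usr/local/sbin/openvpn)
# and classify the file that will really be executed.
# ldd may execute code from the file it inspects, so only use it on binaries you trust.
check_binary() {
  real=$(readlink -f -- "$1") || return 1
  [ -x "$real" ] || { echo "$1: not an executable file" >&2; return 1; }
  printf '%s -> %s: OpenSSL %s\n' "$1" "$real" "$(ldd "$real" | openssl_series)"
}

# With arguments, check each path, e.g.: sh check.sh /usr/sbin/openvpn /usr/bin/openssl
for bin in "$@"; do
  check_binary "$bin" || exit 1
done
```

Run it on /usr/sbin/openvpn after the symlink step and again after the clean-up `apt upgrade`: a result of 3 means the path points at an OpenSSL 3.x build again.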

Comments

  • Keeley Hoek 10 months

    I understand that Ubuntu 22.04 upgraded to OpenSSL 3.0. This has broken my university's secure WiFi access point joining script because some insecure algorithms have been disabled by default. I don't want to downgrade to version 1.1.1, but instead install 1.1.1 alongside 3.0 ideally under an alias like openssl1 (just as I can with e.g. python2 and python3) and then hack the script to use openssl1.

    What's the closest thing to a supported way to do this?

    • Admin over 1 year
      I had the same issue with a monitoring tool (falcon-sensor) from the company I work for. Following the Ubuntu steps in this tutorial did the trick for me.
    • Admin over 1 year
      I found the solution for this on Stack Overflow, and hopefully it will work for you too. stackoverflow.com/a/72633324/8624381
  • Admin over 1 year
    Following your instructions, apt cannot find the libam0g-dev package.