How do I use OpenSSL 1.1.1 in Ubuntu 22.04?
In my case, I faced a similar issue because of the OpenSSL move from 1.1.x to 3.x, with errors such as:
VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak
However, I still wanted to use the graphical network manager provided by GNOME, so I did the trick mentioned by Gustavo, then built a new OpenVPN version with OpenSSL 1.1.1:
# Move to temp folder
cd /tmp
# get dependencies
sudo apt install libssl-dev liblzo2-dev libpam0g-dev
OpenSSL
Reason for the updated version: I tried with another Ubuntu 22.04 install, but failed to build the openssl 1.1.1l library as I did in the previous version (see the Old version section below). This time, it failed during the make test with an error on the test 80-test_ssl_new, with the following output: ../test/recipes/80-test_ssl_new.t .................. Dubious, test returned 1 (wstat 256, 0x100).
After investigation, it seems that because of the upgrade of the perl package on Ubuntu 22.04 to 5.34, the @INC perl module is missing, due to a security issue.
Anyway, instead of trying to solve this new issue, I simply downloaded the Impish binary instead of trying to build it from scratch:
# download binary openssl packages from Impish builds
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1l-1ubuntu1.6_amd64.deb
wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.1.1l-1ubuntu1.6_amd64.deb
# install downloaded binary packages
sudo dpkg -i libssl-dev_1.1.1l-1ubuntu1.6_amd64.deb
sudo dpkg -i openssl_1.1.1l-1ubuntu1.6_amd64.deb
In that case, you can directly use those old-version packages to build OpenVPN with the correct dependencies.
OpenVPN
Now that OpenSSL is at version 1.1.1l, as with 21.10 Impish, I can build an OpenVPN binary using the 1.1.1l libraries:
# Get OpenVPN sources from Ubuntu 22.04 Jammy
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openvpn/2.5.5-1ubuntu3/openvpn_2.5.5.orig.tar.xz
# Extract files
tar -xvf openvpn_2.5.5.orig.tar.xz
# build openvpn 2.5.5
cd /tmp
cd openvpn-2.5.5/
./configure
make -j 4 && sudo make install
# refresh cache
hash -r
# check version
/usr/local/sbin/openvpn --version
ldd /usr/bin/openssl
ldd /usr/local/sbin/openvpn
At this stage, I was able to connect to my VPN using existing certificates; however, the graphical network manager was still using the default OpenVPN 2.5.5 version based on OpenSSL 3.x.
Gnome
I found that the network manager was always targeting the binary in /usr/sbin, so I made a backup and then symlinked the built OpenVPN:
# make a backup of default OpenVPN 2.5.5 before replace
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn-2.5.5_default
# Symlink new OpenVPN client built with OpenSSL 1.1.1l library
sudo ln -s /usr/local/sbin/openvpn /usr/sbin/openvpn
Clean up
If you used the OpenSSL binary from Impish, you should now do a sudo apt update && sudo apt upgrade to recover the newest version of this package.
It should not break your brand old OpenVPN version.
Old version of this article
OpenSSL
This is the old version of the OpenSSL part above:
# Get OpenSSL sources from Ubuntu 21.10 Impish
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openssl/1.1.1l-1ubuntu1.6/openssl_1.1.1l.orig.tar.gz
# Extract files
tar -xvf openssl_1.1.1l.orig.tar.gz
# build openssl 1.1.1l
cd /tmp/openssl-1.1.1l/
./config shared enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
make -j 4
make test && sudo make install
# refresh cache
hash -r
# check version
/usr/local/ssl/bin/openssl <<< version
# symlink binary for path resolution
sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
OpenVPN
This is the old version of the OpenVPN part above. Now that OpenSSL is at version 1.1.1l, as with 21.10 Impish, I can build an OpenVPN binary using the 1.1.1l libraries:
# Return to the temp folder, then get OpenVPN sources from Ubuntu 22.04 Jammy
cd /tmp
wget https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openvpn/2.5.5-1ubuntu3/openvpn_2.5.5.orig.tar.xz
# Extract files
tar -xvf openvpn_2.5.5.orig.tar.xz
# build openvpn 2.5.5 against the OpenSSL 1.1.1l installed under /usr/local/ssl
cd openvpn-2.5.5/
# CFLAGS must be on the same command line as ./configure to reach it
CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure
make -j 4 && sudo make install
# refresh cache
hash -r
# check version
/usr/local/sbin/openvpn --version
ldd /usr/local/bin/openssl
ldd /usr/local/sbin/openvpn
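To confirm which OpenSSL branch each OpenVPN binary actually loads after the steps above, the ldd checks can be scripted. This is an added example, not part of the original answer; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): report which OpenSSL branch a
# binary is dynamically linked against, based on ldd output.

# Read ldd output on stdin; print "<soname> <path>" for the first libssl entry.
# A library the loader cannot resolve is reported with the path "not-found".
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so\./ && $2 == "=>" {
        if ($3 == "not") print $1, "not-found"; else print $1, $3
        exit
    }'
}

# Map a libssl soname to the OpenSSL release branch it belongs to.
openssl_branch() {
    case "$1" in
        libssl.so.3*)   echo "3.x" ;;
        libssl.so.1.1*) echo "1.1.x" ;;
        "")             echo "none" ;;
        *)              echo "unknown" ;;
    esac
}

# Read ldd output on stdin; print "<branch> <resolved path or ->".
classify_ldd() {
    found=$(libssl_from_ldd)
    soname=${found%% *}
    path=${found#* }
    [ -n "$found" ] || path="-"
    echo "$(openssl_branch "$soname") $path"
}

# Resolve symlinks for one binary, then classify it; absent files are reported.
audit_binary() {
    [ -e "$1" ] || { echo "$1: not present"; return 0; }
    real=$(readlink -f "$1")
    echo "$1 -> $real : $(ldd "$real" 2>/dev/null | classify_ldd)"
}

# Constructed sample of ldd output for a binary built against /usr/local/ssl.
classify_ldd <<'EOF'
	linux-vdso.so.1 (0x00007ffc12345000)
	libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f0000200000)
	libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f0000000000)
EOF

# The two paths the answer touches: the NetworkManager target and the new build.
audit_binary /usr/sbin/openvpn
audit_binary /usr/local/sbin/openvpn
```

Re-running it after a package upgrade shows whether /usr/sbin/openvpn still resolves to the locally built binary or has gone back to the distribution build linked against 3.x.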
Keeley Hoek
I'm a first year graduate student at Harvard studying pure mathematics.
Updated on January 04, 2023
Comments
-
Keeley Hoek 10 months
I understand that Ubuntu 22.04 upgraded to OpenSSL 3.0. This has broken my university's secure WiFi access point joining script because some insecure algorithms have been disabled by default. I don't want to downgrade to version 1.1.1, but instead install 1.1.1 alongside 3.0, ideally under an alias like openssl1 (just as I can with e.g. python2 and python3) and then hack the script to use openssl1. What's the closest thing to a supported way to do this?
-
Admin over 1 year
I had the same issue with a monitoring tool (falcon-sensor) from the company for which I work. Following the Ubuntu steps in this tutorial did the trick for me.
-
Admin over 1 year
I found the solution for this on Stack Overflow, and hopefully it will work for you too: stackoverflow.com/a/72633324/8624381
-
Admin over 1 year
Following your instructions, apt cannot find the libam0g-dev package.