How to upgrade OpenSSL in CentOS 6.5 / Linux / Unix from source?
Solution 1
./config --prefix=/usr --openssldir=/usr/local/openssl shared
Try this config line instead to overwrite the default. It installs to prefix /usr/local/ssl by default in your setup when you leave off the prefix. You probably have "/usr/local/ssl/bin/openssl" instead of overwriting /usr/bin/openssl. You can also use /usr/local for prefix instead, but you would need to adjust your path accordingly if that is not already on your path. Here is the INSTALL documentation:
$ ./config
$ make
$ make test
$ make install
[If any of these steps fails, see section Installation in Detail below.]
This will build and install OpenSSL in the default location, which is (for
historical reasons) /usr/local/ssl. If you want to install it anywhere else,
run config like this:
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
https://github.com/openssl/openssl/blob/master/INSTALL http://heartbleed.com/
Solution 2
The fix for the heartbleed vulnerability has been backported to 1.0.1e-16 by Red Hat for Enterprise Linux see, and this is therefore the official fix that CentOS ships.
Replacing OpenSSL with the latest version from upstream (i.e. 1.0.1g) runs the risk of introducing functionality changes which may break compatibility with applications/clients in unpredictable ways, causes your system to diverge from RHEL, and puts you on the hook for personally maintaining future updates to that package. By replacing openssl using a simple make config && make && make install means that you also lose the ability to use rpm to manage that package and perform queries on it (e.g. verifying all the files are present and haven't been modified or had permissions changed without also updating the RPM database).
I'd also caution that crypto software can be extremely sensitive to seemingly minor things like compiler options, and if you don't know what you're doing, you could introduce vulnerabilities in your local installation.
Solution 3
To manually compile OpenSSL, do as follows:
$ cd /usr/src
$ wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz
$ tar -zxf openssl-1.0.1g.tar.gz
$ cd openssl-1.0.1g
$ ./config
$ make
$ make test
$ make install
$ openssl version
If it shows the old version, do the steps below.
$ mv /usr/bin/openssl /root/
$ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version
OpenSSL 1.0.1g 7 Apr 2014
http://olaitanmayowa.com/heartbleed-how-to-upgrade-openssl-in-centos/
Solution 4
sudo yum update openssl is all you need.
This will bring you up to openssl-1.0.1e-16.el6_5.7.
You need to restart Apache after the update. Or better yet, reboot the box if possible, so that all applications that use OpenSSL will load the new version.
Solution 5
The only thing you have to do is perform an yum update.
It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.
To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
you should see the following:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Make sure you reboot the server because important services such as Apache and SSH use openSSL.
Mostafa
Updated on July 08, 2022Comments
-
Mostafa almost 2 years
How do I upgrade OpenSSL in CentOS 6.5?
I have used these commands, but nothings happens:
cd /usr/src wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz tar -zxf openssl-1.0.1g.tar.gz cd openssl-1.0.1g ./config make make test make install cd /usr/src rm -rf openssl-1.0.1g.tar.gz rm -rf openssl-1.0.1gAfter using this command, I get the old version
openssl version