Upgrade OpenSSL to the latest version

In this tutorial I will show you how to upgrade OpenSSL to the latest version (cPanel).

Upgrading OpenSSL carries some risk because it is linked to so many other services, so you have to do it safely and without affecting anything. I have tested several methods, and here is the easy way to do this.

My current SSL version.

-bash-4.1# openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Mar 4 22:19:53 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: aesni dynamic

When upgrading, the one thing you have to make sure of is that the “OPENSSLDIR” and the “options” stay the same. It is not a problem if the newer version has more options, but all of the existing options must still be present.

So let’s upgrade. The easy method that I mentioned is given below.

Install the “Axivo” repo.

-bash-4.1# rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Retrieving http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Preparing... ########################################### [100%]
 1:axivo-release ########################################### [100%]

This repository has the latest OpenSSL version, which is “OpenSSL 1.0.1e”. You just need to update the existing package using “yum”. One thing I love about “yum update” is that it updates the existing version without changing the path or other environment variables, so it is completely safe to use rather than doing a manual upgrade. Just execute the command below and that will do the trick.

-bash-4.1# yum --enablerepo=axivo update openssl

That’s it! Now check your OpenSSL version.

-bash-4.1# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 25 19:36:42 EDT 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -m64 -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax dynamic
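
To check the rule stated earlier (same OPENSSLDIR, no existing option lost) without comparing the two outputs by eye, here is an added example that is not part of the original tutorial. The function names and temporary file names are made up for this illustration, and the sample input is the options and OPENSSLDIR lines copied from the two outputs above.

```shell
#!/bin/sh
# Print the value of one "name: value" line, e.g. options or OPENSSLDIR.
field() {            # usage: field <name> <file>
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# Print the build options one per line, e.g. "bn(64,64)".
options_list() {     # usage: options_list <file>
    field options "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every option present before the upgrade but absent afterwards.
missing_options() {  # usage: missing_options <before> <after>
    new_opts=$(options_list "$2")
    for opt in $(options_list "$1"); do
        printf '%s\n' "$new_opts" | grep -Fxq -e "$opt" || printf '%s\n' "$opt"
    done
}

# Return 0 only if OPENSSLDIR is unchanged and no old option was dropped.
check_upgrade() {    # usage: check_upgrade <before> <after>
    rc=0
    old_dir=$(field OPENSSLDIR "$1")
    new_dir=$(field OPENSSLDIR "$2")
    if [ -z "$old_dir" ] || [ "$old_dir" != "$new_dir" ]; then
        echo "OPENSSLDIR differs: '$old_dir' -> '$new_dir'" >&2
        rc=1
    fi
    lost=$(missing_options "$1" "$2")
    if [ -n "$lost" ]; then
        echo "options missing after upgrade: $lost" >&2
        rc=1
    fi
    return "$rc"
}

# Sample input: the options and OPENSSLDIR lines from the two outputs on this page.
work=$(mktemp -d)
cat > "$work/before.txt" <<'EOF'
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
OPENSSLDIR: "/etc/pki/tls"
EOF
cat > "$work/after.txt" <<'EOF'
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
OPENSSLDIR: "/etc/pki/tls"
EOF
check_upgrade "$work/before.txt" "$work/after.txt" && echo "upgrade keeps OPENSSLDIR and all options"
```

On a real server, save the output of openssl version -a to a file before running the yum update and to a second file afterwards, then pass both files to check_upgrade.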
