How do I upgrade OpenSSL in CentOS 6.5?
I have used these commands, but nothing happens:
cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g
After using this command, I get the old version
openssl version
It is easy! Are you downloading the binary file? Download the latest rpm package, openssl-1.0.1e-30.el6.x86_64. Check what the current version is using rpm -q openssl. If this is older, then do rpm -U openssl-1.0.1e-30.el6.x86_64. If yum is configured, update this package in the repo and do yum update openssl. If your repo is in RHN, simply do yum update. openssl-1.0.1g is very old and vulnerable.
sudo yum update openssl
is all you need.
This will bring you up to openssl-1.0.1e-16.el6_5.7.
You need to restart Apache after the update. Or better yet, reboot the box if possible, so that all applications that use OpenSSL will load the new version.
The fix for the heartbleed vulnerability has been backported to 1.0.1e-16 by Red Hat for Enterprise Linux, and this is therefore the official fix that CentOS ships.
Replacing OpenSSL with the latest version from upstream (i.e. 1.0.1g) runs the risk of introducing functionality changes which may break compatibility with applications/clients in unpredictable ways, causes your system to diverge from RHEL, and puts you on the hook for personally maintaining future updates to that package. Replacing openssl using a simple make config && make && make install means that you also lose the ability to use rpm to manage that package and perform queries on it (e.g. verifying all the files are present and haven't been modified or had permissions changed without also updating the RPM database).
I'd also caution that crypto software can be extremely sensitive to seemingly minor things like compiler options, and if you don't know what you're doing, you could introduce vulnerabilities in your local installation.
To manually compile OpenSSL, do as follows:
$ cd /usr/src
$ wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz
$ tar -zxf openssl-1.0.1g.tar.gz
$ cd openssl-1.0.1g
$ ./config
$ make
$ make test
$ make install
$ openssl version
If it shows the old version, do the steps below.
$ mv /usr/bin/openssl /root/
$ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
http://olaitanmayowa.com/heartbleed-how-to-upgrade-openssl-in-centos/
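Why `openssl version` can keep reporting the old release after `make install`, shown as an added example that is not part of any answer on this page: the source build lands under /usr/local/ssl/bin while the shell still finds /usr/bin/openssl first. The function names and the temporary stub tree are hypothetical and exist only for this demonstration.

```shell
# List every openssl executable on a PATH-style string ($1, default $PATH) in
# lookup order, with the version each one reports. The first line printed is
# the binary a bare `openssl` actually runs.
openssl_candidates() (
    set -f          # no globbing while splitting the path list
    IFS=:
    for dir in ${1:-$PATH}; do
        bin="${dir:-.}/openssl"
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            printf '%s\t%s\n' "$bin" "$("$bin" version 2>/dev/null)"
        fi
    done
)

# Succeeds when the build at $1 is the one the shell would pick from PATH $2.
is_active() {
    [ "$(openssl_candidates "${2:-$PATH}" | head -n 1 | cut -f1)" = "$1" ]
}

# Constructed demo tree: stub scripts stand in for the distro build (usr/bin)
# and the source build (usr/local/ssl/bin); version strings as quoted on the page.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/ssl/bin"
    printf '#!/bin/sh\necho "OpenSSL 1.0.1e 11 Feb 2013"\n' > "$root/usr/bin/openssl"
    printf '#!/bin/sh\necho "OpenSSL 1.0.1g 7 Apr 2014"\n' > "$root/usr/local/ssl/bin/openssl"
    chmod +x "$root/usr/bin/openssl" "$root/usr/local/ssl/bin/openssl"
    echo "$root"
}

demo=$(make_demo_tree)
openssl_candidates "$demo/usr/bin:$demo/usr/local/ssl/bin"
rm -rf "$demo"
```

On a real host, run `openssl_candidates` with no argument to see every build on the current PATH before deciding whether a symlink or a PATH change is needed.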
I agree that in 95% of cases, all you need is sudo yum update openssl
However, if you need a specific version of openssl or specific functionality, which is not in CentOS repository, you probably need to compile from source. The other answers here were incomplete. Below is what worked (CentOS 6.9), although this may introduce incompatibilities with installed software, and will not auto-update the openssl.
Choose openssl version from https://www.openssl.org/source/
Log-in as root:
cd /usr/local/src/
# OPTIONALLY CHANGE openssl-1.1.0f.tar.gz to the version which you want
wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz
sha256sum openssl-1.1.0f.tar.gz #confirm this matches the published hash
tar -zxf openssl-1.1.0f.tar.gz
cd /usr/local/src/openssl-1.1.0f
./config --prefix=/usr/local --openssldir=/usr/local/openssl
make
make test
make install
export LD_LIBRARY_PATH=/usr/local/lib64
#make export permanent
echo "export LD_LIBRARY_PATH=/usr/local/lib64" > /etc/profile.d/ld_library_path.sh
chmod ugo+x /etc/profile.d/ld_library_path.sh
openssl version #confirm it works
#recommended reboot here
openssl version #confirm it works after reboot
My approach was:
openssl version
OpenSSL 1.0.1e 11 Feb 2013
wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssl-1.0.2a-fix_parallel_build-1.patch
tar xzf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
patch -Np1 -i ../openssl-1.0.2a-fix_parallel_build-1.patch
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make
make install
openssl version
OpenSSL 1.0.2a 19 Mar 2015
The only thing you have to do is perform a yum update.
It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.
To verify the update simply check the changelog:
# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
You should see the following:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Make sure you reboot the server because important services such as Apache and SSH use OpenSSL.
You should replace the old OpenSSL binary file by the new one via a symlink:
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`
Remember that after this procedure you should reboot the server or restart all the services related to OpenSSL.
You can also check the local changelog to verify whether or not OpenSSL is patched against the vulnerability with the following command:
rpm -q --changelog openssl | grep CVE-2014-0224
If a result is not returned, then you must patch OpenSSL.
http://www.liquidweb.com/kb/update-and-patch-openssl-for-the-ccs-injection-vulnerability/
rpm -qa openssl
yum clean all && yum update "openssl*"
lsof -n | grep ssl | grep DEL
cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
# configure once; a second bare ./config would discard these options
./config --prefix=/usr --openssldir=/usr/local/openssl shared
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g
and
openssl version
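The changelog check (`rpm -q --changelog openssl | grep CVE-...`) and the `lsof -n | grep ssl | grep DEL` check from the answers above, combined into one post-update audit. This is an added example, not code from any of the posts; the function names and the sample changelog and lsof text are constructed for illustration.

```shell
# Functions read text on stdin, so they work on live command output as well
# as on the constructed samples below.

# Succeeds if the RPM changelog on stdin mentions the CVE id in $1.
changelog_has_fix() {
    grep -qF -- "$1"
}

# From `lsof -n` output on stdin, print "command pid" for each process that
# still maps a deleted (FD column = DEL) libssl/libcrypto file, i.e. one that
# loaded the old library and has not been restarted since the update.
stale_ssl_procs() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
}

# $1 = CVE id, $2 = changelog text, $3 = lsof text
audit() {
    if printf '%s\n' "$2" | changelog_has_fix "$1"; then
        echo "PATCHED $1"
    else
        echo "UNPATCHED $1"
    fi
    printf '%s\n' "$3" | stale_ssl_procs | sed 's/^/RESTART /'
}

# Constructed sample data (the packager address is a placeholder).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Packager <packager@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_LSOF='COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd   1201 root DEL   REG  253,0          393352 /usr/lib64/libssl.so.1.0.1e
httpd   1201 root DEL   REG  253,0          393360 /usr/lib64/libcrypto.so.1.0.1e
sshd    1050 root mem   REG  253,0  1965856 393360 /usr/lib64/libcrypto.so.1.0.1e
master  1310 root DEL   REG  253,0          393352 /usr/lib64/libssl.so.1.0.1e'

audit CVE-2014-0160 "$SAMPLE_CHANGELOG" "$SAMPLE_LSOF"
# On a live RPM-based host:
#   audit CVE-2014-0160 "$(rpm -q --changelog openssl)" "$(lsof -n)"
```

Any `RESTART` line names a process still running the pre-update library, which is why the answers recommend restarting services or rebooting after the package update.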
Source: Stackoverflow.com