Oracle Linux/openssl

From r00tedvw.com wiki
Revision as of 09:54, 9 October 2018 by R00t (Talk | contribs)


Installing Openssl from source

CVEs have recently been discovered in the latest versions of OpenSSL available from the repos, which presents a problem for administrators since they cannot easily upgrade to a patched version. In such cases, manually compiling OpenSSL from source is sometimes the only temporary solution until the repositories are updated or the fixes are backported.

Reference: https://blacksaildivision.com/how-to-install-openssl-on-centos

Check version

OpenSSL

~$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Kernel

~$ uname -r
2.6.32-754.el6.x86_64

Distribution

~$ lsb_release -a
LSB Version:	:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID:	CentOS
Description:	CentOS release 6.10 (Final)
Release:	6.10
Codename:	Final

Install dependencies

~$ sudo yum install libtool perl-core zlib-devel -y

Download and untar source

~$ curl -L https://github.com/openssl/openssl/archive/OpenSSL_1_1_1.tar.gz -o /tmp/openssl/OpenSSL_1_1_1.tar.gz --create-dirs
~$ tar -zxvf /tmp/openssl/OpenSSL_1_1_1.tar.gz -C /tmp/openssl/

Configure OpenSSL

~$ cd /tmp/openssl/openssl-OpenSSL_1_1_1/
~$ ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
~$ make
~$ make test
~$ sudo make install

Possible Issues

If you encounter an issue, it would be good to run make test in verbose mode.

~$ make test V=1

Parse errors: No plan found in TAP output

If you encounter this error, run make test in verbose mode as described earlier. If you see the following, you will need to update Perl (specifically, its Test::More module):

Test::More version 0.96 required--this is only version 0.92 at /tmp/openssl/openssl-OpenSSL_1_1_1/test/../util/perl/OpenSSL/Test.pm line 13.

The easiest way I found to do this was to follow these directions:

First, make sure that make and the CPAN Perl package manager are installed:

~$ sudo yum install make cpan

Then configure your perl with CPAN. Just enter cpan in the command prompt and answer yes to all interactive questions.
Then update your cpan manager:

~$ sudo cpan
#cpan> install Bundle::CPAN
#cpan> reload cpan

And now install packages of your interest:

#cpan> install Test::More

04-test_err.t

You may encounter a failure in the test 04-test_err.t when running make test. If the verbose output shows the following, it could be related to a known issue in OpenSSL.
Below is how to run an individual test.

~$ make V=1 TESTS=test_err test
...
ERROR: (int) 'errno == EINVAL' failed @ test/errtest.c:31
    # [34] compared to [22]
    not ok 1 - preserves_system_erro

You have two options in this scenario:

  • Ignore the error and make openssl anyway. Per the comments in the issue, it can be safely ignored.
  • Edit ./errtest.c so that it calls ERR_get_error() twice:
~$ sudo vim /tmp/openssl/openssl-OpenSSL_1_1_1/test/errtest.c
...
#else
    ERR_get_error();       /* <<< ADD this line */
    errno = EINVAL;
    ERR_get_error();
    return TEST_int_eq(errno, EINVAL);
...

Check Version again

~$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

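Unfortunately, it still shows the old version. For me, I simply deleted the old openssl file (after making a backup) and then created a symlink to the new version. Note that this only changes which openssl command-line binary runs; software linked against the distribution's OpenSSL libraries continues to use those libraries.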

~$ which openssl
/usr/bin/openssl
~$ sudo cp /usr/bin/openssl /usr/bin/openssl.original
~$ sudo rm /usr/bin/openssl
~$ sudo ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

error libssl.so.1.1: cannot open shared object file

If you try to use openssl and get an error like this, you may need to create a configuration file that tells the dynamic linker where to find the new OpenSSL libraries.

~$ openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

In my case, my libraries were located at: /usr/local/openssl/lib/, so I specified that in the new config file:

~$ sudo find / -name libssl.so.1.1
/tmp/openssl/openssl-OpenSSL_1_1_1/libssl.so.1.1
~$ sudo sh -c "echo '/usr/local/openssl/lib/' >> /etc/ld.so.conf.d/openssl.conf"

Finally, we need to rebuild the ldconfig cache:

~$ sudo ldconfig

Try again:

~$ openssl version
OpenSSL 1.1.1  11 Sep 2018
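
The checks in this section (find the library, list its directory under /etc/ld.so.conf.d, rebuild the cache) can be scripted. The script below is an added example, not part of the original wiki page; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): diagnose the
# "libssl.so.1.1: cannot open shared object file" error after a source install.

# Print each library that ldd output (on stdin) reports as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Succeed if directory $1 is listed in a *.conf file under $2
# (default /etc/ld.so.conf.d); comments and a trailing slash are ignored.
lib_dir_configured() {
    cat "${2:-/etc/ld.so.conf.d}"/*.conf 2>/dev/null |
        awk -v want="${1%/}" '
            { sub(/#.*/, ""); gsub(/[ \t]/, ""); sub(/\/$/, "") }
            $0 == want { found = 1 }
            END { exit !found }'
}

# $1 = file holding ldd output, $2 = library dir of the new build,
# $3 = linker conf dir. Prints the next step for every unresolved library
# and returns 1 if any library is unresolved.
diagnose() {
    missing=$(missing_libs < "$1")
    if [ -z "$missing" ]; then
        echo "ok: all libraries resolve"
        return 0
    fi
    for lib in $missing; do
        if [ ! -e "$2/$lib" ]; then
            echo "$lib: not present in $2, check that 'make install' completed"
        elif lib_dir_configured "$2" "$3"; then
            echo "$lib: $2 is configured, run 'sudo ldconfig' to refresh the cache"
        else
            echo "$lib: add $2 to a .conf file in $3, then run 'sudo ldconfig'"
        fi
    done
    return 1
}

# Constructed sample: ldd output for the new binary before ldconfig was fixed.
SAMPLE_LDD='	libssl.so.1.1 => not found
	libcrypto.so.1.1 => not found
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Demo on the sample: lists the two libraries the loader cannot find.
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

On a real host, capture the input with ldd /usr/local/openssl/bin/openssl > ldd.txt and pass /usr/local/openssl/lib and /etc/ld.so.conf.d as the other two arguments to diagnose.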

Check functionality

Do a quick check for functionality. Something like this should be good:

~$ openssl s_client -showcerts -connect google.com:443 </dev/null 2>/dev/null

If you get the SSL cert contents, it works.
