TLSv1.3 OpenSSL 1.1.1 - How To Enable?

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Aug 7, 2018.

  1. ahrasis

    ahrasis Active Member

    Please refer to Reply #3 to install OpenSSL 1.1.1 via Ondrej Sury PPA.

    Before compiling manually please ensure that you are on new / fresh server or otherwise you will need to purge your default OpenSSL together with others softwares that are depending on it:

    1. Download the latest version (currently 1.1.1) to your tmp folder:
    Code:
    cd /tmp
    wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
    2. Extract and get into its extracted folder:
    Code:
    tar -xzvf openssl-1.1.1.tar.gz
    cd openssl-1.1.1
    3. You need to configure it first and then simply install the newly extracted openssl files by running:
    Code:
    ./config -Wl,-rpath,'$(LIBRPATH)'
    make && make install
    4. It should now install the new version under /usr/local/bin/openssl. Backup the previous version and copy the new version to its place:
    Code:
    mv /usr/bin/openssl /usr/bin/openssl.old
    cp /usr/local/bin/openssl /usr/bin/
    5. When you run "openssl version" command but face errors, do some minor library fixes, as follows:
    Code:
    export LD_LIBRARY_PATH=/usr/local/lib
    echo "export LD_LIBRARY_PATH=/usr/local/lib" >> ~/.bashrc
    6. When you run "openssl version" it should shows "OpenSSL 1.1.1 11 Sep 2018"; and running nginx -V should show something like the following:
    Code:
    openssl version && nginx -V
    OpenSSL 1.1.1  11 Sep 2018
    nginx version: nginx/1.14.0 (Ubuntu)
    built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
    ...
    Optional, if you already have default openssl and other softwares installed
    7. If while doing the above, the older OpenSSL version is still dominating your system, causing your new openssl 1.1.1 not working, you will need to purge it, however, in doing so, as said earlier, do note that other important softwares might be removed as well as they are depending on openssl.
    Code:
    apt purge openssl
    8. Note (via copy and save them elsewhere) and restore the removed softwares after you finished purging the old OpenSSL (when you restore them back, openssl also be reinstalled, and this is ok / normal).

    In summary the whole code can be scripted as follows:
    Code:
    # The Main Steps
    cd /tmp
    wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
    tar -xzvf openssl-1.1.1.tar.gz
    cd openssl-1.1.1
    ./config -Wl,-rpath,'$(LIBRPATH)'
    make && make install
    mv /usr/bin/openssl /usr/bin/openssl.old
    cp /usr/local/bin/openssl /usr/bin/
    openssl version
    
    # Do this if you need fixes for the library
    export LD_LIBRARY_PATH=/usr/local/lib
    echo "export LD_LIBRARY_PATH=/usr/local/lib" >> ~/.bashrc
    
    # OPTIONAL
    # Purge the old openssl version and
    # Note removed softwares for reinstallation
    # apt purge openssl
    # Reinstall removed softwares that you noted above
    # apt install "replace this with the removed softwares that you noted earlier and without the quotes"
    
    # Check whether nginx uses its library
    nginx -V
    
    Since Ubuntu is debian derivative, I think this tip / trick should normally work on debian and its other derivatives but I am not sure that it will work on other linux OS.
     
    Last edited: Oct 31, 2018
  2. ahrasis

    ahrasis Active Member

    Just to update that OpenSSl version 1.1.1 is already finalized and released. It can already be downloaded from https://www.openssl.org/source/openssl-1.1.1.tar.gz and install on your server as described in the above post.

    I also opened this as an issue at Ondrej github where he maintain 1.1.0h version for those who are using his PPA for php and he advised us to wait a month or two more before he attempt to compile it as an installable package.
     
    till likes this.
  3. ahrasis

    ahrasis Active Member

    Just to update that Ondrej has released his PPA QA compilation for OpenSSL 1.1.1 (supposedly test version) for Apache2 and Nginx. Those who are interested to test it may read at https://github.com/oerdnj/deb.sury.org/issues/951#issuecomment-433696287.

    Basically for Nginx, simply add the following repositories, remove default ubuntu nginx and re-install nginx:
    Code:
    add-apt-repository ppa:ondrej/nginx-mainline; add-apt-repository ppa:ondrej/nginx-qa
    apt-get update; apt-get -y remove nginx; apt-get -y install nginx
    And for Apache2, do almost the same as above:
    Code:
    add-apt-repository ppa:ondrej/apache2; add-apt-repository ppa:ondrej/apache2-qa
    apt-get update; apt-get -y remove apache2; apt-get -y install apache2
     
    Last edited: Oct 30, 2018
  4. ahrasis

    ahrasis Active Member

    OpenSSL 1.1.1 has been uploaded to apache2, php, nginx and nginx-stable (Ubuntu PPA) repositories by Ondrej Sury making it now available to all users that are already using that repositories without the need to add the test (-qa) repositories that I mentioned in the earlier post.
     
    Taleman likes this.

Share This Page