How to Install the latest OpenSSL version from Source on Linux

OpenSSL is a widely used crypto library that implements SSL and TLS protocols for secure communication over computer networks. Many programs like Apache Web server, PHP, Postfix, and many others use OpenSSL. OpenSSL provides support for various cryptographic algorithms such as ciphers (AES, Blowfish, DES, IDEA etc.), cryptographic hash functions (MD5, MD4, SHA-1, SHA-2, etc.), and public key cryptography (RSA, DSA, Diffie-Hellman key exchange).

In this tutorial, I will show you step by step how to install the latest stable OpenSSL version from source on Ubuntu 22.04 and CentOS 7.6 servers.

What will we do?

  1. Install Dependencies
  2. Download OpenSSL Source Code
  3. Install OpenSSL
    1. Compile and Install OpenSSL
    2. Configure Link Libraries
    3. Configure OpenSSL Binary
  4. Testing

Step 1 - Install Dependencies

Before we can compile the OpenSSL library from source, the first step is to install some package dependencies, including the 'build-essential' package on Ubuntu, or 'Development Tools' package on CentOS.

On Ubuntu

Update the Ubuntu repository and install package dependencies for software compilation using the apt command below.

sudo apt update
sudo apt install build-essential checkinstall zlib1g-dev -y

On CentOS

Install the 'Development Tools' and some packages libraries using the yum command.

yum group install 'Development Tools'
yum install perl-core zlib-devel -y

After the installation is complete, go to the next step.

Step 2 - Download OpenSSL

In this tutorial, we will install the latest stable version of OpenSSL - OpenSSL 3.0.7. You can download the source code from the OpenSSL site.

Go to the '/usr/local/src' directory and download the OpenSSL source code using wget.

cd /usr/local/src/
wget https://www.openssl.org/source/openssl-3.0.7.tar.gz

Now extract the openssl.tar.gz file, and go to the 'openssl' directory.

tar -xf openssl-3.0.7.tar.gz
cd openssl-3.0.7

Download OpenSSL source

The OpenSSL source code has been downloaded.

Step 3 - Install OpenSSL

Before installing the custom OpenSSL version to the system, let's check the installed version using the command below.

openssl version -a

Below is my results on Ubuntu:

Compile OpenSSL on Ubuntu 22.04

We will replace version 3.0.2 with latest stable version OpenSSL 3.0.7.

We will install the new OpenSSL version to the specific directory '/usr/local/ssl', and then enable the Link Libraries of OpenSSL, and configure the new binary PATH for OpenSSL.

Install and Compile OpenSSL

Go to the openssl downloaded directory '/usr/local/src/openssl'.

cd /usr/local/src/openssl-3.0.7

Configure and compile OpenSSL with the commands below.

./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib

make
make test

Wait for the OpenSSL compile process.

Compiling OpenSSL

make test passed successfully

Note:

  • --prefix and --openssldir = Set the output path of the OpenSSL.
  • shared = force to create a shared library.
  • zlib = enable the compression using zlib library.

When the compile process is complete, install the OpenSSL using the command below.

make install

make install

OpenSSL is installed in the '/usr/local/ssl' directory.

Check OpenSSL installation

Next, we will configure the shared libraries for OpenSSL. The new OpenSSL binary will load library files from the '/usr/local/ssl/lib' directory.

Go to the '/etc/ld.so.conf.d' directory and create new configuration file 'openssl-3.0.7.conf'.

cd /etc/ld.so.conf.d/
nano openssl-3.0.7.conf

Paste the openssl library path directory.

/usr/local/ssl/lib64

Save and exit.

Now reload the dynamic link using the command below.

sudo ldconfig -v

And you will see the OpenSSL libraries on the '/usr/local/ssl/lib64' directory has been loaded.

Ubuntu:

ldconfig on Ubuntu 22.04

Configure OpenSSL Binary

We will replace the default openssl binary '/usr/bin/openssl or /bin/openssl' with the new version '/usr/local/ssl/bin/openssl'.

On Ubuntu 22.04 LTS

Backup the binary files.

mv /usr/bin/c_rehash /usr/bin/c_rehash.bak
mv /usr/bin/openssl /usr/bin/openssl.bak

Edit the '/etc/environment' file using nano.

nano /etc/environment

Now add the new OpenSSL binary directory as below

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/usr/local/ssl/bin"

Configure PATH

Save and exit.

Reload the environment file and test the new updated binary PATH.

source /etc/environment
echo $PATH

Now check the OpenSSL binary file again.

which openssl

You will get the result as below.

Configure OpenSSL Binary on Ubuntu

The binary path of OpenSSL for Ubuntu has been updated.

On CentOS 7.6

Back up the CentOS OpenSSL binary files.

mv /bin/openssl /bin/openssl.bak

Create new environment files for OpenSSL.

vim /etc/profile.d/openssl.sh

Paste the configuration below.

#Set OPENSSL_PATH
OPENSSL_PATH="/usr/local/ssl/bin"
export OPENSSL_PATH
PATH=$PATH:$OPENSSL_PATH
export PATH

Save and exit.

Make the openssl.sh file executable.

chmod +x /etc/profile.d/openssl.sh

Load the OpenSSL environment and check the PATH bin directory using the commands below.

source /etc/profile.d/openssl.sh
echo $PATH

Now check the OpenSSL file.

which openssl

The binary path for OpenSSL on CentOS has been updated.

Step 4 - Testing

Test the new OpenSSL version using the following command.

openssl version -a

The result on Ubuntu.

Latest OpenSSL version on Ubuntu

The latest stable version of OpenSSL has been installed from source on Linux Ubuntu 22.04 and CentOS 7.6.

Reference

Share this page:

Suggested articles

39 Comment(s)

Add comment

Comments

By: Udom at: 2018-07-25 12:54:19
Reply  

Hi, I have upgrade to the latest version but I cannot incorparate this version to Apache. Do you have any suggestion?

 

Regards 

By: Alex at: 2018-07-28 21:01:57
Reply  

What a great article!  Thanks a lot!!!

By: Norbert at: 2018-08-11 07:49:16
Reply  

Good tutorial, although I preferred to not touch the old binaries, I simply added /usr/local/ssh/bin as the first entry of the $PATH. Note also that the files in /etc/ld.so.conf.d/ are parsed in alphabetical order.

By: Sonia at: 2018-08-28 23:05:20
Reply  

How to give Cross compiler option?

 

I am trying to cross compile for power pc..using compiler:{CC=ppc4xx-linux-gcc --host=powerpc-linux --target=powerpc-linux --with-yielding_select=no} but make depend/make fails. Anything I can do?

By: Pooch at: 2018-09-22 22:53:28
Reply  

Thank you for putting this together! I've been struggling with changing OpenSSL versions in Debian for some time now.

One thing I'm still unclear about is why we're using the shared option here when compiling. Is this required or is it simply to provide shared libraries of the correct version of OpenSSL for other applications that need it?

By: Kenny at: 2018-10-05 12:05:19
Reply  

 Thanks very much. Good documentation and easy to follow.

By: Dennis at: 2018-10-05 13:29:23
Reply  

To keep the PATH-Setting after reboot:

vim /etc/profile.d/openssl-start.sh

#!/bin/bash

source /etc/profile.d/openssl.sh

------------

vim /etc/systemd/system/openssl.service

 

[Unit]

After=mysql.service

 

[Service]

ExecStart=/etc/profile.d/openssl-start.sh

 

[Install]

WantedBy=default.target

--------------

 

systemctl enable openssl.service

By: Von at: 2018-10-18 05:25:26
Reply  

Just in case if someone encountered a TAP OUT error. Please install the following

yum install perl-Module-Load-Conditional perl-core

By: Daniel at: 2018-11-04 11:56:33
Reply  

Excellent Article!! Thank your for sharing :-)

By: Bruno Wego at: 2018-11-18 17:35:37
Reply  

Thanks a lot!

By: Manuel at: 2018-11-24 02:07:17
Reply  

Claro y facil. Muy buen trabajo. Gracias

Manuel

By: Jay at: 2019-02-08 17:27:36
Reply  

Excellent article

By: Josh at: 2019-02-27 23:32:48
Reply  

I needed to put 'sudo' before the make directives and then it worked!

By: Evaldo at: 2019-03-01 18:22:04
Reply  

Thank you!

By: Rob at: 2019-03-23 22:26:13
Reply  

Hello Muhammad, thanks so much. Your tutorial works perfectly. At first, I thought things were off, because on Ubuntu 'openssl version' gave me a not found response, but after a reboot, everything was well. Thanks again.

By: Rob at: 2019-03-23 22:28:38
Reply  

By the way, maybe I should clarify I did the upgrade to openssl 1.1.1b.

By: Andrew at: 2019-04-12 04:42:11
Reply  

Great Article! Worked like a charm, Thanks!

By: Rashmi Sikka at: 2019-04-18 07:07:30
Reply  

Awesome article, one of the rarest!

By: Majid Zarrin at: 2019-05-13 13:39:21
Reply  

Grate job!

Thank you so much!!!

By: Reese at: 2019-05-19 21:57:49
Reply  

Having problems with wget, getting the error message "Unable to locally verfiy the issuer's authority. To connect to google.com insecurely, use '--no-check-certificate'. How do I resove this?

By: Luiz at: 2022-05-05 19:27:52
Reply  

Me too.

You have a solution ?

By: luis angel at: 2019-08-05 00:03:51
Reply  

thanks for the information

By: Dee at: 2019-08-13 05:19:34
Reply  

Good tutorial for the beginners

By: Resilien at: 2019-10-25 05:30:05
Reply  

easy and clean steps to follow what a article 

By: ByteHerder at: 2020-02-06 22:55:59
Reply  

cp: `e_os2.h' and `/usr/src/redhat/openssl-1.0.2o/include/openssl/e_os2.h' are the same file

By: Naveen Prashanth at: 2020-03-17 10:06:21
Reply  

Excellent article 

By: FanBelt32 at: 2020-08-15 19:32:09
Reply  

Thanks for the great working notes.  For Mint 20,  I had to go get Zlib.h & and new GCC to gain stdlib.h .

   Cheers,

   Fanbelt32

By: Alok at: 2020-08-29 07:23:35
Reply  

Hi.

its very good job.

/Alok

By: Andres at: 2020-12-14 19:29:06
Reply  

Did all of this steps and now lost root access on CentOS, anyone through same and knew how to fix it?

By: Rodrigo at: 2021-04-26 03:02:25
Reply  

Very well done!!! Thanks!!

By: Hein Visser at: 2021-06-16 07:54:54
Reply  

20210616 Thank you for this exellent guide. It works 100% on a Raspberry Pi 4 with freshly installed latest version of Raspberry Pi OS, uname -a : Linux pi4-6 5.10.17-v7l+ #1421 SMP Thu May 27 14:00:13 BST 2021 armv7l GNU/Linux

By: Jack at: 2021-08-27 17:29:25
Reply  

I followed these instructions on some redhat servers and it appeared to work great, however, an SA teammate informed me to never use this procedure as it broke the capability to login to the servers via the console. I had yum uninstall openssl and openssl-devel and then linked /usr/local/ssl/bin/openssl to /bin/openssl

By: Manraj at: 2021-11-25 06:45:40
Reply  

Thanks alot

By: Bathulah Mahir at: 2022-04-14 05:45:06
Reply  

I update OpenSSL to version 1.1.1n, and looks like wget, curl have error after using this guideline upgrade, it shows the errors like 

 

ERROR: cannot verify bitbucket.org's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:

  Unable to locally verify the issuer's authority.

To connect to www.openssl.org insecurely, use `--no-check-certificate'.

By: Adam at: 2022-04-19 04:36:14
Reply  

Thanks! Great article

By: Justin at: 2022-09-14 13:39:53
Reply  

This was super useful, thank you!!

By: Donna at: 2022-10-16 02:19:36
Reply  

Thank You. This is very useful.

By: Steven Davies-Morris at: 2022-10-17 21:01:35
Reply  

Thank you for an extremely clear and easy to follow tutorial.  Got me to openssl 1.1.1q.  Now I can upgrade openSSH.

By: Sanshis at: 2023-01-25 14:55:26
Reply  

If i install from rpm (EPEL)  and just replace openssl11 to openssl will it work, and what are the chances of breaking the system. 

mv /bin/openssl /bin/openssl.bak

mv /bin/openssl11 /bin/openssl