How to upgrade OpenSSL from 1.0.2g to 1.1.0g in Ubuntu and let python recognize the new OpenSSL

2

15

I have Ubuntu 16.04. It has OpenSSL 1.0.2g. I need to use OpenSSL 1.1.0g. Note that OpenSSL 1.1.0g is installed on my other machine, which runs Ubuntu 18. But I need to run a Python program on Ubuntu 16.04, and I need the specific OpenSSL 1.1.0g. I did:

sudo apt-get upgrade
sudo apt-get update

But OpenSSL in my Ubuntu machine did not get updated. How can I update it?

I use the Python socket and ssl modules to make a TLS connection on port 443. Will Python automatically recognize OpenSSL 1.1.0g if I update the old OpenSSL 1.0.2g to OpenSSL 1.1.0g?

The reason for upgrading OpenSSL is I need to run python program ssl socket but I need the program to use OpenSSL 1.1.0g.

When I tried:

sudo apt-get install openssl

and check the OpenSSL version via openssl version -a, I get the old version, OpenSSL 1.0.2g.

How to get the new version OpenSSL 1.1.0g in my Ubuntu 14.06 machine please?

Jemimah answered 27/7, 2018 at 15:18 Comment(0)
31

Why you couldn't get OpenSSL 1.1.0g working on Ubuntu 16.04 by just updating:

Your Ubuntu 18 has OpenSSL 1.1.0g because that is the version available in its repositories. Sometimes a repository has more than one version of a package available. But it looks like Ubuntu 16.04 does not have the version you need available at all. That is why you weren't, and won't be, able to get OpenSSL 1.1.0g working on Ubuntu 16.04 by just updating. The version available in the repositories is different.

And how to do it:

You will either need to install it manually or find a repository for Ubuntu 16.04 that makes OpenSSL 1.1.0g available on the system. I am not sure there is a repository available, so if you want to install it manually, do as follows:

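# Download and unpack the 1.1.0g source release
wget https://www.openssl.org/source/old/1.1.0/openssl-1.1.0g.tar.gz
tar xzvf openssl-1.1.0g.tar.gz
cd openssl-1.1.0g

# Configure, build and install (the default prefix is /usr/local)
./config
make
sudo make install

# Refresh the shared-library cache so libssl.so.1.1 in /usr/local/lib is found
sudo ldconfig

openssl version -a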

That is it!

Warning: By installing a new version of OpenSSL that is not available in the system by default, you introduced a version that is not compatible with the updates made available by the maintenance of the system. You will need to take care of it yourself. Maybe, depending on your scenario, it is worth your while to just use Ubuntu 18, which has the version of OpenSSL you need by default. It is the easiest and safest way to go.

Hope everything goes well. Good luck!

Productive answered 27/7, 2018 at 21:14 Comment(8)
Thanks a lot for taking the time to answer. I did follow the steps you mentioned to install it from the repository. The installation seems successful. But again, when I check the version, the old one is what shows. I gave up on OpenSSL and formatted my device to Ubuntu 18. - Jemimah
Thanks, it worked! Though obviously the best advice is to upgrade to Ubuntu 18. - Confirmation
Thank you edson. BTW, after all the make/install, if you see this, as I did with my Ubuntu 16.04.6 x86_64:
$ openssl version -a
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
then use ldconfig or simply type this line: export LD_LIBRARY_PATH=/usr/local/lib/ - Bauman
You're very welcome @ywu. Thank you for your contribution. - Productive
@Productive It didn't work for me, from the make command on. Mine is Ubuntu 16.04 LTS. - Galumph
If this didn't work for you, make sure that make install is putting it in the right place. For example, on my system, openssl was in /usr/bin, but the makefile defaults to /usr/local/bin. You can change this by running ./config --prefix /usr - Ethelind
@PeterDowdy "You can change this by running ./config --prefix /usr" No. Don't do that. You overwrite the OS-maintained copy of OpenSSL, meaning you no longer get fixes or patches to address exploitable bugs. Are you spending your time keeping up on CVEs so you know when you need to rebuild OpenSSL again? And then again a week later? You're also likely to break some dependent packages, so you now have to maintain those. Unless you want to put your system in the "My system is insecure as hell because I don't know how to maintain a secure OS installation" realm... - Bloodhound
@AndrewHenle You're generally right, although in my case I was working on a system that didn't receive OS updates, so it was this or nothing. That system was pretty unfortunate. - Ethelind
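An added example, not part of the original question or answers: Python's ssl module reports the OpenSSL library it has loaded in ssl.OPENSSL_VERSION, which need not be the one behind the openssl command on PATH, so a source build under /usr/local can change the command's output while Python keeps using the system library. The script below lists every openssl executable on PATH and compares each to Python's version; the function names are illustrative.

```python
import os
import re
import ssl
import subprocess

# Leading token of `openssl version` output and of ssl.OPENSSL_VERSION,
# e.g. "OpenSSL 1.0.2g  1 Mar 2016" -> "1.0.2g".
_BANNER = re.compile(r"^(?:OpenSSL|LibreSSL)\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_version(banner):
    """Return the version token from a banner, or None if it is not a banner."""
    match = _BANNER.match(banner.strip())
    return match.group(1) if match else None


def find_openssl_binaries(path=None):
    """Every executable file named `openssl` on PATH, in lookup order."""
    search = os.environ.get("PATH", "") if path is None else path
    found = []
    for directory in filter(None, search.split(os.pathsep)):
        candidate = os.path.join(directory, "openssl")
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def binary_version(binary):
    """Run `<binary> version` and return (version, error). A binary that cannot
    load its libssl exits non-zero with the loader message on stderr."""
    try:
        proc = subprocess.run([binary, "version"], stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, universal_newlines=True)
    except OSError as exc:
        return None, str(exc)
    if proc.returncode != 0:
        return None, proc.stderr.strip()
    return parse_version(proc.stdout), None


def compare(python_banner, cli_versions):
    """Map each binary to whether its version equals the one Python uses."""
    linked = parse_version(python_banner)
    return {b: v is not None and v == linked for b, v in cli_versions.items()}


if __name__ == "__main__":
    print("Python ssl module uses:", ssl.OPENSSL_VERSION)
    versions = {b: binary_version(b)[0] for b in find_openssl_binaries()}
    for binary, same in compare(ssl.OPENSSL_VERSION, versions).items():
        print(binary, versions[binary], "same as Python" if same else "DIFFERS")
```

A binary reported as differing means the command line and the Python program negotiate TLS with different libraries, so testing with openssl s_client says nothing about what the Python socket will do.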
3

Here is how I installed the latest version of openssl from source code.

# Install make and packages required to compile the source code
sudo apt-get install -y libfindbin-libs-perl build-essential

# Download source code
wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1k.tar.gz -O openssl.tar.gz

# Extract source code
tar -xf openssl.tar.gz

# Go to the source code folder
cd openssl-OpenSSL_1_1_1k

# Configure to compile it
./config --libdir=/usr/local/lib

# Compile with 4 parallel jobs
make -j 4

# Install compiled code
sudo make install

# Move older executable
sudo mv /usr/bin/openssl /usr/bin/openssl-1.0.2g

# Create soft symbolic link to the newer version of openssl
sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

# Make visible the new libraries installed at /usr/local/lib
sudo ldconfig
Liquor answered 18/5, 2021 at 14:3 Comment(2)
ln -s /usr/local/bin/openssl /usr/bin/openssl?!?!? Good heavens NO!!!! Never, ever muck around with the OS-supplied binary. What do you think is going to happen the next time you update your OS and the openssl binary is part of that update? - Bloodhound
I followed it, but it didn't change the inbuilt OpenSSL version of nginx. What to do for that? - Galvez