I want to show you a proven method to update OpenSSL on CentOS 7.
I used a Bitrix virtual machine image. Here are my system settings:
- Bitrix VM appliance 7.5.5
- Kernel: 3.10.0-1160.105.1.el7.x86_64
- OS: CentOS Linux release 7.9.2009 (Core)
- CPU: Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz x1
Updating OpenSSL
By default the system ships OpenSSL 1.0.2k-fips, a 2017 release. Red Hat backports security fixes into that package, so the version string alone does not tell you which CVEs are fixed; `rpm -q --changelog openssl` does.
As an example, let's install 1.1.1t (released in February 2023). Keep in mind that the 1.1.1 branch itself reached end of life in September 2023, so pick the newest 1.1.1 patch release available when you do this. Also note what this procedure actually changes: the build goes into its own prefix under /usr/local/ssl and replaces the openssl command-line tool, while the distro's libssl/libcrypto that httpd, curl, yum and the other packages link against stay at 1.0.2k.
Installing development tools
sudo yum -y group install 'Development Tools'
sudo yum -y install perl-core zlib-devel cmake3 wget curl unzip yum-utils gcc
Then change to the /tmp directory
cd /tmp
Download the OpenSSL source archive
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz
If the archive is not found at that URL, you can download it here. Before extracting, compare the tarball's SHA-256 with the .sha256 file published next to it on www.openssl.org, so you build the release you think you are building.
Extract it
tar -xzvf openssl-1.1.1t.tar.gz
Go into the extracted directory
cd openssl-1.1.1t
Configure. `shared` builds libssl/libcrypto as shared libraries, `--prefix` and `--openssldir` keep everything under /usr/local/ssl away from the distro packages, and the rpath makes the new binary load those libraries instead of the system ones:
./config no-async shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib
Build and then install (don't forget to enter the password for sudo). Running `make test` between the two steps is worth the extra minutes:
make && sudo make install
Replace the existing openssl binary with a symbolic link to the new one. Back up the current binary first if you may need to roll back, and be aware that a later yum update of the openssl package will overwrite the link with the package's 1.0.2k binary again:
sudo rm /usr/bin/openssl && sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Check the new version. The output should report 1.1.1t and OPENSSLDIR: "/usr/local/ssl"; if it still shows 1.0.2k, the shell is running a cached path or the link was not created:
openssl version -a
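Three things are worth checking in this procedure: the tarball's SHA-256 before building, and after installing, that the openssl on PATH is the new one and that it links libssl/libcrypto from /usr/local/ssl/lib (the rpath above) rather than the distro's libssl.so.10. The script below is an added example, not part of the original post; it assumes the prefix and version used above (overridable via PREFIX and EXPECTED_VERSION). The parsing functions take command output as an argument so they can be exercised on captured text; the live checks run only when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the side-by-side
# OpenSSL build. Assumes PREFIX=/usr/local/ssl and version 1.1.1t as used above.
# Usage on the box:  sh check-openssl.sh --live

PREFIX="${PREFIX:-/usr/local/ssl}"
EXPECTED_VERSION="${EXPECTED_VERSION:-1.1.1t}"

# 1. Verify the tarball before building: compare its SHA-256 with the digest
#    published next to it (openssl-<ver>.tar.gz.sha256). Returns 0 on match.
#    Usage: verify_sha256 <file> <expected-hex>
verify_sha256() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$expected" ]
}

# 2. Parse `openssl version -a` output (passed as one argument).
#    First line looks like:  OpenSSL 1.1.1t  7 Feb 2023
parse_version() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p'
}
#    Config/cert directory line looks like:  OPENSSLDIR: "/usr/local/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"/\1/p'
}

# Both must match: a stale /usr/bin/openssl, or a binary that reads its config
# from elsewhere, means an openssl.cnf edited under PREFIX is never loaded.
check_version_info() {
    [ "$(parse_version "$1")" = "$EXPECTED_VERSION" ] &&
    [ "$(parse_openssldir "$1")" = "$PREFIX" ]
}

# 3. From `ldd` output, confirm libssl/libcrypto resolve under PREFIX (the
#    -Wl,-rpath in ./config) rather than the distro's /lib64/libssl.so.10.
check_linked_libs() {
    printf '%s\n' "$1" | grep -q "libssl\.so\.1\.1 => $PREFIX/lib/" &&
    printf '%s\n' "$1" | grep -q "libcrypto\.so\.1\.1 => $PREFIX/lib/"
}

run_live() {
    v=$(openssl version -a) || { echo "openssl does not run"; return 1; }
    if ! check_version_info "$v"; then
        echo "FAIL: got $(parse_version "$v") with OPENSSLDIR $(parse_openssldir "$v"), want $EXPECTED_VERSION in $PREFIX"
        return 1
    fi
    if ! check_linked_libs "$(ldd "$(command -v openssl)")"; then
        echo "FAIL: $(command -v openssl) is not linked against $PREFIX/lib"
        return 1
    fi
    echo "OK: openssl $(parse_version "$v"), libraries from $PREFIX/lib"
    # What the rest of the system still uses: daemons link the distro package, not this build.
    rpm -q openssl-libs 2>/dev/null || true
}

case "${1:-}" in --live) run_live ;; esac
```

Run it with --live after the symlink step; a FAIL on the ldd check usually means the binary was built without the rpath option and is picking up whatever libssl the loader finds first.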
Installing GOST engine
If you need to integrate with ESIA or Goskey, you have to install the GOST engine.
Go to the /tmp directory
cd /tmp
Download an archive with the source files (this pins a specific commit of the gost-engine repository)
wget https://github.com/gost-engine/engine/archive/3bd506dcbb835c644bd15a58f0073ae41f76cb06.zip
If the archive is not found, you can download it here
Unzip it
unzip 3bd506dcbb835c644bd15a58f0073ae41f76cb06.zip
Go into the unzipped directory
cd engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06
Create a “build” directory and go into it
mkdir build && cd build
Generate the build configuration, pointing CMake at the OpenSSL just installed under /usr/local/ssl rather than the system one
cmake3 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-I/usr/local/ssl/include -L/usr/local/ssl/lib' -DOPENSSL_ROOT_DIR=/usr/local/ssl -DOPENSSL_INCLUDE_DIR=/usr/local/ssl/include -DOPENSSL_LIBRARIES=/usr/local/ssl/lib ..
Build
cmake3 --build . --config Release
Go to the “bin” directory
cd ../bin/
Copy the built modules: the gostsum/gost12sum tools to /usr/local/bin, and the engine into the ENGINESDIR of the new OpenSSL
sudo cp gostsum gost12sum /usr/local/bin/
sudo cp gost.so /usr/local/ssl/lib/engines-1.1/
Now edit the OpenSSL configuration file
sudo vim /usr/local/ssl/openssl.cnf
At the top of the file, after the leading comment lines and before the first [section] header, add this line. It must be in the default (unnamed) section; placed below a section header it belongs to that section and OpenSSL ignores it:
openssl_conf=openssl_def
Then append this at the end of the file:
# OpenSSL default section
[openssl_def]
engines = engine_section
# Engine section
[engine_section]
gost = gost_section
# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/ssl/lib/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
That's it. Now you have the GOST engine in your OpenSSL. Note that default_algorithms = ALL makes the engine the default implementation for every algorithm it registers, in every program that loads this openssl.cnf, not only when you pass -engine gost. Let's check it:
openssl ciphers | tr ":" "\n" | grep GOST
openssl engine
If everything went well, you will see the gost engine listed.
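Editing openssl.cnf by hand is where this usually goes wrong: if openssl_conf=openssl_def lands below a [section] header it belongs to that section, OpenSSL ignores it, and openssl engine never lists gost. The following script is an added example, not code from the original post or from the gost-engine project; it applies the edit described above idempotently and checks the result. It assumes the same paths as the post (gost.so under /usr/local/ssl/lib/engines-1.1, overridable via PREFIX).

```shell
#!/bin/sh
# Added example (not from the original post): apply and check the openssl.cnf
# edit for the GOST engine. Assumes PREFIX=/usr/local/ssl as used above.
# Usage:  sudo sh gost-cnf.sh /usr/local/ssl/openssl.cnf

PREFIX="${PREFIX:-/usr/local/ssl}"

# The sections from the post, with the engine path derived from PREFIX.
gost_sections() {
    cat <<EOF
# OpenSSL default section
[openssl_def]
engines = engine_section
# Engine section
[engine_section]
gost = gost_section
# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = $PREFIX/lib/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
EOF
}

# Return 0 only if "openssl_conf = openssl_def" sits in the default (unnamed)
# section, i.e. before the first "[section]" header in the file.
has_openssl_conf_in_default_section() {
    awk '/^[ \t]*\[/ { exit }
         /^[ \t]*openssl_conf[ \t]*=[ \t]*openssl_def/ { found = 1; exit }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Insert the line just before the first section header unless already present.
# Writes through cat so the file keeps its owner and permissions.
ensure_openssl_conf_line() {
    has_openssl_conf_in_default_section "$1" && return 0
    tmp="$1.tmp.$$"
    awk '!done && /^[ \t]*\[/ { print "openssl_conf=openssl_def"; done = 1 } { print }
         END { if (!done) print "openssl_conf=openssl_def" }' "$1" > "$tmp" &&
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Append the engine sections once (keyed on [gost_section]).
ensure_gost_sections() {
    grep -q '^\[gost_section\]' "$1" && return 0
    { printf '\n'; gost_sections; } >> "$1"
}

# Full check: line in the right place, sections present, and the engine file
# named by dynamic_path actually on disk (a typo there fails silently otherwise).
check_config() {
    has_openssl_conf_in_default_section "$1" &&
    grep -q '^\[gost_section\]' "$1" &&
    so=$(sed -n 's/^dynamic_path[[:space:]]*=[[:space:]]*//p' "$1") &&
    [ -n "$so" ] && [ -f "$so" ]
}

if [ -n "${1:-}" ]; then
    if ensure_openssl_conf_line "$1" && ensure_gost_sections "$1" && check_config "$1"; then
        echo "openssl.cnf ready: $1"
    else
        echo "config check failed for $1" >&2
        exit 1
    fi
fi
```

After running it, `openssl engine -t -c gost` is a stronger check than the bare listing: it should report the engine as [ available ] together with the algorithms it registers, and an engine that loads but shows [ unavailable ] points at a gost.so built against a different OpenSSL than the one on PATH.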