I just want to show you a proven method to update OpenSSL on CentOS 7.

I used an image of the Bitrix virtual machine. Here are my system settings:

  • Bitrix VM appliance 7.5.5
  • Kernel: 3.10.0-1160.105.1.el7.x86_64
  • OS: CentOS Linux release 7.9.2009 (Core)
  • CPU: Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz x1

Updating OpenSSL

By default, the installed OpenSSL is version 1.0.2k-fips, which dates from 2017. (Screenshot: current OpenSSL version)

For example, let’s update to 1.1.1t, released in 2023.

Installing development tools

sudo yum -y group install 'Development Tools'
sudo yum -y install perl-core zlib-devel cmake3 wget curl unzip yum-utils gcc

Then go to the “tmp” dir

cd /tmp

Downloading an archive with the OpenSSL source

wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz

If the archive is not found, you can download it here

Extracting

tar -xzvf openssl-1.1.1t.tar.gz

Go to the extracted dir

cd openssl-1.1.1t

Configuring

./config no-async shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib

Making and then installing (Don’t forget to enter the password for sudo!)

make && sudo make install

Deleting the existing openssl binary (you can back up the current OpenSSL version first) and creating a symbolic link to the new one

sudo rm /usr/bin/openssl && sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Checking the new version

openssl version -a
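The last two steps above (replace /usr/bin/openssl, then check the version) as an added example that is not from the original post: instead of deleting the packaged binary it keeps a timestamped backup, is safe to re-run, and verifies that the binary now reports the expected version. The directory and binary paths are parameters so it can be tried against a scratch directory first; the default locations in the comments are the post’s own (/usr/bin and /usr/local/ssl/bin/openssl). Keep in mind that /usr/bin/openssl still belongs to the distro’s openssl package, so a later yum update of that package can overwrite the symlink, and the yum-installed libssl in /usr/lib64 that other services link against is untouched by a build installed under /usr/local/ssl.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Replaces the distro "openssl" binary with a symlink to the freshly built one,
# keeping a timestamped backup instead of deleting it, then verifies the result.

# replace_openssl_binary BIN_DIR NEW_BIN
#   BIN_DIR : directory holding the old "openssl" (normally /usr/bin)
#   NEW_BIN : path of the new binary (normally /usr/local/ssl/bin/openssl)
replace_openssl_binary() {
    bin_dir="$1"
    new_bin="$2"
    old_bin="$bin_dir/openssl"

    [ -x "$new_bin" ] || { echo "new binary $new_bin is not executable" >&2; return 1; }

    # Already pointing at the new binary: nothing to do (safe to re-run).
    if [ -L "$old_bin" ] && [ "$(readlink "$old_bin")" = "$new_bin" ]; then
        return 0
    fi

    # Keep the packaged binary so the change can be reverted with a single mv.
    if [ -e "$old_bin" ] && [ ! -L "$old_bin" ]; then
        backup="$old_bin.bak.$(date +%Y%m%d%H%M%S)"
        mv "$old_bin" "$backup"
        echo "backed up $old_bin to $backup"
    fi
    rm -f "$old_bin"
    ln -s "$new_bin" "$old_bin"
}

# openssl_reports_version BIN EXPECTED
#   Returns 0 when "BIN version" prints a line starting with "OpenSSL EXPECTED",
#   e.g. expected "1.1.1t" matches "OpenSSL 1.1.1t  7 Feb 2023".
openssl_reports_version() {
    out="$("$1" version 2>/dev/null)" || return 1
    case "$out" in
        "OpenSSL $2 "*|"OpenSSL $2") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the real system (as root):
#   replace_openssl_binary /usr/bin /usr/local/ssl/bin/openssl
#   openssl_reports_version /usr/bin/openssl 1.1.1t && echo "OK"
```

Source the file and call the two functions as root; if the version check fails, the backup can be moved back over the symlink to revert.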

Installing GOST engine

If you need to integrate with ESIA or Goskey, then you have to install the GOST engine.

Go to the “tmp” dir

cd /tmp

Downloading an archive with the source files

wget https://github.com/gost-engine/engine/archive/3bd506dcbb835c644bd15a58f0073ae41f76cb06.zip

If the archive is not found, you can download it here

Unzipping

unzip 3bd506dcbb835c644bd15a58f0073ae41f76cb06.zip

Go to the unzipped dir

cd engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06

Making a “build” dir and going into it

mkdir build && cd build

Generating the build configuration (pointing cmake at the OpenSSL we just installed under /usr/local/ssl)

cmake3 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-I/usr/local/ssl/include -L/usr/local/ssl/lib' -DOPENSSL_ROOT_DIR=/usr/local/ssl -DOPENSSL_INCLUDE_DIR=/usr/local/ssl/include -DOPENSSL_LIBRARIES=/usr/local/ssl/lib ..

Building

cmake3 --build . --config Release

Go to the “bin” dir

cd ../bin/

Copying the built modules

sudo cp gostsum gost12sum /usr/local/bin/
sudo cp gost.so /usr/local/ssl/lib/engines-1.1/

Now edit the OpenSSL configuration file

sudo vim /usr/local/ssl/openssl.cnf

At the beginning of the file (after the commented lines, before the first directive) add this

openssl_conf=openssl_def

(Screenshot of the beginning of the config file)

Then at the end of the file append this

# OpenSSL default section
[openssl_def]
engines = engine_section

# Engine section
[engine_section]
gost = gost_section

# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/ssl/lib/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

(Screenshot of the end of the config file)

It’s done! Now you have the GOST engine in your OpenSSL. Let’s check it

openssl ciphers | tr ":" "\n" | grep GOST 
openssl engine

If everything went successfully, you will see the installed gost engine. (Screenshot of the installed GOST engine)