CentOS Update & Upgrade to OpenSSL 3

IMPORTANT NOTE: The steps in this article should still work as long as not too much time has passed since it was written.

Before we begin

Why OpenSSL 3.0?

There has been a huge amount of development effort that has gone into the new OpenSSL 3.0 version. As of the time of writing there have been 2112 commits made to the master branch of git (where all the new development work takes place) since the release of OpenSSL 1.1.1 back in September 2018, and that number is going up every day. To give an idea of the scale of these changes that represents 8.5% of all the commits ever made to OpenSSL since it was founded back in 1998!

OpenSSL 3.0 represents a major re-architecture of the internal plumbing of OpenSSL. We’ve been talking about this for a while and you can read a detailed description of the planned changes in our design document.

What's new in OpenSSL 3.0?

The biggest single change is the introduction of a concept called “Providers”. In OpenSSL 3.0 all cryptographic algorithms will be implemented in a provider. There will be a “default” built-in provider, as well as others such as a “legacy” provider to enable access to legacy algorithms and a “FIPS” provider to enable access to FIPS validated algorithms.

There has been significant progress towards implementing the changes in that design document. The three providers I described above are already present and (almost) all ciphers and digests have been migrated into them as well as numerous other algorithms. Migration of the various asymmetric algorithms is currently in progress. For those interested in following the current active development you can look at the currently active pull requests here.

End Of Life of OpenSSL 1.0.2

Note that as previously announced OpenSSL 1.0.2 will be End Of Life at the end of this year. This means there will not be any further public updates or security fixes to the 1.0.2 branch from then. This gives another strong reason for existing 1.0.2 users to upgrade to 1.1.1 as soon as possible.

Update to OpenSSL 3.0

We still expect the upgrade path from OpenSSL 1.1.1 to OpenSSL 3.0 to be relatively easy for most applications. In most cases applications will simply need to recompile in order to work with the new version. However, some changes may be required in order to benefit from the new features being introduced in OpenSSL 3.0 - for example to use algorithms from one of the new providers. In the simplest cases these changes might just be configuration file updates. In other cases code changes will be required.

The changes required for existing users of OpenSSL 1.0.2 to upgrade to OpenSSL 3.0 are more significant. For existing users of OpenSSL 1.0.2 we recommend upgrading to our newest LTS (Long Term Support) release 1.1.1, in order to ease the future migration to OpenSSL 3.0.

Update on 3.0 Development, FIPS and 1.0.2 EOL - OpenSSL Blog

Get Started: Update / Upgrade OpenSSL

Before we upgrade or update any core component that affects our connection to the server, we must have a backup or a Plan B that lets us reach the machine even if SSH becomes unavailable: for example, VNC or console access, a server backup, or a snapshot.

Check OpenSSL version

openssl version

Check SSH version

ssh -V

Update the installed packages with yum:

yum update

If you are currently on OpenSSL v1.0.2, you may be missing some modules and features required to upgrade to v3.0, so there are some prerequisites to meet before we get to OpenSSL v3. Because we are upgrading from 1.1.1x to 3.1.0, which is a big jump, some Perl modules required by 3.1.0 are missing, and we are going to install them first.
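Before touching anything, it helps to classify where the host currently stands and to keep a record to compare against after the reboot. The POSIX shell snippet below is an added example, not part of the original article: it parses the banner printed by `openssl version`, maps the release line to the route the text describes (1.0.2 goes to 1.1.1 first; 1.1.1 is built straight to 3.x from source), and writes the pre-upgrade state to a file. The function names are this example's own, and every probe is guarded so it still runs on a host where `openssl`, `ssh` or `ldconfig` is missing.

```shell
#!/bin/sh
# Added example, not from the original article: pre-upgrade checks.
# 1. classify the OpenSSL release line from the `openssl version` banner
# 2. map it to the upgrade route the article describes
# 3. record the current state so it can be diffed after the reboot

# Print the release line ("1.0.2", "1.1.1", "3.1", ...) for a banner
# such as "OpenSSL 1.0.2k-fips  26 Jan 2017".
openssl_branch() {
    set -- $1                      # split on whitespace: $2 is the version token
    ver=$2
    case "$ver" in
        1.0.2*) echo "1.0.2" ;;
        1.1.1*) echo "1.1.1" ;;
        3.*)    echo "$ver" | cut -d. -f1,2 ;;   # "3.1.0" -> "3.1"
        *)      echo "unknown" ;;
    esac
}

# Map the banner to the route: 1.0.2 goes to 1.1.1 first, 1.1.1 is built
# straight to 3.x from source, 3.x needs nothing.
upgrade_route() {
    case "$(openssl_branch "$1")" in
        1.0.2) echo "upgrade-to-1.1.1-first" ;;
        1.1.1) echo "build-3.x-from-source" ;;
        3.*)   echo "already-on-3.x" ;;
        *)     echo "unknown" ;;
    esac
}

# Write the pre-upgrade state to the file named by $1. Every probe is
# guarded so the function still works on a host missing one of the tools.
snapshot_state() {
    out=$1
    {
        echo "taken: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        if command -v openssl >/dev/null 2>&1; then
            echo "openssl binary: $(command -v openssl)"
            echo "openssl version: $(openssl version)"
            echo "upgrade route: $(upgrade_route "$(openssl version)")"
        else
            echo "openssl: not found"
        fi
        if command -v ssh >/dev/null 2>&1; then
            echo "ssh version: $(ssh -V 2>&1)"
        else
            echo "ssh: not found"
        fi
        echo "libssl/libcrypto in the loader cache:"
        if command -v ldconfig >/dev/null 2>&1; then
            ldconfig -p 2>/dev/null | grep -E 'libssl|libcrypto' || echo "  (none listed)"
        else
            echo "  (ldconfig not available)"
        fi
    } > "$out"
}

# Usage:
#   snapshot_state /root/openssl-before.txt
#   cat /root/openssl-before.txt
```

Keep the snapshot file somewhere outside /usr/src; after the reboot, run `snapshot_state` again to a second file and `diff` the two to confirm the binary, the version and the loader cache all changed the way you expected.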

We use IPC-Cmd here as an example:

Go to a directory of your choice to prepare the installation package. I use /usr/src here:

cd /usr/src

Download IPC-Cmd-1.04.tar.gz from https://cpan.metacpan.org/authors/id/B/BI/BINGOS/

wget https://cpan.metacpan.org/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz

The version of IPC-Cmd may differ depending on your needs. I use 1.04 here, as of 4 March 2023.

IMPORTANT NOTE: If your OpenSSL version is already so out of date that the download fails because no secure connection can be made, add --no-check-certificate to the end of the wget command.

Extract it under /usr/src:

tar -zxf IPC-Cmd-1.04.tar.gz

Go into the new folder:

cd IPC-Cmd-1.04

Run the Perl Makefile:

perl Makefile.PL

After this command, it will show which required modules are missing. You will need to get them ready before installing OpenSSL 3.

Typically, they can be installed with the following command:

yum -y install perl-Module-Load-Conditional perl-Locale-Maketext-Simple perl-Params-Check perl-ExtUtils-MakeMaker perl-CPAN perl-IPC-Cmd

If not, install the missing modules using the same format as the command above.

Then, with the new Perl modules ready, compile and install it:

make && make install

So far so good. Next, we will get OpenSSL 3 installed.

Go one level up, back to /usr/src:

cd /usr/src

Download OpenSSL 3 from the OpenSSL releases page, or from wherever you prefer (but it must be a trusted source):

wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
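Because the download step above is a bare `wget`, here is an added example (not from the original article) that fetches the tarball together with the `.sha256` digest file openssl.org publishes beside each release tarball, and removes a download whose digest does not match so it cannot be extracted by mistake. The digest helpers also work on their own: on a host whose `wget` cannot complete a TLS handshake, copy the tarball and its `.sha256` file over from another machine and run `verify_sha256` by hand before extracting. The `<tarball>.sha256` layout is openssl.org's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: fetch the OpenSSL source
# tarball and its published SHA-256 digest, and verify before extracting.
# openssl.org publishes "<tarball>.sha256" next to every release tarball.

# Print the SHA-256 hex digest of a file, using sha256sum if present and
# falling back to the openssl tool otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Pull the first 64-hex-character token out of a .sha256 sidecar file;
# works whether the file holds the bare digest or "digest  filename".
digest_from_sidecar() {
    tr -s ' \t\n' '\n' < "$1" | grep -Ei '^[0-9a-f]{64}$' | head -n 1
}

# Exit 0 when FILE's digest matches EXPECTED (hex, any case), else 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Download URL and URL.sha256 into DESTDIR (default: current dir), then
# verify. A tarball that fails the check is deleted so it cannot be
# extracted by mistake. wget's own certificate check is left on; the
# digest is an independent second check, not a replacement for it.
fetch_verified() {
    url=$1
    dest=${2:-.}
    name=$(basename "$url")
    wget -q -P "$dest" "$url" "$url.sha256" || return 1
    expected=$(digest_from_sidecar "$dest/$name.sha256")
    if verify_sha256 "$dest/$name" "$expected"; then
        echo "$name: SHA-256 OK"
    else
        echo "$name: SHA-256 MISMATCH (or no digest found), removing download" >&2
        rm -f "$dest/$name"
        return 1
    fi
}

# Usage (needs network access):
#   fetch_verified https://www.openssl.org/source/openssl-3.1.0.tar.gz /usr/src
#   tar -zxf /usr/src/openssl-3.1.0.tar.gz -C /usr/src
```

The digest file is fetched from the same server as the tarball, so it catches a corrupted or truncated download rather than a compromised mirror; for the latter, openssl.org also publishes a detached `.asc` signature you can check with `gpg --verify` against the OpenSSL release-signing key.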

Extract it:

tar -zxf openssl-3.1.0.tar.gz

Go into the extracted folder:

cd openssl-3.1.0

Get the configuration ready:

./Configure

Compile, then install:

make

make install

Wait until it finishes. It went well if you see no "error" in the output.

Let's check the version of OpenSSL to prove it:

openssl version

Yes, that's right, you still see the old version number. Don't panic; it is cached.

Clear the cache with:

openssl version -r

Get the new version details with:

ldconfig /usr/local/lib64

Reboot your machine so everything takes effect:

sudo reboot

After reboot, check the version:

openssl version
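A source build with a plain `./Configure` installs under the /usr/local prefix (which is why the article runs `ldconfig` on /usr/local/lib64), while the distro's own openssl stays under /usr. The following added example (not part of the original article) shows what is actually in use after the reboot: it resolves `openssl` through a search path the same way the shell does, and lists the libssl/libcrypto objects a program loads via `ldd`, so you can see whether sshd is using the new libraries or still the old ones. Function names and the /usr/sbin/sshd and /usr/bin/ssh paths are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: after install + ldconfig,
# confirm which openssl binary the shell runs and which libssl/libcrypto
# a program is linked against.

# Print the first executable NAME in SEARCHPATH (colon separated, defaults
# to $PATH); exit status 1 if none. Runs in a subshell so the IFS change
# does not leak into the caller.
first_in_path() (
    name=$1
    search=${2:-$PATH}
    IFS=:
    set -f                              # no globbing while splitting
    for dir in $search; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            exit 0
        fi
    done
    exit 1
)

# Print the libssl/libcrypto shared objects BINARY resolves at load time.
linked_openssl_libs() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available" >&2; return 1; }
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ { print $3 }'
}

# Report where "openssl" resolves and what sshd/ssh would load. The
# /usr/local prefix is the default for a source build, matching the
# article's ldconfig /usr/local/lib64 step.
report_in_use() {
    bin=$(first_in_path openssl) || bin="(not found)"
    echo "openssl resolved on PATH : $bin"
    echo "source build installs to : /usr/local/bin/openssl"
    for prog in /usr/sbin/sshd /usr/bin/ssh; do
        [ -x "$prog" ] || continue
        echo "$prog links:"
        linked_openssl_libs "$prog" | sed 's/^/  /'
    done
}

# Usage:
#   report_in_use
```

If `openssl resolved on PATH` is not /usr/local/bin/openssl, the shell is finding the distro binary first and `openssl version` will keep reporting it; if sshd still lists the old libssl.so, the daemon was linked against the distro library and is not using the new build regardless of what the `openssl` command prints.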

Great! ALL DONE! You're good to go. Do NOT forget to leave a comment to let me know this helped you 😀

Footnote:

Upgrading OpenSSL to version 3.0.2 from source - Unix & Linux Stack Exchange
