How to Install OpenSSL Latest Version on Ubuntu 23.10

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping and that need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

The first step is to determine the version that is already installed:

openssl version

Output:

root@ubuntu23:~# openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
root@ubuntu23:~#

Update the System

Update the current packages using the commands below:

apt update -y

apt upgrade -y

Install the required dependencies

Install the required packages using the command below:

apt install build-essential make

Once the packages are installed, check the versions to confirm:

make --version

gcc --version

Output:

root@ubuntu23:~# make --version
GNU Make 4.3
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

root@ubuntu23:~# gcc --version
gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Verify that the Perl package is installed by checking its version.

perl --version

Output:

root@ubuntu23:~# perl --version

This is perl 5, version 36, subversion 0 (v5.36.0) built for x86_64-linux-gnu-read-multi
(with 53 registered patches, see perl -V for more detail)

Copyright 1987-2022, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at https://www.perl.org/, the Perl Home Page.

Check the signature of the downloaded archive

Before installing the content of the downloaded archive, we will verify its signature using the GnuPG shipped with Ubuntu.

We find the following details on the OpenSSL download page: "The OMC page provides access to the PGP keys for the signatures. Richard Levitte and Matt Caswell are current band members that have signed releases. The members' public keys are accessible by clicking the link on the OMC page." The relevant keys must therefore be downloaded and imported into the GnuPG database (one is in levitte.txt, and the other is in caswell.txt). Using curl:

curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C' > levitte.txt

curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/8657ABB260F056B1E5190839D9C4D26D0E604491' > caswell.txt

Output:

root@ubuntu23:~# curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C' > levitte.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5713  100  5713    0     0   9706      0 --:--:-- --:--:-- --:--:--  9699
root@vps:~# 

root@ubuntu23:~# curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/8657ABB260F056B1E5190839D9C4D26D0E604491' > caswell.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2309  100  2309    0     0   4004      0 --:--:-- --:--:-- --:--:--  4008

Both keys are then imported as shown below:

gpg --import caswell.txt
gpg --import levitte.txt

Output:

root@ubuntu23:~# gpg --import caswell.txt
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D9C4D26D0E604491: public key "Matt Caswell <matt@openssl.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

root@ubuntu23:~# gpg --import levitte.txt
gpg: key D5E9E43F7DF9EE8C: public key "Richard Levitte <richard@levitte.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Check the imported keys using the command below:

gpg --list-keys

Output:

root@ubuntu23:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2013-04-30 [SC]
      8657ABB260F056B1E5190839D9C4D26D0E604491
uid           [ unknown] Matt Caswell <matt@openssl.org>
uid           [ unknown] Matt Caswell <frodo@baggins.org>
sub   rsa2048 2013-04-30 [E]

pub   rsa4096 2014-10-04 [SC]
      7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid           [ unknown] Richard Levitte <richard@levitte.org>
uid           [ unknown] Richard Levitte <levitte@lp.se>
uid           [ unknown] Richard Levitte <levitte@openssl.org>
sub   rsa4096 2014-10-04 [E]

The above keys need to be marked as trusted within the GnuPG database. The process is shown below:

gpg --edit-key levitte@openssl.org

Output:

root@ubuntu23:~# gpg --edit-key levitte@openssl.org
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/D5E9E43F7DF9EE8C
     created: 2014-10-04  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/62D00E47A096F2AC
     created: 2014-10-04  expires: never       usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2)  Richard Levitte <levitte@lp.se>
[ unknown] (3)  Richard Levitte <levitte@openssl.org>

gpg> fpr
pub   rsa4096/D5E9E43F7DF9EE8C 2014-10-04 Richard Levitte <richard@levitte.org>
 Primary key fingerprint: 7953 AC1F BC3D C8B3 B292  393E D5E9 E43F 7DF9 EE8C

gpg> trust
pub  rsa4096/D5E9E43F7DF9EE8C
     created: 2014-10-04  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/62D00E47A096F2AC
     created: 2014-10-04  expires: never       usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2)  Richard Levitte <levitte@lp.se>
[ unknown] (3)  Richard Levitte <levitte@openssl.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/D5E9E43F7DF9EE8C
     created: 2014-10-04  expires: never       usage: SC
     trust: ultimate      validity: unknown
sub  rsa4096/62D00E47A096F2AC
     created: 2014-10-04  expires: never       usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2)  Richard Levitte <levitte@lp.se>
[ unknown] (3)  Richard Levitte <levitte@openssl.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

Download the signature file from here with the command below:

curl https://www.openssl.org/source/openssl-3.1.4.tar.gz.asc > signature.asc

Now validate the signature using the command below:

gpg --verify signature.asc openssl-3.1.4.tar.gz

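In the output below, gpg reports that it could not check the signature: it was made with key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5, which is not one of the two keys imported above, so this run does not confirm the archive's authenticity.

Output: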

root@ubuntu23:~# gpg --verify signature.asc openssl-3.1.4.tar.gz
gpg: Signature made Tue 24 Oct 2023 01:42:02 PM UTC
gpg:                using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Can't check signature: No public key
root@ubuntu23:~#
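
As an added example (not part of the original guide), the script below shows one way to make this step fail closed: it reads gpg's machine-readable --status-fd lines and accepts the archive only if a VALIDSIG line names a pinned fingerprint, so a result like "Can't check signature: No public key" counts as a failure. The function names and the sample status lines are constructed, and the fingerprint to pin is an assumption that must be taken from the OpenSSL site rather than from gpg's own output.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# sig_ok EXPECTED_FPR
# Reads the output of "gpg --status-fd 1 --verify ..." on stdin. Succeeds only
# if a VALIDSIG line names EXPECTED_FPR (as signing key or primary key) and no
# failure status is present. Anything else, including no output, is a reject.
sig_ok() {
    awk -v want="$1" '
        BEGIN { w = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == w || toupper($NF) == w) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_release SIG FILE EXPECTED_FPR
# Runs gpg on a detached signature. The pipeline's exit status is sig_ok's,
# so a missing gpg binary or a missing public key is also a reject.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | sig_ok "$3"
}

# Assumption: PINNED must come from the OpenSSL site. The value here is only
# the key that gpg named in the guide's output, used to drive the samples.
PINNED=EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5

# Constructed status lines. The first set mirrors the guide's run (signing
# key not in the keyring); the second is what a checked signature looks like.
NO_KEY_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D894E2CE8B3D79F5 1 10 00 1698154922 9 EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
[GNUPG:] NO_PUBKEY D894E2CE8B3D79F5'
GOOD_SAMPLE="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D894E2CE8B3D79F5 constructed-uid
[GNUPG:] VALIDSIG $PINNED 2023-10-24 1698154922 0 4 0 1 10 00 $PINNED"

for sample in "$NO_KEY_SAMPLE" "$GOOD_SAMPLE"; do
    if printf '%s\n' "$sample" | sig_ok "$PINNED"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

On a real system, call verify_release signature.asc openssl-3.1.4.tar.gz "$PINNED" and stop the installation if it returns non-zero.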

Download and Install OpenSSL

At the time of making this guide, OpenSSL 3.1.4 was the latest stable version available. Please check here for any new updates when trying the steps outlined below.

wget https://www.openssl.org/source/openssl-3.1.4.tar.gz

Check the download for corruption by comparing the SHA256 checksum from here with the computed checksum of the downloaded archive:

wget https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256

echo "$(cat openssl-3.1.4.tar.gz.sha256) openssl-3.1.4.tar.gz" | sha256sum --check

Output:

root@ubuntu23:~# echo "$(cat openssl-3.1.4.tar.gz.sha256) openssl-3.1.4.tar.gz" | sha256sum --check
openssl-3.1.4.tar.gz: OK

We will install the latest version in the /opt/openssl directory. For this, create the directory and change into it using the following commands:

mkdir /opt/openssl

cd /opt/openssl

Extract the downloaded archive into this directory:

tar xvzf /root/openssl-3.1.4.tar.gz --directory /opt/openssl

cd openssl-3.1.4/

Create the Makefile using the following command,

./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl

Output:

root@ubuntu23:/opt/openssl# cd openssl-3.1.4/
root@ubuntu23:/opt/openssl/openssl-3.1.4# ./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl
Configuring OpenSSL version 3.1.4 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

Build and install using the following commands:

make

make install

The new OpenSSL version 3.1.4 is now installed.

Back up the original default file:

mv /usr/bin/openssl /usr/bin/openssl.backup

To maintain compatibility and avoid the need to alter the PATH environment variable, create a symbolic link /usr/bin/openssl pointing to /opt/openssl/bin/openssl using the command below:

ln -s /opt/openssl/bin/openssl /usr/bin/openssl

cd /usr/bin/

ls -lisah openssl

Output:

root@vps:/usr/bin# ls -lisah openssl
344 0 lrwxrwxrwx 1 root root 24 Jul 28 16:05 openssl -> /opt/openssl/bin/openssl
root@vps:/usr/bin#

Create a configuration file and store it in the directory /etc/ld.so.conf.d/. To do this, change to the directory /etc/ld.so.conf.d/ and create the file openssl.conf with the following content:

/opt/openssl/lib64

Update the cache using the command below:

ldconfig

To verify that everything is correct, run the commands below:

which openssl

Output:

root@vps:~# which openssl
/usr/bin/openssl
root@vps:~#

Check the newly installed version:

openssl version

Output:

root@vps:~# openssl version
OpenSSL 3.1.4 24 October 2023 (Library: OpenSSL 3.1.4 24 October 2023)
root@vps:~# 

That's it. Reboot your system and, to confirm, run the last two commands again to check the OpenSSL version.