How to Install OpenSSL Latest Version on Ubuntu 23.10
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping and need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
The first step is to determine the version that is already installed:
openssl version
Output:
root@ubuntu23:~# openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
root@ubuntu23:~#
Update the System
Update the current packages using the commands below,
apt update -y
apt upgrade -y
Install the required dependencies
Install the required packages using the command below,
apt install build-essential make
Once the packages are installed, check the versions to confirm,
make --version
gcc --version
Output:
root@ubuntu23:~# make --version
GNU Make 4.3
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@ubuntu23:~# gcc --version
gcc (Ubuntu 13.2.0-4ubuntu3) 13.2.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Verify that the Perl package is installed by checking its version.
perl --version
Output:
root@ubuntu23:~# perl --version
This is perl 5, version 36, subversion 0 (v5.36.0) built for x86_64-linux-gnu-read-multi
(with 53 registered patches, see perl -V for more detail)
Copyright 1987-2022, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at https://www.perl.org/, the Perl Home Page.
Check the downloaded archive signature
Before installing the contents of the downloaded archive, we will verify its signature using GnuPG, which ships with Ubuntu.
We find the following details on the OpenSSL download page: "The OMC page provides access to the PGP keys for the signatures. Richard Levitte and Matt Caswell are current band members that have signed releases. The members' public keys are accessible by clicking the link on the OMC page." The relevant keys must therefore be downloaded and imported into the GnuPG database (one is in levitte.txt, and the other is in caswell.txt). Using curl,
curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C' > levitte.txt
curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/8657ABB260F056B1E5190839D9C4D26D0E604491' > caswell.txt
Output:
root@ubuntu23:~# curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C' > levitte.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5713 100 5713 0 0 9706 0 --:--:-- --:--:-- --:--:-- 9699
root@vps:~#
root@ubuntu23:~# curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/8657ABB260F056B1E5190839D9C4D26D0E604491' > caswell.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2309 100 2309 0 0 4004 0 --:--:-- --:--:-- --:--:-- 4008
Import both keys into the GnuPG keyring as shown below,
gpg --import caswell.txt
gpg --import levitte.txt
Output:
root@ubuntu23:~# gpg --import caswell.txt
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D9C4D26D0E604491: public key "Matt Caswell <matt@openssl.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@ubuntu23:~# gpg --import levitte.txt
gpg: key D5E9E43F7DF9EE8C: public key "Richard Levitte <richard@levitte.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Check the imported keys using the command below,
gpg --list-keys
Output:
root@ubuntu23:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2013-04-30 [SC]
8657ABB260F056B1E5190839D9C4D26D0E604491
uid [ unknown] Matt Caswell <matt@openssl.org>
uid [ unknown] Matt Caswell <frodo@baggins.org>
sub rsa2048 2013-04-30 [E]
pub rsa4096 2014-10-04 [SC]
7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid [ unknown] Richard Levitte <richard@levitte.org>
uid [ unknown] Richard Levitte <levitte@lp.se>
uid [ unknown] Richard Levitte <levitte@openssl.org>
sub rsa4096 2014-10-04 [E]
The above keys need to be marked as trusted within the GnuPG database. The process is shown below,
gpg --edit-key levitte@openssl.org
Output:
root@ubuntu23:~# gpg --edit-key levitte@openssl.org
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/D5E9E43F7DF9EE8C
created: 2014-10-04 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/62D00E47A096F2AC
created: 2014-10-04 expires: never usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2) Richard Levitte <levitte@lp.se>
[ unknown] (3) Richard Levitte <levitte@openssl.org>
gpg> fpr
pub rsa4096/D5E9E43F7DF9EE8C 2014-10-04 Richard Levitte <richard@levitte.org>
Primary key fingerprint: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
gpg> trust
pub rsa4096/D5E9E43F7DF9EE8C
created: 2014-10-04 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/62D00E47A096F2AC
created: 2014-10-04 expires: never usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2) Richard Levitte <levitte@lp.se>
[ unknown] (3) Richard Levitte <levitte@openssl.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/D5E9E43F7DF9EE8C
created: 2014-10-04 expires: never usage: SC
trust: ultimate validity: unknown
sub rsa4096/62D00E47A096F2AC
created: 2014-10-04 expires: never usage: E
[ unknown] (1). Richard Levitte <richard@levitte.org>
[ unknown] (2) Richard Levitte <levitte@lp.se>
[ unknown] (3) Richard Levitte <levitte@openssl.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
Download the signature file from here using the command below,
curl https://www.openssl.org/source/openssl-3.1.4.tar.gz.asc > signature.asc
Now validate the signature against the release archive openssl-3.1.4.tar.gz (downloaded in the next section) using the command below,
gpg --verify signature.asc openssl-3.1.4.tar.gz
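Output (gpg ends with "Can't check signature: No public key": the signature was made with key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5, which is neither of the two keys imported above, so this run does not verify the archive):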
root@ubuntu23:~# gpg --verify signature.asc openssl-3.1.4.tar.gz
gpg: Signature made Tue 24 Oct 2023 01:42:02 PM UTC
gpg: using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Can't check signature: No public key
root@ubuntu23:~#
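A fail-closed way to script the signature check above, so that a "No public key" result cannot be mistaken for success. This is an added example, not part of the original guide: it parses the status lines gpg writes with --status-fd and accepts only a VALIDSIG from an allow-listed fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed check of gpg's machine-readable status output.
# Fingerprints are the two keys imported on this page; status lines are constructed.
LEVITTE=7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
CASWELL=8657ABB260F056B1E5190839D9C4D26D0E604491

# Constructed: what --status-fd reports for the "No public key" run shown above.
SAMPLE_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D894E2CE8B3D79F5 1 10 00 1698154922 9 EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
[GNUPG:] NO_PUBKEY D894E2CE8B3D79F5'

# Constructed: a good signature made by one of the allow-listed keys.
SAMPLE_VALID='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D5E9E43F7DF9EE8C Richard Levitte <richard@levitte.org>
[GNUPG:] VALIDSIG 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 2023-10-24 1698154922 0 4 0 1 10 00 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C'

# check_gpg_status FPR...: read status lines on stdin; succeed only if a
# VALIDSIG names an allow-listed fingerprint and no failure status appears.
check_gpg_status() {
    allowed=" $* "
    verdict=1                       # no VALIDSIG seen yet, so fail
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|\
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                signer=${rest%% *}  # fingerprint of the key that signed
                primary=${rest##* } # last field: primary-key fingerprint
                case "$allowed" in
                    *" $signer "*|*" $primary "*) verdict=0 ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return "$verdict"
}

# verify_release SIG FILE FPR...: run gpg and apply the check to its status output.
verify_release() {
    sig=$1; file=$2; shift 2
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        check_gpg_status "$@"
}
```

Because the decision is made on the full fingerprint in the VALIDSIG line, it does not depend on the owner-trust level set in the keyring.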
Download and Install OpenSSL
At the time of making this guide, OpenSSL 3.1.4 was the latest stable version available. Please check here for any new updates when trying the steps outlined below.
wget https://www.openssl.org/source/openssl-3.1.4.tar.gz
Check the download for corruption by comparing the SHA256 checksum from here with the computed checksum of the downloaded archive,
wget https://www.openssl.org/source/openssl-3.1.4.tar.gz.sha256
echo "$(cat openssl-3.1.4.tar.gz.sha256) openssl-3.1.4.tar.gz" | sha256sum --check
Output:
root@ubuntu23:~# echo "$(cat openssl-3.1.4.tar.gz.sha256) openssl-3.1.4.tar.gz" | sha256sum --check
openssl-3.1.4.tar.gz: OK
We will install the latest version in the /opt/openssl directory. To do this, create the directory and change into it using the following commands,
mkdir /opt/openssl
cd /opt/openssl
Extract the downloaded archive into this directory,
tar xvzf /root/openssl-3.1.4.tar.gz --directory /opt/openssl
cd openssl-3.1.4/
Create the Makefile using the following command,
./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl
Output:
root@ubuntu23:/opt/openssl# cd openssl-3.1.4/
root@ubuntu23:/opt/openssl/openssl-3.1.4# ./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl
Configuring OpenSSL version 3.1.4 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL.md file first) ***
*** ***
**********************************************************************
make
make install
The new OpenSSL version 3.1.4 is now installed.
Back up the original default binary,
mv /usr/bin/openssl /usr/bin/openssl.backup
To maintain compatibility and avoid the need to alter the PATH environment variable, create a symbolic link /usr/bin/openssl pointing to /opt/openssl/bin/openssl using the command below,
ln -s /opt/openssl/bin/openssl /usr/bin/openssl
cd /usr/bin/
ls -lisah openssl
Output:
root@vps:/usr/bin# ls -lisah openssl
344 0 lrwxrwxrwx 1 root root 24 Jul 28 16:05 openssl -> /opt/openssl/bin/openssl
root@vps:/usr/bin#
Create a configuration file and store it in the directory /etc/ld.so.conf.d/. To do this, change to the directory /etc/ld.so.conf.d/ and create the file openssl.conf with the following content,
/opt/openssl/lib64
Update the linker cache using the command below,
ldconfig
To verify that everything is correct, run the commands below,
which openssl
Output:
root@vps:~# which openssl
/usr/bin/openssl
root@vps:~#
Check the installed version,
openssl version
Output:
root@vps:~# openssl version
OpenSSL 3.1.4 24 October 2023 (Library: OpenSSL 3.1.4 24 October 2023)
root@vps:~#
That's it. Reboot your system, then run the last two commands again to confirm the OpenSSL version.