Updating the system OpenSSL

Open a terminal on your CentOS 7 system and run

openssl version

The output is

OpenSSL 1.0.2k-fips  26 Jan 2017

Impressive: CentOS 7 still ships an old OpenSSL release from 2017 by default.

Next, check

openssl ciphers -V | grep TLS

The result will certainly be a pile of TLSv1.2 entries.

Awesome: the OpenSSL bundled with CentOS 7 does not support TLSv1.3.

Download the new OpenSSL source

The OpenSSL source page says:

The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023.

The OpenSSL FIPS Object Module 2.0 (FOM) is also available for download. It is no longer receiving updates.

OpenSSL 3.0 is the next major version of OpenSSL that is currently in development and includes the new FIPS Object Module. A pre-release version of this is available below. This is for testing only. It should not be used in production.

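So the OpenSSL 1.1.1 series is the long-term-support stable release we want to download; the FIPS Object Module 2.0 no longer receives updates, and 3.0 is still in development and testing.

wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz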

Extract:

tar -zxvf openssl-1.1.1g.tar.gz

Build and install

cd openssl-1.1.1g
./config --prefix=/usr/local/openssl
make && make install

Replace the old OpenSSL

mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v  # rebuild the dynamic linker cache

Check the current OpenSSL version

openssl version

If the version number has changed, the update succeeded.
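
A changed version string alone does not show that TLSv1.3 is available or that the binary loads its libraries from /usr/local/openssl/lib. The script below is an added example, not part of the original post: it checks all three on the output of `openssl version`, `openssl ciphers -V` and `ldd`. The function names and the `--live` switch are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: post-install checks for the source-built OpenSSL.
# Each check reads command output on stdin, so it also works on saved output.
PREFIX="/usr/local/openssl"   # same value as --prefix in the build step

# Succeeds when `openssl version` output names the expected release ($1).
version_is() {
    awk -v want="$1" '$1 == "OpenSSL" && $2 == want { ok = 1 } END { exit !ok }'
}

# Prints how many suites in `openssl ciphers -V` output are TLSv1.3 suites.
count_tls13() {
    awk '$4 == "TLSv1.3" { n++ } END { print n + 0 }'
}

# Prints each libssl/libcrypto line of `ldd` output that does not resolve
# under $PREFIX/lib (stale system copy, or "not found" if ldconfig was skipped).
stray_libs() {
    awk -v p="$PREFIX/lib/" '/lib(ssl|crypto)\.so/ {
        if ($3 == "not")            print $1 " not found"
        else if (index($3, p) != 1) print $1 " -> " $3
    }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_CIPHERS='  0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
  0x13,0x01 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(128) Mac=AEAD
  0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD'
SAMPLE_LDD='  libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x00007f0000000000)
  libcrypto.so.1.1 => not found
  libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Run against the live system with: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    openssl version | version_is 1.1.1g || echo "unexpected openssl version"
    [ "$(openssl ciphers -V | count_tls13)" -gt 0 ] || echo "no TLSv1.3 suites"
    stray=$(ldd "$(command -v openssl)" | stray_libs)
    [ -z "$stray" ] || echo "libraries not under $PREFIX/lib: $stray"
fi
```

A "not found" line from the library check usually means the `ldconfig` step was skipped or /etc/ld.so.conf lacks the /usr/local/openssl/lib entry.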