35

I have been running a production server with Ubuntu 18 installed. Recently, I found that my web application was not allowed on some of the firewalls installed at the customer location.

I found that my server is communicating over the TLSv1.0, TLSv1.1 and TLSv1.2 protocols; I assume that the firewall setting allows communication with the server over the TLSv1.3 protocol only.

Ubuntu 18 ships with OpenSSL version 1.1.0, and to make the server support TLS v1.3 I have to upgrade OpenSSL to version 1.1.1, which is the latest one.

As this is a production server running an nginx server, I don't want to directly try anything on the server.

    root@energy-prod:~# nginx -v
    nginx version: nginx/1.14.0 (Ubuntu)

What is the best way to upgrade OpenSSL to v1.1.1 without disturbing any other settings of the server?

Kevin Bowen
dollar

1 Answer

78

NOTE: As of ~August 2019, OpenSSL 1.1.1 should be available for installation via normal package upgrades/installations for 18.04. Or, you can download the .deb package directly from here.


According to the OpenSSL website:

The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023.

Since this is not in the current Ubuntu repositories, you will need to download, compile, and install the latest OpenSSL version manually.

Below are the instructions to follow:

  1. Open a terminal (Ctrl+Alt+t).
  2. Fetch the tarball: wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
  3. Unpack the tarball with tar -zxf openssl-1.1.1g.tar.gz && cd openssl-1.1.1g
  4. Issue the command ./config.
  5. Issue the command make (You may need to run sudo apt install make gcc before running this command successfully).
  6. Run make test to check for possible errors.
  7. Back up the current openssl binary: sudo mv /usr/bin/openssl ~/tmp
  8. Issue the command sudo make install.
  9. Create a symbolic link from the newly installed binary to the default location:
    sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
    
  10. Run the command sudo ldconfig to update symlinks and rebuild the library cache.

Assuming that there were no errors in executing steps 4 through 10, you should have successfully installed the new version of OpenSSL.

Again, from the terminal issue the command:

    openssl version

Your output should be as follows:

    OpenSSL 1.1.1g  21 Apr 2020
Kevin Bowen
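
`openssl version` reports the command-line binary, while nginx reports the OpenSSL it was built with and is running with in `nginx -V`. The following check is an added example, not part of the original answer; the function names and the sample text are constructed here. It parses that output and tests whether the runtime library is 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example: read the OpenSSL versions that nginx itself reports in
# `nginx -V`, and test whether the runtime library is new enough for TLS 1.3.

# Print the OpenSSL version for a role: $1 = built|running, $2 = `nginx -V` text.
# Without a "(running with ...)" clause the built version is the runtime one.
nginx_openssl_version() {
    local role="$1" text="$2" built running
    built=$(printf '%s\n' "$text" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$text" | sed -n 's/.*(running with OpenSSL \([^ )]*\).*/\1/p')
    if [ "$role" = running ]; then
        printf '%s\n' "${running:-$built}"
    else
        printf '%s\n' "$built"
    fi
}

# Succeed when a version string such as "1.1.1g" is 1.1.1 or newer.
openssl_has_tls13() {
    local digits major minor patch
    digits=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # 1.1.1g -> 1.1.1
    IFS=. read -r major minor patch <<EOF
$digits
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]
}

# Report both versions; status 0 means the runtime library implements TLS 1.3.
check_nginx_tls13() {
    local built running
    built=$(nginx_openssl_version built "$1")
    running=$(nginx_openssl_version running "$1")
    echo "nginx built with OpenSSL ${built:-unknown}, running with ${running:-unknown}"
    openssl_has_tls13 "$running"
}

# Constructed sample of `nginx -V 2>&1` output (not captured from a real host).
SAMPLE_OLD='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled'

check_nginx_tls13 "$SAMPLE_OLD" || echo "runtime OpenSSL is older than 1.1.1"
# On the server itself: check_nginx_tls13 "$(nginx -V 2>&1)"
```

`nginx -V` starts a new process, so its answer describes the running daemon only after nginx has been restarted.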