OpenSSL v1.0.1x on CentOS v6.x (for Nginx 1.4)
How to install OpenSSL v1.0.1 on CentOS 6 to get TLS v1.2 support
This follows the InterServed Technologies post:
# rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-11.ius.el6.noarch.rpm
# yum install yum-plugin-replace
# yum replace openssl --replace-with=openssl10
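A post-replacement check, added here as an example and not taken from the original post: it confirms that the reported OpenSSL version is 1.0.1 or later (the first release with TLS 1.1/1.2) and flags processes that still map the removed 1.0.0 library. The function names are hypothetical, and the nginx check assumes nginx is dynamically linked against the system libssl.

```shell
#!/bin/sh
# Added example: checks to run after "yum replace openssl --replace-with=openssl10".
# Function names are hypothetical, not part of yum or OpenSSL.

# Return 0 if an `openssl version` line reports 1.0.1 or later,
# 1 if it is older, 2 if the line cannot be parsed.
version_has_tls12() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1=major $2=minor $3=fix
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 0 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 1 ] && return 0
    return 1
}

# Read /proc/<pid>/maps text on stdin. Print the libssl/libcrypto paths that
# are mapped but marked "(deleted)" and return 0 if any were found: such a
# process was started before the replacement and still runs the old library.
stale_ssl_maps() {
    stale=$(awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ { print $(NF-1) }' |
        sort -u)
    [ -n "$stale" ] && printf '%s\n' "$stale"
}

# Live use on the upgraded host (root is needed to read other users' maps).
run_checks() {
    version_has_tls12 "$(openssl version)" ||
        echo "openssl binary does not report 1.0.1 or later"
    for pid in $(pgrep nginx); do
        stale_ssl_maps < "/proc/$pid/maps" >/dev/null &&
            echo "nginx pid $pid still maps the old library; restart nginx"
    done
    return 0
}
```

Call `run_checks` as root once the yum transaction has finished.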
Links
- Provide OpenSSL 1.0.1c or Higher as cPanel RPM, to allow TLS 1.1, TLS 1.2
- https://www.ssllabs.com/ssltest/index.html
- http://en.wikipedia.org/wiki/Transport_Layer_Security
Appendices
openssl10-1.0.1e-1.ius binaries
/usr/bin/openssl
openssl10-libs-1.0.1e-1.ius binaries
/usr/lib64/libcrypto.so.1.0.1e
/usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.1e
/usr/lib64/libssl.so.1.0.1e
/usr/lib64/libssl.so.10 -> libssl.so.1.0.1e
/usr/lib64/openssl
/usr/lib64/openssl/engines
/usr/lib64/openssl/engines/lib4758cca.so
/usr/lib64/openssl/engines/libaep.so
/usr/lib64/openssl/engines/libatalla.so
/usr/lib64/openssl/engines/libcapi.so
/usr/lib64/openssl/engines/libchil.so
/usr/lib64/openssl/engines/libcswift.so
/usr/lib64/openssl/engines/libgmp.so
/usr/lib64/openssl/engines/libnuron.so
/usr/lib64/openssl/engines/libpadlock.so
/usr/lib64/openssl/engines/libsureware.so
/usr/lib64/openssl/engines/libubsec.so
/usr/share/doc/openssl10-libs-1.0.1e
/usr/share/doc/openssl10-libs-1.0.1e/LICENSE
openssl-1.0.0-27.el6_4.2 binaries
/usr/bin/openssl
/usr/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libcrypto.so.10.hmac -> .libcrypto.so.1.0.0.hmac
/usr/lib64/.libssl.so.1.0.0.hmac
/usr/lib64/.libssl.so.10.hmac -> .libssl.so.1.0.0.hmac
/usr/lib64/libcrypto.so.1.0.0
/usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.0
/usr/lib64/libssl.so.1.0.0
/usr/lib64/libssl.so.10 -> libssl.so.1.0.0
/usr/lib64/openssl
/usr/lib64/openssl/engines
/usr/lib64/openssl/engines/lib4758cca.so
/usr/lib64/openssl/engines/libaep.so
/usr/lib64/openssl/engines/libatalla.so
/usr/lib64/openssl/engines/libcapi.so
/usr/lib64/openssl/engines/libchil.so
/usr/lib64/openssl/engines/libcswift.so
/usr/lib64/openssl/engines/libgmp.so
/usr/lib64/openssl/engines/libnuron.so
/usr/lib64/openssl/engines/libpadlock.so
/usr/lib64/openssl/engines/libsureware.so
/usr/lib64/openssl/engines/libubsec.so
Failure to use yum replace plugin
The openssl10 package conflicts with the standard openssl package, so it cannot be installed directly while openssl is installed.
# yum install openssl10
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openssl10.x86_64 0:1.0.1e-1.ius.el6 will be installed
--> Processing Dependency: openssl10-libs(x86-64) = 1.0.1e-1.ius.el6 for package: openssl10-1.0.1e-1.ius.el6.x86_64
--> Processing Dependency: make for package: openssl10-1.0.1e-1.ius.el6.x86_64
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: openssl10-1.0.1e-1.ius.el6.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: openssl10-1.0.1e-1.ius.el6.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: openssl10-1.0.1e-1.ius.el6.x86_64
--> Running transaction check
---> Package make.x86_64 1:3.81-20.el6 will be installed
---> Package openssl10-libs.x86_64 0:1.0.1e-1.ius.el6 will be installed
--> Processing Conflict: openssl10-1.0.1e-1.ius.el6.x86_64 conflicts openssl < 1.0.1
--> Finished Dependency Resolution
Error: openssl10 conflicts with openssl-1.0.0-27.el6_4.2.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
yum-plugin-replace
# yum install yum-plugin-replace
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.as24220.net
 * epel: ucmirror.canterbury.ac.nz
 * extras: mirror.as24220.net
 * ius: syd.mirror.rackspace.com
 * updates: mirror.as24220.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-replace.noarch 0:0.2.5-1.ius.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package                 Arch        Version               Repository      Size
=====================================================================================
Installing:
 yum-plugin-replace      noarch      0.2.5-1.ius.el6       ius             16 k

Transaction Summary
=====================================================================================
Install       1 Package(s)

Total download size: 16 k
Installed size: 33 k
yum replace openssl
# yum replace openssl --replace-with=openssl10
Loaded plugins: replace
Replacing packages takes time, please be patient...

WARNING: Unable to resolve all providers: ['config(openssl)', 'openssl(x86-64)']

This may be normal depending on the package. Continue? [y/N] y
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be erased
---> Package openssl10.x86_64 0:1.0.1e-1.ius.el6 will be installed
--> Processing Dependency: make for package: openssl10-1.0.1e-1.ius.el6.x86_64
---> Package openssl10-libs.x86_64 0:1.0.1e-1.ius.el6 will be installed
--> Running transaction check
---> Package make.x86_64 1:3.81-20.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package              Arch        Version                  Repository      Size
=====================================================================================
Installing:
 openssl10            x86_64      1.0.1e-1.ius.el6         ius            664 k
 openssl10-libs       x86_64      1.0.1e-1.ius.el6         ius            772 k
Removing:
 openssl              x86_64      1.0.0-27.el6_4.2         @updates       3.6 M
Installing for dependencies:
 make                 x86_64      1:3.81-20.el6            base           389 k

Transaction Summary
=====================================================================================
Install       3 Package(s)
Remove        1 Package(s)

Total download size: 1.8 M