How do I install and build against OpenSSL 1.0.0 on Ubuntu?

梦谈多话 2020-12-15 09:46

You can consider this a follow-up question to How do I install the OpenSSL C++ library on Ubuntu?

I'm trying to build some code on Ubuntu 10.04 LTS that requires Op

3 answers
  • 2020-12-15 10:08

    Here's what solved it for me: Upgrade latest version OpenSSL on Ubuntu

    Transcribing the main information:

    Download the OpenSSL v1.0.0g source:
    
    $ wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz
    
    Unpack the archive and install:
    
    $ tar xzvf openssl-1.0.0g.tar.gz
    $ cd openssl-1.0.0g
    $ ./config
    $ make
    $ make test
    $ sudo make install
    
    All files, including binaries and man pages, are installed under the directory /usr/local/ssl. To ensure users use this version of OpenSSL instead of the previous version, you must update the paths for man pages and binaries.
    
    Edit the file /etc/manpath.config adding the following line before the first MANPATH_MAP:
    
    MANPATH_MAP     /usr/local/ssl/bin      /usr/local/ssl/man
    
    Update the man database (I honestly can't remember and don't know for sure if this command was necessary - maybe try without it and at the end when testing if the man pages are still the old versions come back and run mandb):
    
    sudo mandb
    
    Edit the file /etc/environment and insert the path for OpenSSL binaries (/usr/local/ssl/bin) before the path for Ubuntu's version of OpenSSL (/usr/bin). My environment file looks like this:
    
    PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
    
    Log out and log in and test:
    
    $ openssl version
    OpenSSL 1.0.0g 18 Jan 2012
    
    Also test the man pages by running man openssl and at the very bottom in the left hand corner it should report 1.0.0g.
    
    Note that although the users will now automatically use the new version of OpenSSL, existing programs (e.g. Apache) may not as they are linked against the libraries from the Ubuntu version.
    
    0 Comments (0)
  • 2020-12-15 10:16

    Get the 1.0.0a source from here.

    $ tar -xf openssl-1.0.0a.tar.gz
    $ cd openssl-1.0.0a
    $ ./config
    $ sudo make install
    

    This puts it in /usr/local/ssl by default

    When you build, you need to tell gcc to look for the headers in /usr/local/ssl/include and link with libs in /usr/local/ssl/lib. You can specify this by doing something like:

    gcc test.c -o test -I/usr/local/ssl/include -L/usr/local/ssl/lib -lssl -lcrypto
    

    EDIT DO NOT overwrite any system libraries. It's best to keep new libs in /usr/local. Overwriting Ubuntu defaults can be hazardous to your health and break your system.

    Additionally, I was wrong about the paths as I just tried this in Ubuntu 10.04 VM. Fixed.

    Note, there is no need to change LD_LIBRARY_PATH since the openssl libs you link against by default are static libs (at least by default - there might be a way to configure them as dynamic libs in the ./config step)

    You may need to link against libcrypto because you are using some calls that are built and defined in the libcrypto package. Openssl 1.0.0 actually builds two libraries, libcrypto and libssl.

    EDIT 2 Added -lcrypto to gcc line.

    0 Comments (0)
  • 2020-12-15 10:28

    Instead of:

        $ ./config
        $ make
        $ make test
        $ make install
    

    Do:

        $ sudo ./config --prefix=/usr
        $ sudo make
        $ sudo make test
        $ sudo make install
    

    This will help you update to openssl 1.0.1g to patch for CVE-2014-0160 (Heartbleed).

    OpenSSL Security Advisory [07 Apr 2014]

    TLS heartbeat read overrun (CVE-2014-0160)

    A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

    Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

    Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

    Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

    1.0.2 will be fixed in 1.0.2-beta2.

    Source: https://www.openssl.org/news/secadv_20140407.txt

    0 Comments (0)
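
A check that combines the affected releases listed in the advisory quoted in the last answer with the first answer's note that several OpenSSL installs can coexist on one machine. This is an added example, not code from any of the answers; the function names `heartbleed_status` and `audit_openssl_bins` are hypothetical, and all sample banners except the 1.0.0g one are constructed.

```sh
#!/bin/sh
# Added example: classify `openssl version` banners against the ranges quoted
# from the 07 Apr 2014 advisory (1.0.1 through 1.0.1f and 1.0.2-beta1).

# heartbleed_status BANNER -> affected | fixed | not-listed | unknown
heartbleed_status() {
    # Field 2 of "OpenSSL 1.0.1f 6 Jan 2014" is the version. Banners from
    # other vendors (e.g. LibreSSL) are outside the advisory: "unknown".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                            echo unknown ;;
        1.0.1|1.0.1-*)                 echo affected ;;   # base release, -fips etc.
        1.0.1[abcdef]|1.0.1[abcdef]-*) echo affected ;;   # letters a..f
        1.0.2-beta1|1.0.2-beta1-*)     echo affected ;;
        1.0.1?*|1.0.2*)                echo fixed ;;      # 1.0.1g+, 1.0.2-beta2+
        *)                             echo not-listed ;; # e.g. the 1.0.0 branch
    esac
}

# audit_openssl_bins: classify each openssl binary a user or script may hit.
# Paths are the two named on this page plus whatever PATH resolves first.
audit_openssl_bins() {
    first=$(command -v openssl 2>/dev/null || true)
    for bin in "$first" /usr/local/ssl/bin/openssl /usr/bin/openssl; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null || true)
        printf '%-30s %-30s %s\n' "$bin" "$banner" "$(heartbleed_status "$banner")"
    done
}

# Sample banners: the first is the output shown in the first answer; the
# others are constructed for illustration.
for b in "OpenSSL 1.0.0g 18 Jan 2012" "OpenSSL 1.0.1f 6 Jan 2014" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-34s %s\n' "$b" "$(heartbleed_status "$b")"
done
audit_openssl_bins
```

The banner is the upstream version string: a distribution package can carry a backported fix without changing it, so an "affected" result is a prompt to check the package changelog. It also says nothing about services such as Apache, which use whichever libssl they are linked against rather than the CLI found on PATH.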