Updating OpenSSL latest and greatest version in Ubuntu 20.04 and 18.04

Bruno Osiek
7 min read · Aug 27, 2019

UPDATED (September 2nd. 2020)

A year has passed since I published this story. Since then Ubuntu 20.04 was released and OpenSSL's newest version was published on August 6th 2020. Basically the only thing I changed in this story was the letter that references the OpenSSL 1.1.1 series, i.e. changing the letter ‘c’ in the original version to the letter ‘g’ in the commands of the updated one. While these changes are reflected in the commands, the pictures illustrating the results of these commands remain unaltered. Enjoy your reading!

If you use the SSL/TLS protocol in your application, or are about to, the recommendation is to keep OpenSSL updated. This is especially true not only because of the role it plays in issuing certificates, but also after the lessons learned with Heartbleed.

Ubuntu 20.04.1 (the latest 20.04 update as of September 2020) comes with “OpenSSL 1.1.1 31 Mar 2020” installed and Ubuntu 18.04.03 (the latest 18.04 update as of August 2019) ships with “OpenSSL 1.1.1 11 Sep 2018”. At this moment the latest version in the OpenSSL 1.1.1 series is 1.1.1g, released on Aug 6th 2020.

In this story I will guide the reader through this update without breaking interoperability with existing applications that depend on OpenSSL.

I assume the reader is familiar with bash commands and, of course, that the update will be done on an Ubuntu 20.04 or 18.04 box. While I cannot see any reason this procedure should not work on Ubuntu 16.04 (if you do, please let me know), it was not tested.

The first thing to do is to check what version is installed:

$ openssl version

In my case “OpenSSL 1.1.1 20 Mar 2020” was the result.

Step 1: Download openssl-1.1.1g from here and save it into the ~/Downloads directory:

$ cd ~/Downloads
$ wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

Step 2: Check for corruption by comparing the SHA256 checksum from here with the computed checksum of the downloaded tarball (the .sha256 file holds only the digest, so the command builds the “digest  filename” line that sha256sum expects):

$ wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256
$ echo "$(cat openssl-1.1.1g.tar.gz.sha256)  openssl-1.1.1g.tar.gz" | sha256sum --check

In the image below the above commands are underlined in yellow and the checksum result (OK in this case) is underlined in green:

Step 3: Check the downloaded tarball's signature

Before installing the content of the downloaded tarball we will verify its signature using the GnuPG shipped with Ubuntu (which can be trusted, as mentioned at GnuPG).

At the OpenSSL download page we find the following information: “PGP keys for the signatures are available from the OMC page. Current members that sign releases include Richard Levitte and Matt Caswell.” Following the link to the OMC page we reach the members' public keys. The next step is thus to download the required keys (one into levitte.txt and the other into caswell.txt) and import them into the GnuPG database. Using curl:

$ curl 'http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C' > levitte.txt
$ curl 'http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x8657ABB260F056B1E5190839D9C4D26D0E604491' > caswell.txt

To trust these signatures it is good practice to verify the certificate of the domain (figure below). Using the Security tab within Google Chrome's Developer Tools, one can validate that the issuer “Let's Encrypt Authority X3” (trusted by the browser) issued the certificate to the domain www.openssl.org, meaning that this is a Domain Validation certificate, enabling anyone to trust the downloaded signatures.

Both keys are imported and then listed as below:

$ gpg --import caswell.txt
$ gpg --import levitte.txt
$ gpg --list-keys

The next illustration contains the outcome of the above commands, underlined in yellow:

The above keys need to be marked as trusted within the GnuPG database. This is achieved by opening the editor for each key and marking it as trusted, after checking its fingerprint. Below I exemplify this procedure only for Levitte's key, the signing member's:

$ gpg --edit-key levitte@openssl.org

Underlined in yellow are the commands to check the key's fingerprint (fpr), mark it as trusted (trust), assign a level of trustworthiness (5) and confirm the decision (y). To leave this editor type ‘quit’. Sorry that the fonts above are too small, but I wanted all commands showing in just one screenshot. Zooming in will help reading it.

With trusted keys in our GnuPG database it is possible to check the downloaded file's signature, provided we have its detached signature file. The following command downloads it, saving it as signature.asc:

$ curl https://www.openssl.org/source/openssl-1.1.1g.tar.gz.asc > signature.asc

Finally, let's validate the signature as follows:

$ gpg --verify signature.asc openssl-1.1.1g.tar.gz

The desired result is shown next, meaning that the downloaded tarball is the original one signed by OpenSSL member “Richard Levitte”:
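As an added example (not part of the original post), here is a small POSIX shell wrapper for Steps 2 and 3 that fails closed: the .sha256 file from openssl.org holds only the digest, so it builds the line sha256sum expects, and because gpg --verify exits 0 for any good signature even from a key you have not marked trusted, it pins the two signer fingerprints taken from the key URLs above. The names OPENSSL_SIGNERS, check_sha256, sig_is_trusted, check_signature and verify_release are chosen here, not taken from the post or from OpenSSL.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed verification of an
# OpenSSL 1.1.1 release tarball against its .sha256 and .asc files.
# gpg --verify exits 0 for any good signature, even from an untrusted key
# (it only prints a WARNING), so this pins the signer fingerprints instead.
set -u

# Fingerprints of the two release signers' keys that the post imports.
OPENSSL_SIGNERS="7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 8657ABB260F056B1E5190839D9C4D26D0E604491"

# check_sha256 TARBALL SUMFILE
# The .sha256 file on openssl.org holds only the hex digest, so build the
# "digest  filename" line sha256sum expects and let it do the comparison.
check_sha256() {
    digest=$(tr -d '[:space:]' < "$2")
    # Reject anything that is not a 64-char hex digest (e.g. a saved HTML error page).
    case "$digest" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s  %s\n' "$digest" "$1" | sha256sum --check --status
}

# sig_is_trusted < GPG_STATUS_OUTPUT
# Reads "gpg --status-fd 1" output; succeeds only on a VALIDSIG line whose
# signing-key or primary-key fingerprint is one of the pinned signers.
sig_is_trusted() {
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix $keyword" = "[GNUPG:] VALIDSIG" ] || continue
        primary=${rest##* }              # last field: primary key fingerprint
        for signer in $OPENSSL_SIGNERS; do
            if [ "$fpr" = "$signer" ] || [ "$primary" = "$signer" ]; then
                return 0
            fi
        done
    done
    return 1
}

# check_signature TARBALL SIGFILE
check_signature() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_is_trusted
}

# verify_release TARBALL: expects TARBALL.sha256 and TARBALL.asc beside it.
verify_release() {
    check_sha256 "$1" "$1.sha256" && check_signature "$1" "$1.asc"
}
```

Run `verify_release openssl-1.1.1g.tar.gz` in ~/Downloads after saving the signature as openssl-1.1.1g.tar.gz.asc; a non-zero exit means the archive must not be installed.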

Step 4: Install OpenSSL

The procedure that follows is based on the one posted at Ubuntu's community knowledge base “Ask Ubuntu”, which can be found here. The main differences are:

  1. Ubuntu 18.04 doesn't recognize the environment variable LD_LIBRARY_PATH, so ldconfig is used instead;
  2. The directory entry /usr/bin/openssl becomes a symbolic link to /opt/openssl/bin/openssl; and
  3. A symbolic link to /etc/ssl/certs is created, enabling use of the default trusted certificate authorities.

We will install the new version at /opt/openssl. To do that we need to create the directory and change into it:

$ sudo mkdir /opt/openssl
$ cd /opt/openssl

Before proceeding, verify that Perl, GCC and Make are properly installed by checking their versions. On an Ubuntu 20.04 or 18.04 desktop these tools are installed by default:

$ perl --version
$ gcc --version
$ make --version

Should you need them, these applications are in the Ubuntu repositories and can be installed via APT.

Extract the downloaded tarball into this directory:

$ sudo tar xfzv ~/Downloads/openssl-1.1.1g.tar.gz --directory /opt/openssl
$ cd openssl-1.1.1g

Execute the following command to create the Makefile:

$ sudo ./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl

Here /opt/openssl is the installation directory and /opt/openssl/ssl is the directory where OpenSSL will store certificates and private keys. The outcome should look like the one below:

Run the Makefile (this will take some time) and then install:

$ sudo make
$ sudo make install

The new OpenSSL version 1.1.1g is installed. But right now there are two installations: the original and this one. I won't delete the original, only set the new one as the default.

Backup the original by:

$ sudo mv /usr/bin/openssl /usr/bin/openssl.old

In the literature there are references to applications that expect openssl to be in the original directory. To maintain compatibility, and to avoid altering the PATH environment variable, we will create a symbolic link /usr/bin/openssl pointing to /opt/openssl/bin/openssl:

$ sudo ln -s /opt/openssl/bin/openssl /usr/bin/openssl
$ ls -lisah /usr/bin/openssl

The last command should return:

OpenSSL needs the correct versions of libssl.so.1.1 and libcrypto.so.1.1 to work properly, so these files need to be loaded before Ubuntu's original ones (which live in /usr/lib/x86_64-linux-gnu/). In Ubuntu 20.04 and 18.04 this is not done by setting the environment variable LD_LIBRARY_PATH. Instead one has to create a configuration file and store it in the directory /etc/ld.so.conf.d. To do this, change directory to /etc/ld.so.conf.d and create the file openssl.conf with the following content:

/opt/openssl/lib

The end result should look like:

To update the cache run:

$ sudo ldconfig

To verify that everything is correct execute:

$ which openssl
$ openssl version
$ openssl

The results should be:

Reboot your system to make things permanent and execute the last three commands again, expecting, obviously, the same outcome.

By now you have OpenSSL new version installed and working correctly. But if you try to download any of the previous files, for instance openssl-1.1.1g.tar.gz, you will get the following error:

This error is to be expected. The Certificate Authority “Let's Encrypt Authority X3” that issued the server certificate is not in OpenSSL's certificate and private key directory (/opt/openssl/ssl). If this is the desired behavior, skip what follows; you have OpenSSL 1.1.1g completely installed.

If this is not the desired behavior, you have two options: copy all certificates in /etc/ssl/certs/ to /opt/openssl/ssl/certs; or create symbolic links in /opt/openssl/ssl/certs pointing to the files in /etc/ssl/certs/ (my choice).

$ sudo ln -s /etc/ssl/certs/*.* /opt/openssl/ssl/certs/

Downloading openssl-1.1.1g.tar.gz again, we get the desired behavior:

Now all you need is to enjoy your Ubuntu 20.04 or 18.04 box running OpenSSL's latest and greatest version as of August 2020, 1.1.1g.