In this post, you will learn how to manually update OpenSSL on Debian to 1.1.1t.
The latest OpenSSL Security Advisory (OpenSSL Security Advisory [7th February 2023]) reports a number of High Severity vulnerabilities that are resolved in OpenSSL 1.1.1t.
OpenSSL 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
A breakdown of these bugs can be found here.
Debian won’t update OpenSSL from 1.1.1n to 1.1.1t
FYI: OpenSSL and its fork, LibreSSL, both exist. If you use OpenSSL and cannot update to 1.1.1t in Debian, you may not be using OpenSSL.
When I check my OpenSSL version I get a report saying I have the older 1.1.1n installed 🙁
apt-cache policy openssl
openssl:
Installed: 1.1.1n-0+deb10u4
Candidate: 1.1.1n-0+deb10u4
Version table:
*** 1.1.1n-0+deb10u4 500
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1n-0+deb10u3 500
500 http://deb.debian.org/debian buster/main amd64 Packages
Debian won’t update to OpenSSL 1.1.1t
Running sudo apt-get update && sudo apt-get upgrade has no effect on updating OpenSSL 1.1.1n to 1.1.1t.
Finding the latest OpenSSL version source code
Read the latest OpenSSL change log and note the latest version (for me 1.1.1t was the latest).
Go to https://www.openssl.org/source/ and get the link to the latest source code (for me it was https://www.openssl.org/source/openssl-1.1.1t.tar.gz).
Manually update OpenSSL on Debian to 1.1.1t
First, perform a backup of your system.
Verify your local OpenSSL version
# identify your installed openssl
which openssl
# back up your local openssl binary (create the backup folder first)
mkdir -p ~/MyBackups
sudo mv /usr/bin/openssl ~/MyBackups/
Local Source Location for the new OpenSSL
Create a new folder to store the latest OpenSSL
mkdir -p ~/MyDownloads
cd ~/MyDownloads
Download the OpenSSL source code
Use wget to get the latest OpenSSL source code
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz
Extract the source code
Extract the tar file
tar -zxf openssl-1.1.1t.tar.gz
Making OpenSSL from code
Make the latest OpenSSL from source code
cd openssl-1.1.1t
./config
make test
Installing the latest OpenSSL
Install the latest OpenSSL
sudo make install
sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
sudo ldconfig
Verifying installation
Verify the latest installed version
openssl version
> OpenSSL 1.1.1t 7 Feb 2023
SSL Version Script
Handy script (opensshinfo.sh) to check OpenSSL version information
#!/bin/sh
echo "Debain Open SSL Source"
sudo apt-cache policy openssl
echo ""
echo "Installed Open SSL"
openssl version -a
Output
sudo bash /scripts/sslversion.sh
Debain Open SSL Source
openssl:
Installed: 1.1.1n-0+deb10u4
Candidate: 1.1.1n-0+deb10u4
Version table:
*** 1.1.1n-0+deb10u4 500
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1n-0+deb10u3 500
500 http://deb.debian.org/debian buster/main amd64 Packages
Installed Open SSL
OpenSSL 1.1.1t 7 Feb 2023
built on: Wed Feb 22 09:18:11 2023 UTC
platform: linux-x86_64
options: bn(64,64) rc4(8x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
OpenSSL 1.1.1t is installed 🙂
I will check often if I need to manually update OpenSSL on Debian to a newer version
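A check for the state this procedure leaves behind, where apt still reports 1.1.1n while the binary on the PATH is a self-built 1.1.1t with its own OPENSSLDIR. This is an added example, not part of the original post: the function names are hypothetical, the samples are constructed from the output shown above, and /usr/lib/ssl as the OPENSSLDIR of Debian's packaged build is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): flag an openssl binary that no
# longer matches the apt-managed package. All function names are hypothetical.

# Upstream version of the installed package ("1.1.1n" from
# "Installed: 1.1.1n-0+deb10u4"); reads `apt-cache policy openssl` on stdin.
pkg_version() {
    sed -n 's/^[[:space:]]*Installed:[[:space:]]*\([^-[:space:]]*\).*/\1/p' | head -n 1
}

# Version reported by the binary; reads `openssl version -a` on stdin.
bin_version() {
    sed -n 's/^OpenSSL \([^[:space:]]*\).*/\1/p' | head -n 1
}

# Directory the binary loads openssl.cnf and its CA certificates from.
openssl_dir() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p' | head -n 1
}

# check_drift POLICY_TEXT VERSION_TEXT: prints one finding per line.
check_drift() {
    pkg=$(printf '%s\n' "$1" | pkg_version)
    bin=$(printf '%s\n' "$2" | bin_version)
    dir=$(printf '%s\n' "$2" | openssl_dir)
    if [ "$pkg" = "$bin" ]; then
        echo "OK version=$bin"
    else
        echo "DRIFT version bin=$bin pkg=$pkg"
    fi
    # Assumption: Debian's packaged openssl is built with OPENSSLDIR=/usr/lib/ssl.
    if [ "$dir" = "/usr/lib/ssl" ]; then
        echo "OK dir=$dir"
    else
        echo "DRIFT dir=$dir"
    fi
}

# Constructed samples, taken from the output shown in the post.
SAMPLE_POLICY='openssl:
  Installed: 1.1.1n-0+deb10u4
  Candidate: 1.1.1n-0+deb10u4'
SAMPLE_VERSION='OpenSSL 1.1.1t 7 Feb 2023
platform: linux-x86_64
OPENSSLDIR: "/usr/local/ssl"'

if [ "${1:-}" = "--live" ]; then
    check_drift "$(apt-cache policy openssl)" "$(openssl version -a)"
else
    check_drift "$SAMPLE_POLICY" "$SAMPLE_VERSION"
fi
```

Run it with `--live` on the host to read the real `apt-cache policy openssl` and `openssl version -a` output. Debian stable backports security fixes without changing the upstream version string, so judge the package side from `apt-get changelog openssl` rather than from the 1.1.1n label.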
Stay safe