SSL/TLS深度解析--OpenSSL 升级到最新版本

OpenSSL下载地址

OpenSSL 1.1.1

现有版本

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core) 
[root@localhost ~]# uname -r
3.10.0-862.11.6.el7.x86_64
[root@localhost ~]# openssl version -v
OpenSSL 1.0.2k-fips 26 Jan 2017

升级到新版本

[root@localhost software]# tar xf openssl-1.1.1.tar.gz
[root@localhost software]# cd openssl-1.1.1/
[root@localhost openssl-1.1.1]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl enable-ec_nistp_64_gcc_128
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1 (0x1010100fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
*** ***
*** If you want to report a building issue, please include the ***
*** output from this command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
**********************************************************************
# enable-ec_nistp_64_gcc_128可以让我们使用优化后的一些常用的椭圆曲线算法，这个优化基于编译器的一些特性，默认情况下会关闭这些特性，而且无法自动检测。

[root@localhost openssl-1.1.1]# make
[root@localhost openssl-1.1.1]# make install
[root@localhost openssl-1.1.1]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@localhost openssl-1.1.1]# mv /usr/include/openssl /usr/include/openssl.bak
[root@localhost openssl-1.1.1]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1]# ldd $(which openssl)
        linux-vdso.so.1 =>  (0x00007ffe2b391000)
        libssl.so.1.1 => not found
        libcrypto.so.1.1 => not found
        libz.so.1 => /lib64/libz.so.1 (0x00007f709695e000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f709675a000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f709653e000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f7096171000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f70972eb000)
[root@localhost openssl-1.1.1]# echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1]# ldconfig
[root@localhost openssl-1.1.1]# ldd $(which openssl)    
        linux-vdso.so.1 =>  (0x00007fff082be000)
        libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x00007fdd78f88000)
        libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x00007fdd78a82000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fdd7886c000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fdd78668000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdd7844c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fdd7807f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fdd79219000)
[root@localhost openssl-1.1.1]# openssl version -a
OpenSSL 1.1.1  11 Sep 2018
built on: Sat Oct 20 07:24:19 2018 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/openssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific

• /lib /lib64是内核级的
• /usr/lib /usr/lib64是系统级的
• /usr/local/lib /usr/local/lib64是用户级的

转载于:https://blog.51cto.com/stuart/2298793