Upgrade OpenSSL to The Latest Version in cPanel

Upgrading OpenSSL is actually something that has a risk factor because it is linked to so many other services. So you have to do it safely and without affecting anything. I have tested several methods, and here is the easy way to do this.

My current SSL version.

-bash-4.1# openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Mar 4 22:19:53 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: aesni dynamic

When upgrading, you have to make sure that the “OPENSSLDIR” and the “options” must be the same. No issues if the newer version has more options, but the existing options are a must.

So let’s upgrade. The easy method that I mentioned is given below.

Install “Axivo” repo.

-bash-4.1# rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Retrieving http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
Preparing... ########################################### [100%]
1:axivo-release ########################################### [100%]

This repository has the latest OpenSSL version that is “OpenSSL 1.0.1e”. You just need to update the existing package using “Yum”. One thing I love about “yum update” is that it will update the current version without changing the path, or other environment variables. So it is entirely safe to use other than doing a manual upgrade. Just execute the below command, and that will do the trick.

-bash-4.1# yum --enablerepo=axivo update openssl

That’s it! Now check your OpenSSL version.

-bash-4.1# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 25 19:36:42 EDT 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -m64 -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax dynamic

See! Now you are having the latest OpenSSL version.