Openssl 1.1.1 Centos 7.8 to get TLS1.3

Issues related to applications and software problems
Post Reply
Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 14:22:18

Hello,

I would like to set TLS1.3 for ningx, so I've just intalled the new EPEL package openssl11-libs

But I've still the base package openssl.x86_64 1:1.0.2k-19.el7 (cf. image), which is still the default openssl version ( # openssl version)

Can I remove openssl 1.0.2k ? openssl11-libs will become the new default or I have something to do ?

And after that, is it possible to update nginx (I have version 1.18) (with nginx repo of course) with the new openssl 1.1.1 ?

Thank you in advance for your help
Attachments
Capture.PNG
Capture.PNG (6.64 KiB) Viewed 758 times

User avatar
TrevorH
Forum Moderator
Posts: 28827
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by TrevorH » 2020/05/13 17:03:50

Can I remove openssl 1.0.2k ?
Only if you want to render your system unworkable.

The offical RH position is that if you want TLS 1.3 then you should use RHEL 8.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

chemal
Posts: 672
Joined: 2013/12/08 19:44:49

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by chemal » 2020/05/13 18:32:04

The two openssl versions are incompatible, neither can replace the other. The nginx package from the official repo is linked against the system version of openssl.

Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 19:47:39

Thank you for your replies.

Unfortunately, it remains painful to upgrade to Centos 8.

In my mind, there is no easy way to do it and I have to reinstall all my server and applications, a big work Im' not ready to do until my hardware fail.

Perhaps you know a easy way to upgrade without destroy all my data and applications ?

Thank you in advance for yours advices
Last edited by Tofou17 on 2020/05/13 20:38:19, edited 1 time in total.

chemal
Posts: 672
Joined: 2013/12/08 19:44:49

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by chemal » 2020/05/13 20:30:27

Epel's openssl11 package is quite new. I didn't even know about it. The only packages in epel that already use it are opensmtpd and rpki-client. You could suggest a rebuild of epel's nginx via bugzilla.

Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 20:39:06

Thank you chemal for your suggestion.

bheesham
Posts: 1
Joined: 2020/06/23 13:51:29

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by bheesham » 2020/06/23 14:43:35

Any updates on this? OpenSSL 1.1.1 is not taking as latest on Centos7.7

I installed the package from EPEL Repo

[root@server ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@server ~]# rpm -qa | grep openssl
openssl11-1.1.1c-2.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl11-libs-1.1.1c-2.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-devel-1.0.2k-19.el7.x86_64
openssl098e-0.9.8e-29.el7.centos.3.x86_64
[root@server ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

User avatar
TrevorH
Forum Moderator
Posts: 28827
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by TrevorH » 2020/06/23 15:38:00

The package from EPEL is not a replacement for the system openssl.

For the system openssl, it's entirely up to Red Hat as to whether they rebase it to 1.1.x but I suspect it's incredibly unlikely given that last time they rebased openssl (CentOS 6.5, Dec 2013) they broke so many things very badly. It was not a good experience.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Software Support”