Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 14:22:18
by Tofou17
Hello,

I would like to set TLS1.3 for nginx, so I've just installed the new EPEL package openssl11-libs

But I still have the base package openssl.x86_64 1:1.0.2k-19.el7 (cf. image), which is still the default openssl version ( # openssl version)

Can I remove openssl 1.0.2k? Will openssl11-libs become the new default, or do I have something to do?

And after that, is it possible to update nginx (I have version 1.18) (with nginx repo of course) with the new openssl 1.1.1 ?

Thank you in advance for your help

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 17:03:50
by TrevorH
> Can I remove openssl 1.0.2k ?

Only if you want to render your system unworkable.

The official RH position is that if you want TLS 1.3 then you should use RHEL 8.

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 18:32:04
by chemal
The two openssl versions are incompatible, neither can replace the other. The nginx package from the official repo is linked against the system version of openssl.
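
An added example, not part of the thread: a shell check that reads the text printed by `nginx -V 2>&1` and reports whether that binary was built against OpenSSL 1.1.1 or later, the minimum for TLS 1.3. The function names are hypothetical and both sample outputs are constructed; it assumes the "built with OpenSSL" line is the version that matters.

```shell
#!/bin/sh
# Usage on a real host: nginx_tls13_status "$(nginx -V 2>&1)"

# Constructed sample: a build linked against the system OpenSSL 1.0.2k.
SAMPLE_SYSTEM='nginx version: nginx/1.18.0
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# Constructed sample: a hypothetical rebuild against OpenSSL 1.1.1c.
SAMPLE_REBUILT='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled'

# Print the OpenSSL version nginx was built with, e.g. "1.0.2k-fips".
nginx_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the version string is OpenSSL 1.1.1 or later, 1 otherwise.
openssl_supports_tls13() {
    ver=${1%%-*}                          # drop a "-fips" style suffix
    case $ver in *.*.*) ;; *) return 1 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}               # "2k" -> "2", "1c" -> "1"
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Summarise the result for one `nginx -V` output.
nginx_tls13_status() {
    v=$(nginx_openssl_version "$1")
    if [ -z "$v" ]; then
        echo "unknown (no OpenSSL build line found)"
    elif openssl_supports_tls13 "$v"; then
        echo "tls13-capable (built with OpenSSL $v)"
    else
        echo "no-tls13 (built with OpenSSL $v)"
    fi
}

nginx_tls13_status "$SAMPLE_SYSTEM"
nginx_tls13_status "$SAMPLE_REBUILT"
```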

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 19:47:39
by Tofou17
Thank you for your replies.

Unfortunately, it remains painful to upgrade to Centos 8.

In my mind, there is no easy way to do it and I have to reinstall all my server and applications, a big work I'm not ready to do until my hardware fails.

Perhaps you know an easy way to upgrade without destroying all my data and applications?

Thank you in advance for your advice

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 20:30:27
by chemal
Epel's openssl11 package is quite new. I didn't even know about it. The only packages in epel that already use it are opensmtpd and rpki-client. You could suggest a rebuild of epel's nginx via bugzilla.

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/05/13 20:39:06
by Tofou17
Thank you chemal for your suggestion.

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/06/23 14:43:35
by bheesham
Any updates on this? OpenSSL 1.1.1 is not taking as latest on Centos7.7

I installed the package from EPEL Repo

[root@server ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@server ~]# rpm -qa | grep openssl
openssl11-1.1.1c-2.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl11-libs-1.1.1c-2.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-devel-1.0.2k-19.el7.x86_64
openssl098e-0.9.8e-29.el7.centos.3.x86_64
[root@server ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/06/23 15:38:00
by TrevorH
The package from EPEL is not a replacement for the system openssl.

For the system openssl, it's entirely up to Red Hat as to whether they rebase it to 1.1.x but I suspect it's incredibly unlikely given that last time they rebased openssl (CentOS 6.5, Dec 2013) they broke so many things very badly. It was not a good experience.

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/07/06 10:50:28
by bheesham
Any suggestions on how to upgrade OpenSSL1.1.1 on Centos7.7? We wanted to disable weak ciphers at CentOS Operating System level. With this current version, we need to manage these things through services like Apache/Nginx or any other application services.

Please advise!

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Posted: 2020/07/06 12:25:33
by tunk
If you're concerned about security, then you may want to update to 7.8.