Openssl 1.1.1 Centos 7.8 to get TLS1.3

Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 14:22:18

Hello,

I would like to set TLS1.3 for nginx, so I've just installed the new EPEL package openssl11-libs.

But I still have the base package openssl.x86_64 1:1.0.2k-19.el7 (cf. image), which is still the default openssl version (# openssl version).

Can I remove openssl 1.0.2k? Will openssl11-libs become the new default, or do I have something to do?

And after that, is it possible to update nginx (I have version 1.18) (with the nginx repo, of course) with the new openssl 1.1.1?

Thank you in advance for your help

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by TrevorH » 2020/05/13 17:03:50

Can I remove openssl 1.0.2k ?
Only if you want to render your system unworkable.

The official RH position is that if you want TLS 1.3 then you should use RHEL 8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by chemal » 2020/05/13 18:32:04

The two openssl versions are incompatible, neither can replace the other. The nginx package from the official repo is linked against the system version of openssl.
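
Added example, not part of chemal's post: one way to check which OpenSSL ABI a binary such as nginx is dynamically linked against, by reading the libssl soname from `ldd` output. The sonames (libssl.so.10 for the CentOS 7 system openssl 1.0.2k, libssl.so.1.1 for OpenSSL 1.1.x such as openssl11-libs), the function names and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed sonames:
#   libssl.so.10  -> CentOS 7 system openssl-libs (1.0.2k)
#   libssl.so.1.1 -> OpenSSL 1.1.x, e.g. EPEL openssl11-libs

# Read `ldd` output on stdin, print the first libssl soname (empty if none).
libssl_soname() {
    awk '$1 ~ /^libssl\.so/ { print $1; exit }'
}

# Map a soname to whether TLS 1.3 can work for that binary.
tls13_verdict() {
    case "$1" in
        libssl.so.10)  echo "no" ;;        # 1.0.x ABI: no TLS 1.3 support
        libssl.so.1.1) echo "possible" ;;  # 1.1.x ABI: TLS 1.3 needs 1.1.1, not 1.1.0
        *)             echo "unknown" ;;   # static build, other TLS library, or no TLS
    esac
}

# Combine both steps for ldd output on stdin.
report() {
    soname=$(libssl_soname)
    echo "${soname:-none} tls13=$(tls13_verdict "$soname")"
}

# Constructed sample: a binary linked against the system OpenSSL.
SAMPLE_SYSTEM='    linux-vdso.so.1 =>  (0x00007ffc00000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000200000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# Constructed sample: a binary rebuilt against openssl11-libs.
SAMPLE_OPENSSL11='    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000200000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000000000)'

printf '%s\n' "$SAMPLE_SYSTEM"    | report
printf '%s\n' "$SAMPLE_OPENSSL11" | report

# On a real host: ldd "$(command -v nginx)" | report
```

A result of `none tls13=unknown` means no dynamic libssl dependency was found, which is also what a statically linked build would show.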

Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 19:47:39

Thank you for your replies.

Unfortunately, it remains painful to upgrade to Centos 8.

In my mind, there is no easy way to do it and I have to reinstall all my server and applications, a big work I'm not ready to do until my hardware fails.

Perhaps you know an easy way to upgrade without destroying all my data and applications?

Thank you in advance for your advice
Last edited by Tofou17 on 2020/05/13 20:38:19, edited 1 time in total.

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by chemal » 2020/05/13 20:30:27

Epel's openssl11 package is quite new. I didn't even know about it. The only packages in epel that already use it are opensmtpd and rpki-client. You could suggest a rebuild of epel's nginx via bugzilla.

Tofou17
Posts: 3
Joined: 2020/05/13 14:12:34

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by Tofou17 » 2020/05/13 20:39:06

Thank you chemal for your suggestion.

bheesham
Posts: 2
Joined: 2020/06/23 13:51:29

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by bheesham » 2020/06/23 14:43:35

Any updates on this? OpenSSL 1.1.1 is not taking as latest on Centos7.7

I installed the package from EPEL Repo

[root@server ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@server ~]# rpm -qa | grep openssl
openssl11-1.1.1c-2.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl11-libs-1.1.1c-2.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-devel-1.0.2k-19.el7.x86_64
openssl098e-0.9.8e-29.el7.centos.3.x86_64
[root@server ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by TrevorH » 2020/06/23 15:38:00

The package from EPEL is not a replacement for the system openssl.

For the system openssl, it's entirely up to Red Hat as to whether they rebase it to 1.1.x but I suspect it's incredibly unlikely given that last time they rebased openssl (CentOS 6.5, Dec 2013) they broke so many things very badly. It was not a good experience.

bheesham
Posts: 2
Joined: 2020/06/23 13:51:29

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by bheesham » 2020/07/06 10:50:28

Any suggestions on how to upgrade OpenSSL 1.1.1 on CentOS 7.7? We wanted to disable weak ciphers at the CentOS operating system level. With this current version, we need to manage these things through services like Apache/Nginx or any other application services.

Please advise !

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Openssl 1.1.1 Centos 7.8 to get TLS1.3

Post by tunk » 2020/07/06 12:25:33

If you're concerned about security, then you may want to update to 7.8.
