
1. Introduction

Securing data in transit is crucial. OpenSSL, a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, provides the cryptography that protects such data.

Many applications and services use OpenSSL to establish encrypted connections, verify digital certificates, and ensure data integrity. Regular OpenSSL updates typically bring security patches for newly discovered vulnerabilities, performance improvements, new features, and compatibility updates for evolving security standards. Therefore, it’s crucial to keep OpenSSL upgraded.

When upgrading OpenSSL, it’s generally safer to first uninstall the current version before installing the new one. This helps prevent issues like leftover configuration files, incompatible components, or incomplete removal of deprecated features, which can occur when installing over an existing version.

In this tutorial, we explore how to safely upgrade the OpenSSL library on Debian. All instructions have been tested on Debian 11.

2. Current Environment Analysis and Preparation

Before initiating the OpenSSL upgrade, it’s usually best to assess and prepare the current environment.

2.1. Check Version

Let’s begin by updating the package repository using the apt update command:

$ sudo apt update

After that, we check the currently installed version of OpenSSL on the Debian machine using the openssl version command:

$ openssl version
OpenSSL 1.1.1n  15 Mar 2022 (Library: OpenSSL 1.1.1w  11 Sep 2023)

As shown above, the openssl command-line tool is an older version (1.1.1n), while the libssl library it is linked against is already 1.1.1w, the latest version currently available from the package repository. Therefore, it’s critical to perform the upgrade.
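The output above has two version numbers: the first is the openssl command-line tool, the part in parentheses is the shared library it loaded. As an added example (not part of the original article), the shell functions below parse such a line and flag the mismatch; the sample strings are constructed from the outputs shown in this article. Note that the 1.1.1 build omits the parenthesised part when both versions agree (see the output in section 3.2), whereas the 3.3.2 build in section 4.4 prints it regardless, so the parser treats a missing part as "same as the tool".

```shell
#!/bin/sh
# Added example, not part of the original article: parse the output of
# `openssl version` and flag the case shown above, where the openssl
# command-line tool (1.1.1n) is older than the libssl it is linked against
# (1.1.1w). The sample strings are constructed from the article's output.

# Print the version of the command-line tool from an `openssl version` line,
# e.g. "OpenSSL 1.1.1n  15 Mar 2022 (Library: ...)" -> "1.1.1n".
cli_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p'
}

# Print the version of the linked library from the "(Library: ...)" part.
# When that part is absent (OpenSSL 1.1.1 omits it if both agree), the
# library version equals the tool version.
lib_version() {
    case "$1" in
        *"(Library: OpenSSL "*)
            printf '%s\n' "$1" | sed -n 's/.*(Library: OpenSSL \([^ ]*\).*/\1/p' ;;
        *)
            cli_version "$1" ;;
    esac
}

# Succeed (exit 0) when tool and library versions agree, fail (1) otherwise.
versions_match() {
    [ "$(cli_version "$1")" = "$(lib_version "$1")" ]
}

# One-line verdict for a version string, suitable for a pre-upgrade check.
describe() {
    if versions_match "$1"; then
        printf 'OK: tool and library are both %s\n' "$(cli_version "$1")"
    else
        printf 'MISMATCH: tool is %s, library is %s\n' \
            "$(cli_version "$1")" "$(lib_version "$1")"
    fi
}

# Constructed sample, copied from the output shown in the article.
SAMPLE='OpenSSL 1.1.1n  15 Mar 2022 (Library: OpenSSL 1.1.1w  11 Sep 2023)'
describe "$SAMPLE"

# Check the locally installed openssl too, if there is one.
if command -v openssl >/dev/null 2>&1; then
    describe "$(openssl version)"
fi
```

Run as-is, the script prints the verdict for the constructed sample and then for the openssl found on the current PATH, which makes it a quick pre-upgrade check that the tool and the library it loads are in step.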

2.2. Simple Backups

As a precaution, let’s back up the currently installed openssl binary. We can confirm its location with the which command:

$ which openssl
/usr/bin/openssl

Then, we create a backup directory named bak in our home directory and move the openssl binary into it:

$ sudo mkdir ~/bak
$ sudo mv /usr/bin/openssl ~/bak

Now, we can go ahead and remove the existing OpenSSL package along with its configuration files using apt purge:

$ sudo apt purge openssl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  ca-certificates* openssl*
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 1,897 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 54240 files and directories currently installed.)
Removing ca-certificates (20210119) ...
...

Notably, this also removes the ca-certificates package. Hence, we might need to reinstall it later when performing the upgrade.

Additionally, let’s use the autoremove command to remove packages that were installed only to satisfy dependencies of the OpenSSL package and are no longer needed:

$ sudo apt autoremove

Thus, the environment is now ready for an upgrade.

3. Reinstalling via apt

The environment is now ready for a new clean OpenSSL installation.

3.1. Performing the Installation

If we try updating the package lists again with apt update, we get an SSL/TLS certificate verification error:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. 
Could not handshake: Error in the certificate verification.
...

However, we can fix this by simply reinstalling the ca-certificates package, which installs the latest OpenSSL package as a dependency:

$ sudo apt install ca-certificates
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssl
The following NEW packages will be installed:
  ca-certificates openssl
0 upgraded, 2 newly installed, 0 to remove and 45 not upgraded.
Need to get 158 kB/1,017 kB of archives.
After this operation, 1,897 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
...
Setting up openssl (1.1.1w-0+deb11u1) ...
Setting up ca-certificates (20210119) ...
...

Based on the output above, openssl (1.1.1w-0+deb11u1) has been installed alongside the ca-certificates package.

3.2. Verify Upgrade

Of course, we can verify the upgrade by checking the openssl version:

$ openssl version
OpenSSL 1.1.1w  11 Sep 2023

Finally, we confirm this is the latest version by checking the available OpenSSL versions in the repository:

$ sudo apt-cache policy openssl
openssl:
  Installed: 1.1.1w-0+deb11u1
  Candidate: 1.1.1w-0+deb11u1
  Version table:
 *** 1.1.1w-0+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1n-0+deb11u5 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        500 https://deb.debian.org/debian-security bullseye-security/main amd64 Packages

Thus, we see that the installed version matches the candidate, i.e., the latest package version, 1.1.1w.

4. Reinstalling From Source

Building and installing OpenSSL from source is the best alternative when the package repository doesn’t offer the desired version even after updating.

The OpenSSL maintainers keep the source code on GitHub and publish regular releases. For this tutorial, we’re upgrading to OpenSSL version 3.3.2.

4.1. Downloading the Package

Let’s download OpenSSL 3.3.2 from the OpenSSL release page on GitHub:

[Screenshot: OpenSSL 3.3.2 GitHub Release Page]

In this case, we download it directly through the Web browser.

Alternatively, we can use the wget command in the CLI:

$ sudo wget https://github.com/openssl/openssl/archive/refs/tags/openssl-3.3.2.zip
--2024-10-28 12:32:48--  https://github.com/openssl/openssl/archive/refs/tags/openssl-3.3.2.zip
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
...
Saving to: ‘openssl-3.3.2.zip’

openssl-3.3.2.zip       [<=>                 ]  20.46M  1.39MB/s    in 17s     
...

Hence, the file is downloaded and saved as openssl-3.3.2.zip.
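Before unpacking and compiling anything that will become the system’s TLS library, it is worth checking that the archive is the one the project published. The zip fetched above is GitHub’s on-demand archive of the tag and carries no digest of its own; OpenSSL publishes a SHA-256 digest and a PGP signature alongside its release tarballs, and that published digest is what the check below expects. This is an added example, not part of the original article; the expected digest is an obviously labelled placeholder, and the unpack step is only run when the digest matches.

```shell
#!/bin/sh
# Added example, not part of the original article: check a downloaded archive
# against a published SHA-256 digest before unpacking it. EXPECTED_SHA256 below
# is a placeholder, not a real value; take the digest from the OpenSSL release
# page for the archive you actually downloaded.

# Print the SHA-256 of a file as lower-case hex, without the file name.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare a file's digest with the expected one (hex case is ignored).
# Exit status: 0 match, 1 mismatch, 2 file missing.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    [ "$(file_sha256 "$file")" = "$expected" ]
}

# Guard the unpack step: only extract when the digest matches.
# The exit status follows verify_sha256, so a failed check stops a `set -e`
# script instead of silently continuing with an unverified tree.
unpack_if_verified() {
    archive=$1
    expected=$2
    if verify_sha256 "$archive" "$expected"; then
        echo "$archive: checksum OK, extracting"
        unzip -q "$archive"
    else
        rc=$?
        echo "$archive: checksum FAILED (status $rc), not extracting" >&2
        return "$rc"
    fi
}

# Placeholder: replace with the digest published for the release you downloaded.
EXPECTED_SHA256='<sha256 published for this release>'
if [ -f ~/openssl-3.3.2.zip ]; then
    unpack_if_verified ~/openssl-3.3.2.zip "$EXPECTED_SHA256" || true
fi
```

The digest comparison is lower-cased on both sides because published digests appear in either case; the file-missing case gets its own status so a script can tell "download failed" from "download tampered with or corrupted".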

4.2. Installing Dependencies

Next, let’s install the build dependencies:

  • build-essential
  • checkinstall
  • zlib1g-dev
  • libz-dev

Again, we use apt for the purpose:

$ sudo apt install build-essential checkinstall zlib1g-dev libz-dev

Hence, we installed the necessary build dependencies. On Debian, libz-dev is a virtual package provided by zlib1g-dev, so listing both is harmless but redundant.

4.3. Build and Install

Let’s unzip the source package code:

$ sudo unzip ~/openssl-3.3.2.zip

We can use the ls command to verify that the extracted files are in the automatically created openssl-openssl-3.3.2 directory:

$ ls ~/openssl-openssl-3.3.2/
ACKNOWLEDGEMENTS.md  demos             NOTES-NONSTOP.md     README-QUIC.md
apps                 doc               NOTES-PERL.md        ssl
...
config               include           os-dep               util
...
Configure            NEWS.md           README-FIPS.md
...

Next, we navigate to the openssl-openssl-3.3.2 directory and execute the config script, which prepares the source code for compilation:

$ cd ~/openssl-openssl-3.3.2/
$ sudo ./config --prefix=/usr/local/openssl shared
Configuring OpenSSL version 3.3.2 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

The above command configures the OpenSSL source code to be installed in the /usr/local/openssl/ directory, with the library built as a shared object.

Then, we compile the sources with make and install the resulting binaries and libraries:

$ sudo make && sudo make install

Once the installation is complete, we can attempt to invoke the OpenSSL command-line tool located in the installation directory (/usr/local/openssl/):

$ /usr/local/openssl/bin/openssl
/usr/local/openssl/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

As seen above, the executable fails to start because the dynamic linker cannot find the shared libraries it needs. Let’s locate them:

$ find /usr/local -name "libssl.so.3"
/usr/local/openssl/lib64/libssl.so.3

Based on the output, the library is located in /usr/local/openssl/lib64. Let’s add this directory to the dynamic linker’s search path via a drop-in file in /etc/ld.so.conf.d:

$ echo "/usr/local/openssl/lib64" | sudo tee /etc/ld.so.conf.d/openssl.conf

Next, we rebuild the dynamic linker cache with the ldconfig command:

$ sudo ldconfig

Then, we try running the OpenSSL executable once more:

$ /usr/local/openssl/bin/openssl 
help:

Standard commands
asn1parse         ca                ciphers           cmp               
...

As seen above, the executable runs with no error.

4.4. Configure Executable and Verify Upgrade

For convenience, we can make OpenSSL runnable simply by typing openssl instead of the full path, by prepending its directory to PATH:

$ export PATH=/usr/local/openssl/bin:$PATH

Furthermore, to apply the change permanently for the current user, we append the export to the ~/.bashrc shell configuration file:

$ echo 'export PATH=/usr/local/openssl/bin:$PATH' >> ~/.bashrc
$ source ~/.bashrc

Now, let’s verify the configuration changes and upgraded version by running the openssl version command:

$ openssl version
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)

As seen above, we successfully upgraded the OpenSSL version from 1.1.1w to 3.3.2.
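Two practical points about the steps in sections 4.3 and 4.4: appending to ~/.bashrc with >> adds another export line every time it is re-run, and a directory dropped into /etc/ld.so.conf.d is searched by every dynamically linked program on the system, so any program looking for libssl.so.3 will now find this build. The tree in /usr/local/openssl is also separate from Debian’s packaged libssl: programs linked against the distribution library still use the apt-managed version, and this tree receives no updates from apt. As an added example (not part of the original article), the helpers below make the PATH and ld.so.conf steps idempotent and show which openssl a given PATH resolves to; all inputs are constructed and nothing here touches the real ~/.bashrc or /etc.

```shell
#!/bin/sh
# Added example, not part of the original article: idempotent versions of the
# post-install steps above. All inputs are constructed; the real ~/.bashrc and
# /etc/ld.so.conf* are not modified.

# Print PATH with DIR prepended, unless DIR is already one of its entries.
# Usage: prepend_path DIR PATH_STRING
prepend_path() {
    dir=$1
    path=$2
    case ":$path:" in
        *":$dir:"*) printf '%s\n' "$path" ;;
        *)          printf '%s\n' "$dir${path:+:$path}" ;;
    esac
}

# Append LINE to FILE only if FILE does not already contain that exact line.
# Exit status: 0 line added, 1 line was already present.
# Usage: ensure_line LINE FILE
ensure_line() {
    line=$1
    file=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Print the executable that NAME resolves to for PATH_STRING, mimicking the
# lookup `command -v` performs; fail if none is found. Runs in a subshell so
# the IFS change does not leak into the caller.
# Usage: resolve_in_path NAME PATH_STRING
resolve_in_path() (
    name=$1
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            exit 0
        fi
    done
    exit 1
)

# Succeed if DIR is already listed in CONF_FILE or in CONF_DIR/*.conf, the
# layout of /etc/ld.so.conf and /etc/ld.so.conf.d. Missing files are ignored.
# Usage: ld_conf_has_dir DIR CONF_FILE CONF_DIR
ld_conf_has_dir() {
    cat "$2" "$3"/*.conf 2>/dev/null | grep -qxF -- "$1"
}

# Demonstration on constructed input under a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' /usr/local/openssl/lib64 > "$tmp/openssl.conf"
    if ld_conf_has_dir /usr/local/openssl/lib64 "$tmp/ld.so.conf" "$tmp"; then
        echo "library dir already configured, skipping the tee step"
    fi
    rcline='export PATH=/usr/local/openssl/bin:$PATH'
    ensure_line "$rcline" "$tmp/bashrc" && echo "export line added"
    ensure_line "$rcline" "$tmp/bashrc" || echo "export line already present, not duplicated"
    echo "PATH after prepend: $(prepend_path /usr/local/openssl/bin /usr/bin:/bin)"
    rm -rf "$tmp"
}
demo
```

In real use the calls would be ld_conf_has_dir /usr/local/openssl/lib64 /etc/ld.so.conf /etc/ld.so.conf.d before the tee, ensure_line with the same export string against ~/.bashrc, and resolve_in_path openssl "$PATH" to confirm that /usr/local/openssl/bin/openssl, not the backed-up /usr/bin/openssl, is the one that wins.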

We can test the OpenSSL installation by generating an RSA private key:

$ openssl genrsa -out private.key 2048
$ cat private.key
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+kFt0vaTBukpC
...
iov8dx+PjHoffT79I3A/g0ZasQ==
-----END PRIVATE KEY-----

As shown above, the OpenSSL installation is functional.

5. Conclusion

In this article, we learned how to safely upgrade the OpenSSL library on Debian, both from the updated package repository and by building a newer version directly from source.

While a repository upgrade is often easier, building from source can always supply the latest released version.