How do I install and build against OpenSSL 1.0.0 on Ubuntu?

Question

You can consider this a follow-up question to How do I install the OpenSSL C++ library on Ubuntu?

I'm trying to build some code on Ubuntu 10.04 LTS that requires OpenSSL 1.0.0.

Ubuntu 10.04 LTS comes with OpenSSL 0.9.8k:

$ openssl version
OpenSSL 0.9.8k 25 Mar 2009

So after running sudo apt-get install libssl-dev and building, running ldd confirms I've linked in 0.9.8:

$ ldd foo
        ...
        libssl.so.0.9.8 => /lib/i686/cmov/libssl.so.0.9.8 (0x00110000)
        ...
        libcrypto.so.0.9.8 => /lib/i686/cmov/libcrypto.so.0.9.8 (0x002b0000)
        ...

How do I install OpenSSL 1.0.0 and the 1.0.0 development package?

Update: I'm writing this update after reading SB's answer (but before trying it), because it's clear I need to explain that the obvious solution of downloading and installing OpenSSL 1.0.0 doesn't work:

After successfully doing the following (recommended in the INSTALL file):

  $ ./config
  $ make
  $ make test
  $ make install

...I still get:

OpenSSL 0.9.8k 25 Mar 2009

...and:

$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libssl-dev is already the newest version.
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.32-21 linux-headers-2.6.32-21-generic
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

...and (just to make sure) after rebuilding my code, ldd still returns the same thing.

Update #2: I added the "-I/usr/local/ssl/include" and "-L/usr/local/ssl/lib" options (suggested by SB) to my makefile, but I'm now getting a bunch of undefine reference compile errors, for example:

/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_f_base64'
/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_new'

/usr/local/ssl/include/ contains only an openssl directory (which contains numerous .h files), so I also tried "-I/usr/local/ssl/include/openssl" but got the same errors.

Update #3: I tried changing the OpenSSL includes from (for example):

#include <openssl/bio.h>

...to:

#include "openssl/bio.h"

...in the .cpp source file but still get the same undefined reference errors.

Update #4: I now realize those undefined reference errors are linker errors. If I remove the "-L/usr/local/ssl/lib" from my Makefile, I don't get the errors (but it links to OpenSSL 0.9.8). The contents of /usr/local/ssl/lib/ are:

$ ls /usr/local/ssl/lib/
engines  libcrypto.a  libssl.a  pkgconfig

I added -lcrypto, and the errors went away.

Answer 1

Get the 1.0.0a source from here.

# tar -xf openssl-1.0.0a.tar.gz
# cd openssl-1.0.0a
# ./config
# sudo make install

This puts it in /usr/local/ssl by default

When you build, you need to tell gcc to look for the headers in /usr/local/ssl/include and link with libs in /usr/local/ssl/lib. You can specify this by doing something like:

gcc test.c -o test -I/usr/local/ssl/include -L/usr/local/ssl/lib -lssl -lcrypto

EDIT DO NOT overwrite any system libraries. It's best to keep new libs in /usr/local. Overwriting Ubuntu defaults can be hazardous to your health and break your system.

Additionally, I was wrong about the paths as I just tried this in Ubuntu 10.04 VM. Fixed.

Note, there is no need to change LD_LIBRARY_PATH since the openssl libs you link against by default are static libs (at least by default - there might be a way to configure them as dynamic libs in the ./config step)

You may need to link against libcrypto because you are using some calls that are built and defined in the libcrypto package. Openssl 1.0.0 actually builds two libraries, libcrypto and libssl.

EDIT 2 Added -lcrypto to gcc line.

Answer 2

Instead of:

    $ ./config
    $ make
    $ make test
    $ make install

Do:

    $ sudo ./config --prefix=/usr
    $ sudo make
    $ sudo make test
    $ sudo make install

This will help you update to openssl 1.0.1g to patch for CVE-2014-0160 (Heartbleed).

OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Source: https://www.openssl.org/news/secadv_20140407.txt

Answer 3

Here's what solved it for me: Upgrade latest version OpenSSL on Ubuntu

Transcribing the main information:

Download the OpenSSL v1.0.0g source:

$ wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz

Unpack the archive and install:

$ tar xzvf openssl-1.0.0g.tar.gz
$ cd openssl-1.0.0g
$ ./config
$ make
$ make test
$ sudo make install

All files, including binaries and man pages are install under the directory /usr/local/ssl. To ensure users use this version of OpenSSL instead of the previous version you must update the paths for man pages and binaries.

Edit the file /etc/manpath.config adding the following line before the first MANPATH_MAP:

MANPATH_MAP     /usr/local/ssl/bin      /usr/local/ssl/man

Update the man database (I honestly can't remember and don't know for sure if this command was necessary - maybe try without it and at the end when testing if the man pages are still the old versions come back and run mandb):

sudo mandb

Edit the file /etc/environment and insert the path for OpenSSL binaries (/usr/local/ssl/bin) before the path for Ubuntu's version of OpenSSL (/usr/bin). My environment file looks like this:

PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

Logout and login and test:

$ openssl version
OpenSSL 1.0.0g 18 Jan 2012

Also test the man pages by running man openssl and at the very bottom in the left hand corner it should report 1.0.0g.

Note that although the users will now automatically use the new version of OpenSSL, existing programs (e.g. Apache) may not as they are linked against the libraries from the Ubuntu version.