Due to a security issue, I would like to upgrade OpenSSL from version v1.1.1k to v3.0.8 in Rocky 8.6. I will upgrade OpenSSL from source as follows (I only extract a portion of the steps for the upgrade):
tar -zxvf openssl-3.0.8.tar.gz
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
Is there any impact in OpenOnDemand for the upgrade?
I would expect issues for such a major upgrade. I really don’t know what all they would be though. Just do the typical steps of making backups of your system before the upgrade and being prepared to roll back if you encounter any issues.
@tdockendorf do you have any other guidance on this?
I would very strongly discourage upgrading OpenSSL like that on a system based on RedHat. RedHat and the downstream operating systems will backport security fixes into things like OpenSSL. Things like Nessus and other scanning tools rarely take into account that OpenSSL version 1.1.1g-16 will contain numerous security fixes (that’s what the “16” part helps denote). In RedHat-based systems the version like 1.1.1g rarely gets upgraded to ensure system compatibility, but RedHat will backport security fixes and bump that “release” number, i.e. “16”.
If you do need OpenSSL v3 I would recommend attempting to use “openssl3” RPMs from the OS repos rather than compiling from source. On RedHat it’s generally a very bad idea to install things from source when the OS provides the RPMs.
Also if you upgrade OpenSSL that way, almost nothing on the system will use that since they are linked to the OS openssl. You’d have to go through a lot of work to update LD_LIBRARY_PATH and ldconfig to have the system use the source installed OpenSSL libraries instead of the ones from the OS. So those steps alone would not actually upgrade OpenSSL and would not improve security in any meaningful way.
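The two points made in the last reply (backported fixes show up in the RPM release and changelog, and binaries stay linked to the OS libraries) can be checked directly on the host. The script below is an added example, not part of the original thread; the function names, the sample changelog and the placeholder CVE ids are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify backports and linkage instead of trusting the
# upstream version string. All sample data below is constructed.

# Split an RPM version-release string: "1.1.1g-16" -> "1.1.1g 16".
# The part after the last "-" is the distro release that backports bump.
split_vr() {
    printf '%s %s\n' "${1%-*}" "${1##*-}"
}

# Read an RPM changelog on stdin and, for each CVE id passed as an argument,
# print "<id> backported" or "<id> not-listed". Returns 1 if any id is missing.
check_backports() {
    _log=$(cat)
    _rc=0
    for _cve in "$@"; do
        if printf '%s\n' "$_log" | grep -qiwF -- "$_cve"; then
            echo "$_cve backported"
        else
            echo "$_cve not-listed"
            _rc=1
        fi
    done
    return "$_rc"
}

# Print the libssl/libcrypto files a binary resolves to at load time.
linked_ssl() {
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ { print $1, "->", $3 }'
}

# Constructed changelog excerpt; the CVE ids are placeholders, not real ones.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <pkg@example.invalid> - 1:1.1.1g-16
- Fix placeholder issue CVE-0000-0001
* Fri Dec 01 2023 Packager <pkg@example.invalid> - 1:1.1.1g-15
- Backport fix for CVE-0000-0002'

# Live use on an RPM-based host: sh check.sh CVE-id [CVE-id ...]
if [ "$#" -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    split_vr "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)"
    rpm -q --changelog openssl | check_backports "$@" || true
    linked_ssl "$(command -v openssl)"
fi
```

Run it with the CVE ids from the scanner report as arguments; any id reported as `not-listed` is one to look up in the distribution's security advisories rather than a reason to build from source.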