
Upgrade ECS OpenSSL

Last Updated: May 07, 2018

To keep OpenSSL secure, we recommend that you upgrade OpenSSL on your ECS instance to the latest version. This article describes how to perform the upgrade.


Connect to the ECS instance and open a shell.

Update OpenSSL from the software repository

  • For Alibaba Cloud Linux/CentOS systems, run the following command with root permission:

    sudo yum update openssl

  • For Ubuntu Server/Debian systems, run the following commands with root permission:

    sudo apt-get update
    sudo apt-get upgrade

Update OpenSSL by using the compilation method

Download the latest version of OpenSSL (this article uses OpenSSL-1.1.0e as an example).

Note: The following compilation and upgrade operations carry risks. We recommend that you perform them with professional technical support.

Run the following commands with root permission:

  # Download and unpack the source
  wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
  tar zxvf openssl-1.1.0e.tar.gz
  cd openssl-1.1.0e
  # Configure with shared libraries and zlib support, then build and install under /usr/local
  ./config shared zlib
  make
  make install
  # Replace the old version of OpenSSL
  mv /usr/bin/openssl /usr/bin/openssl.old
  mv /usr/include/openssl /usr/include/openssl.old
  ln -s /usr/local/bin/openssl /usr/bin/openssl
  ln -s /usr/local/include/openssl/ /usr/include/openssl

Check the OpenSSL version

Run the openssl version -a command with root permission.

Detailed information about your OpenSSL version is returned as follows:

  OpenSSL 1.1.0e 16 Feb 2017
  built on: reproducible build, date unspecified
  platform: linux-x86_64
  compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\"" -Wa,--noexecstack
  OPENSSLDIR: "/usr/local/ssl"
  ENGINESDIR: "/usr/local/lib/engines-1.1"
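
The version command reports only the command-line binary; services that were already running when the package was updated keep the old libssl/libcrypto mapped until they are restarted. The following check is an added example, not part of the original article: it lists such processes by looking for OpenSSL libraries marked (deleted) in /proc/<pid>/maps. The function names and the optional proc-root argument are assumptions for illustration, and the sample /proc tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original article). stale_ssl_pids and its
# optional proc-root argument are illustrative names.

# Print "PID NAME" for every process that still maps a libssl/libcrypto
# file which has since been replaced on disk. The kernel marks such
# mappings with a trailing "(deleted)" in /proc/<pid>/maps.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Anchor on "libssl.so"/"libcrypto.so" so NSS's libssl3.so is ignored.
        if grep -Eq '/lib(ssl|crypto)\.so[^/]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            name="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "${pid_dir##*/}" "$name"
        fi
    done
}

# Constructed sample data: a fake /proc tree with three processes.
make_sample_proc() {
    root="$(mktemp -d)" || return 1
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo nginx > "$root/101/comm"
    echo sshd > "$root/202/comm"
    echo curl > "$root/303/comm"
    # PID 101 started before the update and still maps the unlinked files.
    printf '%s\n' \
        '7f3a1c000000-7f3a1c06a000 r-xp 00000000 fd:01 131245 /usr/lib64/libssl.so.1.0.2k (deleted)' \
        '7f3a1b000000-7f3a1b234000 r-xp 00000000 fd:01 131240 /usr/lib64/libcrypto.so.1.0.2k (deleted)' \
        > "$root/101/maps"
    # PID 202 was restarted after the update and maps the file now on disk.
    echo '7f9b2e000000-7f9b2e06a000 r-xp 00000000 fd:01 131877 /usr/lib64/libssl.so.1.0.2k' \
        > "$root/202/maps"
    # PID 303 maps a deleted NSS library, which is not OpenSSL.
    echo '7f11aa000000-7f11aa04e000 r-xp 00000000 fd:01 132001 /usr/lib64/libssl3.so (deleted)' \
        > "$root/303/maps"
    echo "$root"
}

sample="$(make_sample_proc)"
stale_ssl_pids "$sample"    # prints: 101 nginx
rm -rf "$sample"
# On a real host, run as root with no argument: stale_ssl_pids
```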

For more information, see the OpenSSL official vulnerability announcement.
