Upgrading CentOS 7 to OpenSSL 3.5.4
(1). Lab environment
4 cores / 8 GB RAM, CentOS 7.9.2009
Aliyun yum and Aliyun EPEL repositories configured
(2). Installing OpenSSL 3.5.4 from source
Download: https://openssl-library.org/source/
1. Install dependencies
[root@localhost ~]# yum -y groupinstall "Development Tools"   # install the OpenSSL build dependencies
[root@localhost ~]# yum -y install perl-core zlib zlib-devel wget curl tar
2. Compile and install
[root@localhost ~]# tar xvf openssl-3.5.4.tar.gz
[root@localhost ~]# cd openssl-3.5.4
[root@localhost openssl-3.5.4]# ./Configure linux-x86_64 --prefix=/usr/local/openssl-3.5.4 --openssldir=/usr/local/openssl-3.5.4/ssl \
    enable-zlib enable-threads enable-dynamic-engine shared
# linux-x86_64: 64-bit Linux target (x86_64 architecture)
# --prefix=/usr/local/openssl-3.5.4: installation root directory
# --openssldir=/usr/local/openssl-3.5.4/ssl: runtime configuration directory
# enable-zlib: enable compression support
# enable-threads: enable multi-threading support
# enable-dynamic-engine: enable dynamic engine loading
# shared: build shared libraries (libssl.so / libcrypto.so)
[root@localhost openssl-3.5.4]# echo $?   # check that the previous command exited cleanly
0
[root@localhost openssl-3.5.4]# make -j$(nproc)   # build using all available cores
[root@localhost openssl-3.5.4]# echo $?   # check that the previous command exited cleanly
0
[root@localhost openssl-3.5.4]# make install
[root@localhost openssl-3.5.4]# echo $?   # check that the previous command exited cleanly
0
3. Configure environment variables
# Single quotes keep $PATH and the ${...} expansions literal, so they are evaluated at each login
# rather than baked into /etc/profile with their current values when the line is written.
[root@localhost openssl-3.5.4]# echo 'export PATH=/usr/local/openssl-3.5.4/bin:$PATH' >> /etc/profile
# .so (shared library) files: when a program depends on external libraries, the dynamic linker
# searches the directories listed in this variable for them.
[root@localhost openssl-3.5.4]# echo 'export LD_LIBRARY_PATH=/usr/local/openssl-3.5.4/lib64${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}' >> /etc/profile
# .pc (pkg-config) files describe the libraries available on the system: their version and the
# compiler and linker flags needed to build against them.
[root@localhost openssl-3.5.4]# echo 'export PKG_CONFIG_PATH=/usr/local/openssl-3.5.4/lib64/pkgconfig${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}}' >> /etc/profile
[root@localhost openssl-3.5.4]# source /etc/profile
(3). Safety checks
1. Verify the command-line tool version
Check the current default version. Expected result: the newly installed version (e.g. OpenSSL 3.5.4) is shown. The -a option also prints build details such as the install paths; confirm they point to /usr/local/openssl-3.5.4/ rather than /usr/.
[root@localhost openssl-3.5.4]# openssl version -a
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
built on: Thu Jan 22 00:59:55 2026 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/openssl-3.5.4/ssl"
ENGINESDIR: "/usr/local/openssl-3.5.4/lib64/engines-3"
MODULESDIR: "/usr/local/openssl-3.5.4/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfefa32034f8bffff:0x18400704219c27ab:0x00000810bc004410:0x0000000000000000:0x0000000000000000
Check that the old version is still there. Expected result: the old version (e.g. OpenSSL 1.0.2k) is shown. This proves you have not deleted or overwritten the system's own OpenSSL, so system tools still have the "old library" available.
[root@localhost openssl-3.5.4]# /usr/bin/openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
2. Verify dynamic library linkage
Check which libraries the new command depends on. Expected result: libssl.so.3 and libcrypto.so.3 resolve to paths under /usr/local/openssl-3.5.4/lib64/.
[root@localhost openssl-3.5.4]# ldd /usr/local/openssl-3.5.4/bin/openssl | grep ssl
	libssl.so.3 => /usr/local/openssl-3.5.4/lib64/libssl.so.3 (0x00007fe894dd0000)
	libcrypto.so.3 => /usr/local/openssl-3.5.4/lib64/libcrypto.so.3 (0x00007fe89465a000)
Check which libraries the old command depends on. Expected result: libssl.so.10 and libcrypto.so.10 resolve to paths under /lib64/ or /usr/lib64/.
[root@localhost openssl-3.5.4]# ldd /usr/bin/openssl | grep ssl
	libssl.so.10 => /lib64/libssl.so.10 (0x00007ff956b5e000)
Check the libraries a system tool such as curl depends on. Expected result: it must still resolve to the old libssl.so.10. If it resolved to the new version here, curl would most likely fail to run.
[root@localhost openssl-3.5.4]# ldd /usr/bin/curl | grep ssl
	libssl3.so => /lib64/libssl3.so (0x00007f2f8ce6b000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f2f89fee000)
3. Verify core system functions
Test yum. Expected result: the version number is printed normally. If it errors out because libssl.so.10 or libcrypto.so.10 cannot be found, the system library configuration has been broken and yum is unusable.
[root@localhost openssl-3.5.4]# yum --version
3.4.3
  Installed: rpm-4.11.3-48.el7_9.x86_64 at 2026-01-22 00:55
  Built    : CentOS BuildSystem <http://bugs.centos.org> at 2021-11-24 16:33
  Committed: Michal Domonkos <mdomonko@redhat.com> at 2021-11-01

  Installed: yum-3.4.3-168.el7.centos.noarch at 2026-01-11 11:26
  Built    : CentOS BuildSystem <http://bugs.centos.org> at 2020-10-01 17:03
  Committed: CentOS Sources <bugs@centos.org> at 2020-09-29

  Installed: yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch at 2026-01-11 11:26
  Built    : CentOS BuildSystem <http://bugs.centos.org> at 2020-05-12 16:27
  Committed: Michal Domonkos <mdomonko@redhat.com> at 2020-03-12
Test a network tool. Expected result: the HTTP response headers are returned normally. An SSL-related error means curl's dependencies are broken.
[root@localhost openssl-3.5.4]# curl -I http://www.baidu.com
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 0
Content-Type: text/html
Pragma: no-cache
Server: bfe
Date: Thu, 22 Jan 2026 01:12:28 GMT
4. Verify the new version's features
If you upgraded in order to use new features (such as TLS 1.3), test them with the new binary. Expected result: a TLS 1.3 connection is established successfully, proving the new version is not merely installed but working.
[root@localhost openssl-3.5.4]# /usr/local/openssl-3.5.4/bin/openssl s_client -connect www.example.com:443 -tls1_3
Connecting to 104.18.27.120
CONNECTED(00000003)
depth=3 C=US, O=SSL Corporation, CN=SSL.com TLS ECC Root CA 2022
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify return:1
depth=1 C=US, O=SSL Corporation, CN=Cloudflare TLS Issuing ECC CA 3
verify return:1
depth=0 CN=example.com
verify return:1
---
Certificate chain
0 s:CN=example.com
i:C=US, O=SSL Corporation, CN=Cloudflare TLS Issuing ECC CA 3
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Dec 16 19:39:32 2025 GMT; NotAfter: Mar 16 18:32:44 2026 GMT
1 s:C=US, O=SSL Corporation, CN=Cloudflare TLS Issuing ECC CA 3
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: May 29 19:49:45 2025 GMT; NotAfter: May 27 19:49:44 2035 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=US, O=SSL Corporation, CN=SSL.com TLS ECC Root CA 2022
a:PKEY: EC, (secp384r1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 21 17:02:23 2022 GMT; NotAfter: Oct 17 17:02:22 2037 GMT
3 s:C=US, O=SSL Corporation, CN=SSL.com TLS ECC Root CA 2022
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Aug 1 00:00:00 2025 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=CN=example.com
issuer=C=US, O=SSL Corporation, CN=Cloudflare TLS Issuing ECC CA 3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 5070 bytes and written 1562 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 97546CE3CF4E86749ED4A2494FD3C14C077434FBCEE3FE68F58C6A5454BA3A75
Session-ID-ctx:
Resumption PSK: 6FE16808A8996D8679DCCA9814E3C51FE60D93E652D75DF9873C811468ECF2D065B002FD1784DE85548270621DB17876
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Start Time: 1769044439
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 555BC06BCDC2C890C74F13C88B23F522B603509E757D8F96ABFE436195E67F04
Session-ID-ctx:
Resumption PSK: EAC151BD715F1532F5B0E2B61DA29A10910267103EF15CCBDC4AF87591A0159B80264D63AAF4C641D806F35BE54D0E4E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Start Time: 1769044439
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
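The section (3) checks collected into one script, as an added example that is not part of the original post. It assumes the --prefix used above and the CentOS 7 system trust store at /etc/pki/tls/certs/ca-bundle.crt, and the SAMPLE_* ldd text is constructed in the format the post shows. The s_client output above ends with "Verify return code: 20 (unable to get local issuer certificate)": the TLS 1.3 handshake succeeded, but the new build's own OPENSSLDIR (/usr/local/openssl-3.5.4/ssl) holds no trusted CA certificates yet, so the script passes -CAfile to point the new binary at the system bundle and requires a fully verified chain.

```shell
#!/bin/sh
# Added example, not from the original post: section (3)'s safety checks as a script.
# Assumptions: NEW_PREFIX is the --prefix used above, CA_BUNDLE is the CentOS 7 system
# trust store, and the SAMPLE_* ldd output is constructed in the format the post shows.
set -u
NEW_PREFIX=${NEW_PREFIX:-/usr/local/openssl-3.5.4}
CA_BUNDLE=${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}
SAMPLE_NEW_LDD='	libssl.so.3 => /usr/local/openssl-3.5.4/lib64/libssl.so.3 (0x00007fe894dd0000)
	libcrypto.so.3 => /usr/local/openssl-3.5.4/lib64/libcrypto.so.3 (0x00007fe89465a000)'
SAMPLE_CURL_LDD='	libssl3.so => /lib64/libssl3.so (0x00007f2f8ce6b000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f2f89fee000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f2f89b8d000)'

# ssl_lib_paths LDD_OUTPUT: print the resolved path of each libssl.so*/libcrypto.so*
# line, one per line. NSS's libssl3.so is not OpenSSL and is deliberately skipped.
ssl_lib_paths() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so.*=>/ { print $3 }'
}
# all_under PATHS DIR: succeed only if PATHS is non-empty and every path is under DIR/.
all_under() {
    [ -n "$1" ] || return 1
    for p in $1; do case "$p" in "$2"/*) ;; *) return 1 ;; esac; done
}
# none_under PATHS DIR: succeed only if no path is under DIR/.
none_under() {
    for p in $1; do case "$p" in "$2"/*) return 1 ;; esac; done
}
# Live checks on this host; skipped when the new build is absent.
run_checks() {
    new="$NEW_PREFIX/bin/openssl"; rc=0
    [ -x "$new" ] || { echo "SKIP: $new not found"; return 0; }
    all_under "$(ssl_lib_paths "$(ldd "$new")")" "$NEW_PREFIX/lib64" \
        && echo "PASS: new openssl links $NEW_PREFIX/lib64" || { echo "FAIL: new openssl libs"; rc=1; }
    none_under "$(ssl_lib_paths "$(ldd /usr/bin/curl)")" "$NEW_PREFIX" \
        && echo "PASS: system curl does not see the new libs" || { echo "FAIL: curl relinked"; rc=1; }
    /usr/bin/openssl version | grep -q '^OpenSSL 1\.0' \
        && echo "PASS: system OpenSSL 1.0.2 still present" || { echo "FAIL: /usr/bin/openssl"; rc=1; }
    # The post's s_client run ends with "Verify return code: 20" because the new OPENSSLDIR
    # has no CA store yet; -CAfile points the new binary at the system bundle instead.
    "$new" s_client -connect www.example.com:443 -tls1_3 -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null \
        | grep -q '^Verify return code: 0 (ok)' \
        && echo "PASS: TLS 1.3 handshake with verified chain" || { echo "FAIL: TLS 1.3 verify"; rc=1; }
    return $rc
}
run_checks
```

Run it as root after `source /etc/profile`; the text helpers also work on saved ldd output, so the checks can be replayed from a captured session.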
Reference: https://blog.csdn.net/qq_39965541/article/details/150853159
