Re: Compile opensslß1.1.1k on CentOS8

Hal Murray halmurray+openssl at
Tue Jun 8 09:23:26 UTC 2021

janjust at said:
> As you found out, it is nearly impossible to swap out the existing  openssl
> 1.1.1g with a "stock" openssl version, as RedHat/CentOS have  applied patches
> to it. My advice would be: don't even try. If you *have  to* use openssl
> 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS  releases). But keep
> in mind: - debian 10 uses openssl 1.1.1d - ubuntu seems to be at openssl
> 1.1.1j etc. 

There are two cases.  One is where you want to replace the system libraries so 
that all the installed programs that use libssl will now use your new version. 
 I agree doing that is crazy.  That's what distros are for.

But if you are working on a program and you want that one program to use a new 
version, that's not so hard.  The trick is to install your new version of 
openssl in /usr/local/ (or wherever).  Then you have to patch the build recipe 
for your program to look there.  This is how you would get your program ready 
for 3.0.0 or get a program that needs TLS1.3 to work on a distro that is stuck 
in the dark ages.

I use:
    ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared
to build and install OpenSSL, then, for waf:
        ctx.env.INCLUDES = ["/usr/local/ssl/include"]
        ctx.env.LIBPATH = ["/usr/local/ssl/lib"]

I don't remember where I found that config line.

These are my opinions.  I hate spam.

More information about the openssl-users mailing list