openssl upgrade from 0.9.8e to 1.0.2e on rhel5.7

I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL5.7
can anyone advise the process and consequences and workarounds

Thanks in advance

Quote:

Originally Posted by rao.moravineni@gmail.com I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL5.7 can anyone advise the process and consequences and workarounds Thanks in advance

You do understand that the latest version of RHEL is 7.4 ?

Do you have a subscription for RHEL?

If so, download the latest version of RHEL.

If not, you will not be able to download updates for it. And in addition, RHEL 5.7 is just way too old and therefore is no longer supported.

Why are you still using RHEL 5.7 ??

https://access.redhat.com/solutions/9934

Quote:

Originally Posted by rao.moravineni@gmail.com I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL5.7 can anyone advise the process and consequences and workarounds

No, because there aren't any. As said, RHEL 5.7 is ANCIENT, and totally unsupported (and has been for a while). The reason you pay for RHEL is to get support/updates/patches/security fixes, which include things like this.

Short answer: 5.7 can't do what you want; upgrade (and PAY FOR RHEL if you're going to use it). If you're not going to pay, load the latest version of CentOS.

RHEL :
The packages gets updated with the latest security patches from later versions.

RHEL 5.x : Latest is RHEL 5.11 .
The ssl version is "openssl-0.9.8e-40.el5_11.x86_64.rpm"
http://vault.centos.org/5.11/updates..._11.x86_64.rpm

Changelog : The changes 2011 .. 2016 → attached.
-

Quote:

Originally Posted by knudfl RHEL: The packages gets updated with the latest security patches from later versions. RHEL 5.x : Latest is RHEL 5.11. The ssl version is "openssl-0.9.8e-40.el5_11.x86_64.rpm" http://vault.centos.org/5.11/updates..._11.x86_64.rpm Changelog : The changes 2011 .. 2016 → attached.

knudfl, I hate to disagree, but I feel this approach isn't good. The OP will have many dependencies to download/install besides that one RPM, and even if they manage to get OpenSSL updated....their entire system is still old/unpatched, and is going to be vulnerable from many other points.

The OP would be best served by doing a complete system update to something current.

@TB0ne, it was just a hint about updating ... to rhel 5.11 level.

The free repo

Code:

[CentOS 5.11]
name=CentOS-5.11-x86_64 
baseurl=http://vault.centos.org/5.11/os/x86_64/
enabled=1
gpgcheck=1

[CentOS 5.11-updates]
name=CentOS-5.11-updates-x86_64 
baseurl=http://vault.centos.org/5.11/updates/x86_64/
enabled=1
gpgcheck=1

Quote:

Originally Posted by knudfl @TB0ne, it was just a hint about updating ... to rhel 5.11 level. The free repo Code: [CentOS 5.11] name=CentOS-5.11-x86_64 baseurl=http://vault.centos.org/5.11/os/x86_64/ enabled=1 gpgcheck=1 [CentOS 5.11-updates] name=CentOS-5.11-updates-x86_64 baseurl=http://vault.centos.org/5.11/updates/x86_64/ enabled=1 gpgcheck=1

Gotcha. While that's not a bad idea, the OP is still far behind the curve at 5.11. If they're going to go down that road, it'd be far better off to just bite the bullet and upgrade to the latest-and-greatest CentOS (since they're not going to pay for RHEL).

Just my $0.02 worth, though. Doing small things like this is only staving off the inevitable.

While not disagreeing at all with what TB0ne is saying, upgrading to the RHEL/CentOS 7.4 from 5.11 is very painful in a production system. I couldn't figure out how to do that without acquiring a new server, installing 7.4, and migrating existing content (web, email, database, code). The modifications required in the apache upgrade alone took several days to figure out, and I don't want to even talk about learning systemd(!)
All in all, it was a couple of weeks to get everything right, and even then there were several hours of headaches at the cutover 'cause of things I installed but didn't properly test (or test at all, in one most embarrassing case...)

To the OP: (from whom we may never hear again <sigh>) based on what knudfl posted, it's unlikely that you can get OpenSSL 1.0.2e to install/work properly on RHEL/CentOS 5.x -- not a risk I'd be willing to take on a production box if it's remote.

Quote:

Originally Posted by scasey While not disagreeing at all with what TB0ne is saying, upgrading to the RHEL/CentOS 7.4 from 5.11 is very painful in a production system. I couldn't figure out how to do that without acquiring a new server, installing 7.4, and migrating existing content (web, email, database, code). The modifications required in the apache upgrade alone took several days to figure out, and I don't want to even talk about learning systemd(!) All in all, it was a couple of weeks to get everything right, and even then there were several hours of headaches at the cutover 'cause of things I installed but didn't properly test (or test at all, in one most embarrassing case...) To the OP: (from whom we may never hear again <sigh>) based on what knudfl posted, it's unlikely that you can get OpenSSL 1.0.2e to install/work properly on RHEL/CentOS 5.x -- not a risk I'd be willing to take on a production box if it's remote.

I agree, it's painful, but can be reduced to an ache if you plan a bit. I'd just spin up the latest CentOS 7.4 in Virtualbox, and migrate/test my services there. Re-configure as needed, test until you get it right. Then get your downtime window, format/reload/copy configs from test machine to production. Done. Even IF things go pear shaped, you can use the Virtualbox as a (slower) production unit, and buy yourself a little time at least. Even easier; just buy a new hard-drive, and pull your old ones. They're cheap these days, so $59 bucks to have a great fallback position isn't bad.

And a side benefit is that you get to test your backups...because if they don't work on helping you get the test server built, they're sure not going to when your server REALLY dies.

TB0ne: That's an excellent plan, and I'd probably have tried something like that if my old server hadn't begun throwing memory errors. It was > 8 years old and had been running non-stop for most of that time...probably hadn't been rebooted more than 5 or 6 times...it was time to upgrade.

Yes, I did get to use my backups and learn that they worked, so that part was good.

Quote:

Originally Posted by scasey TB0ne: That's an excellent plan, and I'd probably have tried something like that if my old server hadn't begun throwing memory errors. It was > 8 years old and had been running non-stop for most of that time...probably hadn't been rebooted more than 5 or 6 times...it was time to upgrade

Yeah, hardware age/errors are a good time to upgrade. I always recommend to my clients that they plan on doing a total replacement of servers every five years, and to budget for it. That window seems to be good, because even though the hardware is five years old, you can still get replacement parts for a while, and putting that old server into a disaster-recovery center can be done for free, and will let you do a parallel upgrade (old one running while new one is being built). Always best to have a fallback position, in my opinion.

Quote:

Yes, I did get to use my backups and learn that they worked, so that part was good.

Doing a spot-check on backups is never a waste of time. Worked with someone once, and they needed a file from a month before, and they couldn't find it, and they called us (since we put things in). Sure enough..file not there. Reason? The person who was in charge of changing the tapes out just never did. They were "too expensive to waste", so that one LTO just got left in there, with an entire box still wrapped in plastic in the storage room.