LinuxQuestions.org
Old 11-22-2017, 03:08 AM   #1
rao.moravineni@gmail.com
LQ Newbie
 
Registered: May 2015
Posts: 1

Rep: Reputation: Disabled
openssl upgrade from 0.9.8e to 1.0.2e on rhel5.7


I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL 5.7.
Can anyone advise on the process, consequences, and workarounds?

Thanks in advance
 
Old 11-22-2017, 03:55 AM   #2
jsbjsb001
Member
 
Registered: Mar 2009
Location: hopefully somewhere on earth? ;)
Distribution: Whatever Linux distro that suits my needs!
Posts: 752

Rep: Reputation: 413
Quote:
Originally Posted by rao.moravineni@gmail.com
I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL 5.7.
Can anyone advise on the process, consequences, and workarounds?

Thanks in advance
You do understand that the latest version of RHEL is 7.4 ?

Do you have a subscription for RHEL?

If so, download the latest version of RHEL.

If not, you will not be able to download updates for it. And in addition, RHEL 5.7 is just way too old and therefore is no longer supported.

Why are you still using RHEL 5.7 ??

https://access.redhat.com/solutions/9934
 
Old 11-22-2017, 04:51 PM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,321

Rep: Reputation: 4470
Quote:
Originally Posted by rao.moravineni@gmail.com
I am working on upgrading OpenSSL 0.9.8e to 1.0.2e on RHEL 5.7. Can anyone advise on the process, consequences, and workarounds?
No, because there aren't any. As said, RHEL 5.7 is ANCIENT, and totally unsupported (and has been for a while). The reason you pay for RHEL is to get support/updates/patches/security fixes, which include things like this.

Short answer: 5.7 can't do what you want; upgrade (and PAY FOR RHEL if you're going to use it). If you're not going to pay, load the latest version of CentOS.
 
Old 11-23-2017, 07:45 AM   #4
knudfl
LQ 5k Club
 
Registered: Jan 2008
Location: Copenhagen, DK
Distribution: pclos2017 CentOS6.9 CentOS7.4 + 50+ other Linux OS, for test only.
Posts: 16,755

Rep: Reputation: 3329
RHEL :
The packages get updated with the latest security patches from later versions.

RHEL 5.x : Latest is RHEL 5.11 .
The ssl version is "openssl-0.9.8e-40.el5_11.x86_64.rpm"
http://vault.centos.org/5.11/updates..._11.x86_64.rpm

Changelog : The changes 2011 .. 2016 → attached.
-
Attached Files
File Type: txt changelog_2011-2016.txt (5.1 KB, 2 views)
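
Because fixes are backported as knudfl describes, the upstream version string (0.9.8e) does not show which fixes a given build carries; the RPM changelog does. As an added example (not part of any post in this thread), this script lists the CVE IDs recorded in `rpm -q --changelog openssl` output and the package release that introduced each fix. The sample changelog, its packager name, releases and CVE IDs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format printed by `rpm -q --changelog openssl`.
# Packager, dates, releases and CVE IDs are placeholders, not real data.
sample_changelog() {
cat <<'EOF'
* Mon Feb 01 2016 Example Packager <pkg@example.com> 0.9.8e-40
- fix CVE-0000-0003 - placeholder description
* Tue Mar 10 2015 Example Packager <pkg@example.com> 0.9.8e-33
- fix CVE-0000-0002 - placeholder description
- fix CVE-0000-0001 - placeholder description
* Wed Jun 04 2014 Example Packager <pkg@example.com> 0.9.8e-27
- add back support for a legacy option (no CVE)
EOF
}

# Read a changelog on stdin and print "<CVE-ID> <version-release>" for
# every CVE ID mentioned, one per line, de-duplicated.
backported_cves() {
    awk '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            line = $0
            # a single changelog line may name several CVEs
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), rel
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Succeed (exit 0) if CVE ID $1 is listed in the changelog on stdin and
# print the release that carries the fix; fail (exit 1) otherwise.
cve_fixed_in() {
    backported_cves |
        awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# On a live system, feed the real changelog instead of the sample:
#   rpm -q --changelog openssl | backported_cves
sample_changelog | backported_cves
```

A CVE missing from the changelog only shows that the packager did not record it there; the vendor's advisory for the installed release remains the authoritative source.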
 
Old 11-23-2017, 09:27 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,321

Rep: Reputation: 4470
Quote:
Originally Posted by knudfl
RHEL: The packages get updated with the latest security patches from later versions.

RHEL 5.x : Latest is RHEL 5.11.
The ssl version is "openssl-0.9.8e-40.el5_11.x86_64.rpm"
http://vault.centos.org/5.11/updates..._11.x86_64.rpm

Changelog : The changes 2011 .. 2016 → attached.
knudfl, I hate to disagree, but I feel this approach isn't good. The OP will have many dependencies to download/install besides that one RPM, and even if they manage to get OpenSSL updated....their entire system is still old/unpatched, and is going to be vulnerable from many other points.

The OP would be best served by doing a complete system update to something current.
 
Old 11-23-2017, 09:57 AM   #6
knudfl
LQ 5k Club
 
Registered: Jan 2008
Location: Copenhagen, DK
Distribution: pclos2017 CentOS6.9 CentOS7.4 + 50+ other Linux OS, for test only.
Posts: 16,755

Rep: Reputation: 3329
@TB0ne, it was just a hint about updating ... to rhel 5.11 level.

The free repo
Code:
# yum repo IDs may not contain spaces, so the section names use hyphens
[centos-5.11]
name=CentOS-5.11-x86_64
baseurl=http://vault.centos.org/5.11/os/x86_64/
enabled=1
gpgcheck=1

[centos-5.11-updates]
name=CentOS-5.11-updates-x86_64
baseurl=http://vault.centos.org/5.11/updates/x86_64/
enabled=1
gpgcheck=1
 
Old 11-23-2017, 10:44 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,321

Rep: Reputation: 4470
Quote:
Originally Posted by knudfl
@TB0ne, it was just a hint about updating ... to rhel 5.11 level.

The free repo
Code:
# yum repo IDs may not contain spaces, so the section names use hyphens
[centos-5.11]
name=CentOS-5.11-x86_64
baseurl=http://vault.centos.org/5.11/os/x86_64/
enabled=1
gpgcheck=1

[centos-5.11-updates]
name=CentOS-5.11-updates-x86_64
baseurl=http://vault.centos.org/5.11/updates/x86_64/
enabled=1
gpgcheck=1
Gotcha. While that's not a bad idea, the OP is still far behind the curve at 5.11. If they're going to go down that road, it'd be far better off to just bite the bullet and upgrade to the latest-and-greatest CentOS (since they're not going to pay for RHEL).

Just my $0.02 worth, though. Doing small things like this is only staving off the inevitable.
 
1 members found this post helpful.
Old 11-23-2017, 11:30 AM   #8
scasey
Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 422

Rep: Reputation: 145
While not disagreeing at all with what TB0ne is saying, upgrading to the RHEL/CentOS 7.4 from 5.11 is very painful in a production system. I couldn't figure out how to do that without acquiring a new server, installing 7.4, and migrating existing content (web, email, database, code). The modifications required in the apache upgrade alone took several days to figure out, and I don't want to even talk about learning systemd(!)
All in all, it was a couple of weeks to get everything right, and even then there were several hours of headaches at the cutover 'cause of things I installed but didn't properly test (or test at all, in one most embarrassing case...)

To the OP: (from whom we may never hear again <sigh>) based on what knudfl posted, it's unlikely that you can get OpenSSL 1.0.2e to install/work properly on RHEL/CentOS 5.x -- not a risk I'd be willing to take on a production box if it's remote.
 
1 members found this post helpful.
Old 11-23-2017, 02:18 PM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,321

Rep: Reputation: 4470
Quote:
Originally Posted by scasey
While not disagreeing at all with what TB0ne is saying, upgrading to the RHEL/CentOS 7.4 from 5.11 is very painful in a production system. I couldn't figure out how to do that without acquiring a new server, installing 7.4, and migrating existing content (web, email, database, code). The modifications required in the apache upgrade alone took several days to figure out, and I don't want to even talk about learning systemd(!)
All in all, it was a couple of weeks to get everything right, and even then there were several hours of headaches at the cutover 'cause of things I installed but didn't properly test (or test at all, in one most embarrassing case...)

To the OP: (from whom we may never hear again <sigh>) based on what knudfl posted, it's unlikely that you can get OpenSSL 1.0.2e to install/work properly on RHEL/CentOS 5.x -- not a risk I'd be willing to take on a production box if it's remote.
I agree, it's painful, but can be reduced to an ache if you plan a bit. I'd just spin up the latest CentOS 7.4 in Virtualbox, and migrate/test my services there. Re-configure as needed, test until you get it right. Then get your downtime window, format/reload/copy configs from test machine to production. Done. Even IF things go pear shaped, you can use the Virtualbox as a (slower) production unit, and buy yourself a little time at least. Even easier; just buy a new hard-drive, and pull your old ones. They're cheap these days, so $59 bucks to have a great fallback position isn't bad.

And a side benefit is that you get to test your backups...because if they don't work on helping you get the test server built, they're sure not going to when your server REALLY dies.
 
1 members found this post helpful.
Old 11-23-2017, 02:27 PM   #10
scasey
Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 422

Rep: Reputation: 145
TB0ne: That's an excellent plan, and I'd probably have tried something like that if my old server hadn't begun throwing memory errors. It was > 8 years old and had been running non-stop for most of that time...probably hadn't been rebooted more than 5 or 6 times...it was time to upgrade.

Yes, I did get to use my backups and learn that they worked, so that part was good.
 
Old 11-24-2017, 11:05 AM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,321

Rep: Reputation: 4470
Quote:
Originally Posted by scasey
TB0ne: That's an excellent plan, and I'd probably have tried something like that if my old server hadn't begun throwing memory errors. It was > 8 years old and had been running non-stop for most of that time...probably hadn't been rebooted more than 5 or 6 times...it was time to upgrade
Yeah, hardware age/errors are a good time to upgrade. I always recommend to my clients that they plan on doing a total replacement of servers every five years, and to budget for it. That window seems to be good, because even though the hardware is five years old, you can still get replacement parts for a while, and putting that old server into a disaster-recovery center can be done for free, and will let you do a parallel upgrade (old one running while new one is being built). Always best to have a fallback position, in my opinion.
Quote:
Yes, I did get to use my backups and learn that they worked, so that part was good.
Doing a spot-check on backups is never a waste of time. Worked with someone once, and they needed a file from a month before, and they couldn't find it, and they called us (since we put things in). Sure enough..file not there. Reason? The person who was in charge of changing the tapes out just never did. They were "too expensive to waste", so that one LTO just got left in there, with an entire box still wrapped in plastic in the storage room.
 
  

