
Is it possible to build OpenSSL 1.1.1q with FIPS support in RHEL 8? In RHEL 8.6, the supported version is OpenSSL 1.1.1k FIPS. But I want to upgrade this OpenSSL to the latest.

Thank you in advance.

1 Answer


Too long for a comment:

You probably want to do the wrong thing, as do many people that want to upgrade to the most recent version of OpenSSL (or any other system library or component).

The majority of people asking for such upgrades see a security notice such as https://www.cvedetails.com/cve/CVE-2022-2097/ and see that the vulnerability has been fixed in the latest release, "Fixed in OpenSSL 1.1.1q", and then want to upgrade to that release.

Generally they forget that from a security perspective you don't want to be running any specific OpenSSL version, you just don't want to be vulnerable to any known OpenSSL (or other) security vulnerabilities.

In general you already achieve that by regularly applying the security updates on your supported RHEL 8 release.

You may see an old version number for OpenSSL on your server, but that does not mean that your system is vulnerable, on account of the common practice in the "Enterprise" Linux distributions to "backport" security updates. The reasons for backporting and the process are pretty well described on RedHat.com. (Please read that whole article.)

rpm -q --changelog openssl

shows, among other things, what CVEs and issues have been resolved already in the version your system's running.

The CVE above is a bad example, or maybe not, because Red Hat determined that RHEL 8 is not vulnerable: https://access.redhat.com/security/cve/cve-2022-2097


If you really need to upgrade OpenSSL - be aware that it is a fairly critical component and lots of other elements on your system rely on it. I'd avoid upgrading the OS OpenSSL version and only link the specific application that needs the non-standard version to your custom OpenSSL version.

HBruijn
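The rpm -q --changelog check the answer recommends, turned into a small script (an added example, not HBruijn's code): it lists the CVE ids an installed package's changelog mentions and prints the lines for one id, so you can read whether the entry says fixed or not affected rather than trusting a version string. The changelog text is a constructed sample in rpm's format; CVE-2022-0001 and CVE-2022-0002 are placeholder ids.

```shell
#!/bin/sh
# Added example (not from the answer): read the RPM changelog to see whether a
# CVE is already handled in the installed build, instead of comparing the
# reported version string with an upstream "fixed in" version.
# SAMPLE_CHANGELOG is constructed in the format `rpm -q --changelog` prints;
# CVE-2022-0001 and CVE-2022-0002 are placeholder ids, not real advisories.

SAMPLE_CHANGELOG='* Tue Jul 05 2022 Example Packager <pkg@example.com> - 1:1.1.1k-7
- Fix CVE-2022-0001 (placeholder: command injection in a helper script)
- CVE-2022-2097 does not affect this build; no change required
* Mon Mar 14 2022 Example Packager <pkg@example.com> - 1:1.1.1k-6
- Fix CVE-2022-0002 (placeholder: infinite loop in a parser)'

# Print every CVE id the changelog text mentions, one per line, sorted, unique.
list_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the changelog lines that mention a CVE id; exit status 1 if none do.
# A mention is not automatically a fix: read the line, it may say "not affected".
cve_lines() {
    printf '%s\n' "$2" | grep -w -- "$1"
}

# Usage on a real host, replacing the sample with the installed package's log:
#   cve_lines CVE-2022-2097 "$(rpm -q --changelog openssl)"
if [ "${1:-}" = "--demo" ]; then
    list_cves "$SAMPLE_CHANGELOG"
    cve_lines CVE-2022-2097 "$SAMPLE_CHANGELOG"
fi
```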