I. Environment Preparation

1.1 Install RPM packaging, testing essential development tools

$ yum install -y rpm-build rpmlint rpmdevtools

1.2 Install the dependencies required for packaging and compiling

$ yum install -y gcc gcc-c++ make perl perl-WWW-Curl

 

II. Make the RPM package for OpenSSL

Note:

Remember! Do not perform the packaging operation as the root user. This is dangerous because the binaries are installed (into the build root) before packaging, and a mistake in the spec file executed as root can damage the system. Package as a normal user to prevent system corruption.

2.1 Configuring the rpmbuild working directory

$ mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
$ echo "%_topdir %{getenv:HOME}/rpmbuild" > ~/.rpmmacros

2.2 Download the source package to the ~/rpmbuild/SOURCES directory

$ wget -O ~/rpmbuild/SOURCES/openssl-1.1.1k.tar.gz https://www.openssl.org/source/openssl-1.1.1k.tar.gz
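A check worth running on the downloaded tarball before section 2.5, as an added example that is not part of the original tutorial: it compares the file against a SHA-256 digest file and fails closed on any problem. The function name `verify_source` and the digest-file path are assumptions; the digest must come from the OpenSSL project over a channel you trust.

```shell
#!/bin/sh
# Added example (not from the original page): fail-closed SHA-256 check of a
# source tarball before it is handed to rpmbuild.
# verify_source and the digest-file argument are hypothetical names.

# verify_source TARBALL DIGEST_FILE
# DIGEST_FILE holds either "<hex>" or "<hex>  <filename>" (sha256sum style).
# Returns 0 only on an exact match; 1 = mismatch, 2 = missing file, 3 = bad digest.
verify_source() {
    tarball=$1
    digest_file=$2

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$digest_file" ] || { echo "missing digest file: $digest_file" >&2; return 2; }

    # First whitespace-separated field of the first line, lower-cased.
    expected=$(awk 'NR==1 { print tolower($1) }' "$digest_file")

    # Reject anything that is not exactly 64 hex characters, for example an
    # HTML error page that was saved in place of the digest.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest in $digest_file" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest in $digest_file" >&2; return 3; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball"
        return 0
    fi
    echo "MISMATCH: $tarball (expected $expected, got $actual)" >&2
    return 1
}

# Typical use (the digest file path is a placeholder):
#   verify_source ~/rpmbuild/SOURCES/openssl-1.1.1k.tar.gz /path/to/openssl-1.1.1k.tar.gz.sha256 \
#       && rpmbuild -ba ~/rpmbuild/SPECS/openssl.spec
```

A digest fetched from the same server as the tarball only detects corruption in transit; checking the project's detached GPG signature against a key obtained independently is the stronger control.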

2.3 Writing the spec file for the openssl 1.1.1k repository package

$ vim ~/rpmbuild/SPECS/openssl.spec
Name: openssl
Version: 1.1.1k
Release: 1%{?dist}
Summary: Utilities from the general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
# OpenSSL 1.1.1 is released under the dual OpenSSL/SSLeay license, not the GPL
License: OpenSSL
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
Requires: %{name} = %{version}-%{release}
BuildRoot: %_topdir/BUILDROOT

%global openssldir /usr/openssl

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%prep
%setup -q

%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make %{?_smp_mflags}

%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
# %defattr must precede the entries it applies to
%defattr(-,root,root)
%{openssldir}
%{_bindir}/openssl
%{_libdir}/libcrypto.so.1.1
%{_libdir}/libssl.so.1.1


%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%changelog
* Sat May 08 2021 Hebin Wan <wanhebin@outlook.com> - 1.1.1k
- Rebuilt for https://www.openssl.org/source/openssl-1.1.1k.tar.gz

2.4 Testing with rpmlint

To avoid common errors, first use rpmlint to check the SPEC file:

$ rpmlint ~/rpmbuild/SPECS/openssl.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

If errors or warnings are returned, use the "-i" option to see more detailed information.

2.5 Building RPM packages from SPEC

$ rpmbuild -D "version 1.1.1k" -ba ~/rpmbuild/SPECS/openssl.spec

-ba Build source rpm package and binary rpm package

-bb Build binary rpm package only

-bs Build source rpm package only

-bp Execute to %prep stage (decompress source and apply patch)

-bc Execute to %build stage (%prep, then compile)

-bi Execute to %install stage (%prep, %build, then install)

-bl Verify the %files section to see if the files exist

  • When the build completes successfully, rpmbuild returns something like the following:

[Screenshot: rpmbuild_openssl-1.png]

  • To view the successfully built RPM package:

[Screenshot: rpmbuild_openssl-2.png]

The binary RPM package is generated in the RPMS folder, under x86_64, which indicates the target architecture. Since noarch is not specified as the architecture in the spec, the native architecture is used by default. The source RPM package is generated in the SRPMS folder.

2.6 Testing Built RPM Packages with rpmlint

rpmlint is used to check SPEC, RPM and SRPM files for errors. You need to resolve the warnings it reports before releasing the package. This page provides explanations of some common problems.

$ rpmlint ~/rpmbuild/SPECS/openssl.spec ~/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm ~/rpmbuild/SRPMS/openssl-1.1.1k-1.el7.src.rpm

Generally, what rpmlint reports are WARN messages, which do not affect the use of the software and can be ignored. An ERROR message may not affect use either, but it is recommended to fix it according to the prompt.

 

III. Install and Upgrade OpenSSL

In general, the system already has openssl, so we can upgrade it directly.

Note:

Remember! When upgrading openssl, perform the upgrade on a test machine first. After the upgrade, make sure there are no problems, and only then upgrade the machines in the online environment one after another.

3.1 Check the current OpenSSL version on your system

Check the current version of openssl in your system

$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Uninstall openssl

$ rpm -e openssl --nodeps

3.2 Upgrading OpenSSL Versions

Install the openssl version 1.1.1k that we just packaged

$ rpm -ivh ~/rpmbuild/RPMS/x86_64/openssl-1.1.1k-2.el7.x86_64.rpm --nodeps
Preparing... ################################# [100%]
Updating / installing...
1:openssl-1.1.1k-2.el7 ################################# [100%]

Check the openssl version on your system again

$ openssl version
OpenSSL 1.1.1k 25 Mar 2021

Lucky for me, the upgrade was successful!

But whether it has any effect on the system environment or on other software functions needs further testing, which I will omit here.
