RHEL/CentOS 6 OpenSSL client compatibility after DST Root CA X3 expiration

This may indicate wget is not using your newly built openssl 1.0.2 libraries.
Does ldd /usr/bin/wget | grep -e libcrypto -e libssl point to the libraries you built?

2 Likes

ldd /usr/bin/wget | grep -e libcrypto -e libssl

libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1119e00000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1119a1b000)

These are the old libraries. The libraries from 1.0.2 are here:
/usr/local/ssl/lib/libcrypto.a
/usr/local/ssl/lib/libssl.a

How can I make it use the new libraries?
I made openssl.conf in /etc/ld.so.conf.d and added to the file:
/usr/local/ssl/lib

But ldconfig does not find the new libraries.

1 Like

Hm, but are those files with the .a extension actually libraries? Usually the extension is .so right? My (Gentoo) system for example does not have a libssl.a nor a libcrypto.a.

2 Likes

You need the .so (shared object) files, not the .a (archive) files.
Does it work after export LD_LIBRARY_PATH=/usr/local/ssl/lib ?

Anyway, it will be much easier to just build and install RPM packages for openssl-1.0.2 as described above, so everything will be in the expected locations automatically.

3 Likes

I recompiled openssl with the shared option to get .so libraries:
./config shared
make
make install

Now in

/usr/local/ssl/lib

I have the libraries:
libcrypto.so (symlink to libcrypto.so.1.0.0 in this folder)
libssl.so (symlink to libssl.so.1.0.0 in this folder)

ldconfig -v
/usr/local/ssl/lib:
libssl.so.1.0.0 -> libssl.so.1.0.0
libcrypto.so.1.0.0 -> libcrypto.so.1.0.0

But ldd /usr/bin/wget | grep -e libcrypto -e libssl shows the same as before.
Why does openssl 1.0.2 compile with 1.0.0 libraries?

1 Like

Because it has the same ABI version, that's why it can be a drop-in replacement.

1 Like

So, I installed the correct openssl with libs:

openssl version
OpenSSL 1.1.1f 31 Mar 2020

ldconfig -v

/usr/local/openssl/lib:
libssl.so.1.1 -> libssl.so.1.1
libcrypto.so.1.1 -> libcrypto.so.1.1

But why does wget still use the old libs?

ldd /usr/bin/wget | grep -e libcrypto -e libssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f457cf7f000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f457cb9a000)
1 Like

Probably because your wget's ELF file explicitly asks for the .10 so file? The dynamic linker can't find those .so.10 files anywhere except in /usr/lib64/.

You MIGHT be able to change this behaviour into success by using patchelf. However, I have NO idea how that's going to work out, so please back up your binary:

cp /usr/bin/wget /usr/bin/wget.old
patchelf --replace-needed libssl.so.10 libssl.so.1.1 /usr/bin/wget
patchelf --replace-needed libcrypto.so.10 libcrypto.so.1.1 /usr/bin/wget

This is assuming your wget binary is compatible with the 1.1 versions of the libraries. You might revert to the 1.0 versions and change the above patchelf commands accordingly.

3 Likes
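The two replies above turn on the same fact: a binary names the exact sonames it wants (here libssl.so.10 and libcrypto.so.10) in its DT_NEEDED entries, so a rebuilt libssl.so.1.0.0 in /usr/local/ssl/lib is never considered, and patchelf --replace-needed works by rewriting those strings. The following is an added example, not code from the thread or from the OpenSSL or wget projects: it reads the DT_NEEDED list straight from an ELF file with the Python standard library, and resolves each name against a list of directories in the simplified way a loader would (plain directory search, no ld.so.cache). The build_minimal_elf helper makes a constructed, non-runnable ELF image purely as sample input; the directory list and the filename elf_needed.py are assumptions.

```python
"""Added example, not code from the thread: read the shared-library names an
ELF binary asks ld.so for (its DT_NEEDED entries) straight from the file.
That list is what `ldd` resolves and what `patchelf --replace-needed` edits,
and it explains why a rebuilt libssl.so.1.0.0 is ignored by a binary that
names libssl.so.10. Standard library only; little-endian ELF32/ELF64."""
import os
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def _program_headers(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for every program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    if data[4] == 2:   # ELFCLASS64
        e_phoff, = struct.unpack_from("<Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
        fmt = "<IIQQQQQQ"  # type flags offset vaddr paddr filesz memsz align
    else:              # ELFCLASS32
        e_phoff, = struct.unpack_from("<I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
        fmt = "<IIIIIIII"  # type offset vaddr paddr filesz memsz flags align
    for i in range(e_phnum):
        f = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield (f[0], f[2], f[3], f[5]) if data[4] == 2 else (f[0], f[1], f[2], f[4])


def _vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % vaddr)


def needed_libraries(data):
    """Return the DT_NEEDED sonames of an ELF image, in the order ld.so sees them."""
    phdrs = list(_program_headers(data))
    dyn = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dyn:
        return []   # statically linked: nothing for the dynamic linker to resolve
    _, d_off, _, d_size = dyn[0]
    ent_fmt, ent_size = ("<qQ", 16) if data[4] == 2 else ("<iI", 8)
    entries = []
    for off in range(d_off, d_off + d_size, ent_size):
        d_tag, d_val = struct.unpack_from(ent_fmt, data, off)
        if d_tag == DT_NULL:
            break
        entries.append((d_tag, d_val))
    strtab = [v for t, v in entries if t == DT_STRTAB]
    if not strtab:
        raise ValueError("dynamic section has no DT_STRTAB")
    base = _vaddr_to_offset(phdrs, strtab[0])
    names = []
    for d_tag, d_val in entries:
        if d_tag == DT_NEEDED:
            names.append(data[base + d_val:data.index(b"\x00", base + d_val)].decode("ascii"))
    return names


def resolve(names, search_dirs):
    """Simplified model of the loader's lookup: the first directory holding each
    soname, or None. Assumption: plain directory search, no ld.so.cache."""
    return {n: next((d for d in search_dirs
                     if os.path.exists(os.path.join(d, n))), None) for n in names}


def build_minimal_elf(needed):
    """Constructed test input: a tiny non-runnable ELF64 image that carries only
    a string table and a dynamic section naming `needed`. Not a real binary."""
    strtab, offsets = b"\x00", []
    for n in needed:
        offsets.append(len(strtab))
        strtab += n.encode("ascii") + b"\x00"
    phoff, phnum = 64, 2
    str_off = phoff + phnum * 56
    dyn_off = (str_off + len(strtab) + 7) & ~7
    dyn = struct.pack("<qQ", DT_STRTAB, str_off)
    dyn += b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 8)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + load + dynamic + strtab
    return body + b"\x00" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    # e.g. python3 elf_needed.py /usr/bin/wget /usr/lib64 /usr/local/ssl/lib
    path, dirs = (sys.argv[1], sys.argv[2:]) if len(sys.argv) > 1 else (None, [])
    image = open(path, "rb").read() if path else build_minimal_elf(["libssl.so.10", "libcrypto.so.10"])
    for name, where in resolve(needed_libraries(image), dirs or ["/lib64", "/usr/lib64", "/usr/local/ssl/lib"]).items():
        print("%-24s -> %s" % (name, where or "not found"))
```

Run it against /usr/bin/wget and the directories ldconfig searches and the output makes the situation in this thread explicit: libssl.so.10 is found only in /usr/lib64, while /usr/local/ssl/lib holds libssl.so.1.0.0 or libssl.so.1.1, neither of which matches the requested name. Replacing the name with patchelf only helps when the replacement library exports the same ABI the binary was built against, which is why the 1.1 rename suggested above is warned against in the next reply.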

Eh, now suddenly you're building OpenSSL 1.1.1 ? That won't work as a drop-in replacement for CentOS 6, you need OpenSSL 1.0.2 ...

3 Likes

So, euh, yeah, don't try to patch your wget to use the 1.1 libraries then :stuck_out_tongue:

2 Likes

This is getting a bit off-topic for the LE forum... Just follow @kstange's excellent guide above to build an OpenSSL 1.0.2 RPM for EL6, and you'll be fine.

3 Likes

Can you help me more about how to build this rpm?

  1. Download and extract https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm ?
  2. Change files
    openssl-1.0.2a-env-zlib.patch
    openssl-1.0.2j-deprecate-algos.patch
    openssl-1.0.2a-fips-ctor.patch
    openssl.spec
    Right?
  3. How build RPM after changes?
1 Like

Or just use curl.. I just spun up a CentOS 6 Docker container with a failing wget, removed DST Root CA X3 from /etc/ssl/certs/ca-bundle.crt and /etc/ssl/certs/ca-bundle.trust.crt (not sure if really necessary) and curl just works.. Seems to link to NSS instead of OpenSSL.

2 Likes
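The post above removes DST Root CA X3 from the bundle by hand. As an added example (not code from the thread or from any distribution's ca-certificates tooling), the script below rewrites a PEM bundle without the certificates that have expired at a given time, or that match a listed SHA-256 fingerprint, using only the Python standard library: a minimal DER walk pulls notAfter out of each certificate's TBSCertificate and nothing else is parsed or verified. The fake_cert helper builds constructed, unsigned stand-ins purely as sample input, and the expiry dates in them are constructed too. It matches only plain CERTIFICATE blocks, so it applies to ca-bundle.crt and not to the TRUSTED CERTIFICATE blocks in ca-bundle.trust.crt; and where the bundle is a file generated by update-ca-trust, regenerating it restores the removed entry, so treat the rewrite as a check or a one-off rather than a permanent fix.

```python
"""Added example, not code from the thread: rewrite a PEM CA bundle without
the certificates that have expired (or that match a listed SHA-256
fingerprint), which is the manual step described above for DST Root CA X3.
Standard library only; a minimal DER walk reads notAfter from each
certificate and nothing else is parsed or verified."""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """The (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out


def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE {
    _, tbs, _ = _tlv(cert, 0)               #   tbsCertificate, sigAlg, sig }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity { notBefore, notAfter }, ...
    tag, value = _children(fields[3][1])[1]
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ (RFC 5280 pivot at 50)
        yy = int(text[:2])
        text = "%d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:                       # else GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def fingerprint(der):
    """SHA-256 fingerprint of the DER certificate, upper-case hex, no colons."""
    return hashlib.sha256(der).hexdigest().upper()


def prune_bundle(pem, now, drop_fingerprints=()):
    """Return (pem_without_dropped, [(fingerprint, reason), ...]). Comment and
    header lines between certificates are not preserved."""
    drop = {f.replace(":", "").upper() for f in drop_fingerprints}
    kept, dropped = [], []
    for m in PEM_RE.finditer(pem):
        der = base64.b64decode(m.group(1))
        fp = fingerprint(der)
        if fp in drop:
            dropped.append((fp, "listed"))
        elif not_after(der) < now:
            dropped.append((fp, "expired %s" % not_after(der).date()))
        else:
            kept.append(m.group(0))
    return b"\n".join(kept) + b"\n", dropped


def _der(tag, content):
    """Encode one DER TLV with a minimal-length encoding."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    body = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def fake_cert(not_after_utctime):
    """Constructed sample input: an unsigned stand-in with only the fields this
    example walks. Not a real, valid or usable X.509 certificate."""
    validity = _der(0x30, _der(0x17, b"000101000000Z") + _der(0x17, not_after_utctime))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body).encode()


SAMPLE_NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)   # constructed "now"
EXPIRED, CURRENT = fake_cert(b"210930140115Z"), fake_cert(b"350604110438Z")


def demo(drop_fingerprints=()):
    """Prune a two-entry constructed bundle; returns (kept_count, reasons)."""
    kept, dropped = prune_bundle(to_pem(EXPIRED) + to_pem(CURRENT), SAMPLE_NOW, drop_fingerprints)
    return len(PEM_RE.findall(kept)), [reason for _, reason in dropped]


if __name__ == "__main__":
    import sys   # usage: python3 prune_bundle.py /etc/ssl/certs/ca-bundle.crt > pruned.crt
    data = open(sys.argv[1], "rb").read()
    kept, dropped = prune_bundle(data, datetime.now(timezone.utc))
    sys.stdout.buffer.write(kept)
    for fp, reason in dropped:
        sys.stderr.write("dropped %s (%s)\n" % (fp, reason))
```

Keep the original bundle until a TLS client has been tested against the pruned copy, and compare the dropped list against what you expect: an entry dropped for a reason other than the one you are targeting means the bundle already carried another expired anchor.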

Pretty much my same experience on CentOS 6, wget and openssl don't work but curl does

1 Like

I must say.. I have a hard time doing that. I run Gentoo on multiple systems, I'm not unfamiliar with compiling stuff, but the instructions linked are not that detailed I'm afraid. First of all, how do I unpack an .rpm? I read that rpm2cpio file.rpm | cpio -idmv does the trick, but the files I got didn't look like a regular source directory tree at all.. Just a bunch of .patch files and some others.

Furthermore, the instructions lack the exact build commands. For people familiar with compiling things, this might not be necessary, but for novice users they would be helpful. Although you could find the instructions online of course..

Edit: I don't think that RPM is the complete source?

[root@bcd17c8e9069 openssl]# rpm2cpio blaat.rpm | cpio -idmv
Makefile.certificate
README.FIPS
README.legacy-settings
ec_curve.c
ectest.c
hobble-openssl
make-dummy-cert
openssl-1.0.0-beta4-ca-dir.patch
openssl-1.0.0-timezone.patch
openssl-1.0.1c-aliasing.patch
openssl-1.0.1c-perlfind.patch
openssl-1.0.1i-algo-doc.patch
openssl-1.0.2a-apps-dgst.patch
openssl-1.0.2a-compat-symbols.patch
openssl-1.0.2a-defaults.patch
openssl-1.0.2a-dtls1-abi.patch
openssl-1.0.2a-env-zlib.patch
openssl-1.0.2a-fips-ctor.patch
openssl-1.0.2a-fips-ec.patch
openssl-1.0.2a-fips-md5-allow.patch
openssl-1.0.2a-ipv6-apps.patch
openssl-1.0.2a-issuer-hash.patch
openssl-1.0.2a-no-rpath.patch
openssl-1.0.2a-padlock64.patch
openssl-1.0.2a-readme-warning.patch
openssl-1.0.2a-rsa-x931.patch
openssl-1.0.2a-test-use-localhost.patch
openssl-1.0.2a-version-add-engines.patch
openssl-1.0.2a-version.patch
openssl-1.0.2a-x509.patch
openssl-1.0.2c-default-paths.patch
openssl-1.0.2c-ecc-suiteb.patch
openssl-1.0.2d-secp256k1.patch
openssl-1.0.2e-remove-nistp224.patch
openssl-1.0.2e-rpmbuild.patch
openssl-1.0.2e-speed-doc.patch
openssl-1.0.2e-wrap-pad.patch
openssl-1.0.2g-manfix.patch
openssl-1.0.2h-pkgconfig.patch
openssl-1.0.2i-chil-fixes.patch
openssl-1.0.2i-enc-fail.patch
openssl-1.0.2i-enginesdir.patch
openssl-1.0.2i-fips.patch
openssl-1.0.2i-secure-getenv.patch
openssl-1.0.2i-trusted-first-doc.patch
openssl-1.0.2j-deprecate-algos.patch
openssl-1.0.2j-downgrade-strength.patch
openssl-1.0.2j-krb5keytab.patch
openssl-1.0.2j-new-fips-reqs.patch
openssl-1.0.2k-backports.patch
openssl-1.0.2k-cc-reqs.patch
openssl-1.0.2k-cve-2017-3735.patch
openssl-1.0.2k-cve-2017-3736.patch
openssl-1.0.2k-cve-2017-3737.patch
openssl-1.0.2k-cve-2017-3738.patch
openssl-1.0.2k-cve-2018-0495.patch
openssl-1.0.2k-cve-2018-0732.patch
openssl-1.0.2k-cve-2018-0734.patch
openssl-1.0.2k-cve-2018-0737.patch
openssl-1.0.2k-cve-2018-0739.patch
openssl-1.0.2k-cve-2018-5407.patch
openssl-1.0.2k-cve-2019-1559.patch
openssl-1.0.2k-cve-2020-1971.patch
openssl-1.0.2k-fips-randlock.patch
openssl-1.0.2k-fix-9-lives.patch
openssl-1.0.2k-fix-one-and-done.patch
openssl-1.0.2k-hobbled.tar.xz
openssl-1.0.2k-long-hello.patch
openssl-1.0.2k-name-sensitive.patch
openssl-1.0.2k-no-ssl2.patch
openssl-1.0.2k-ppc-update.patch
openssl-1.0.2k-req-x509.patch
openssl-1.0.2k-rsa-check.patch
openssl-1.0.2k-s390x-update.patch
openssl-1.0.2k-starttls.patch
openssl-thread-test.c
openssl.spec
opensslconf-new-warning.h
opensslconf-new.h
renew-dummy-cert
9148 blocks
[root@bcd17c8e9069 openssl]# 
2 Likes

Tried the following:

yum install -y make gcc perl pcre-devel zlib-devel
yum install rpm-build
yum install krb5-devel lksctp-tools-devel util-linux
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
cd ~/rpmbuild/SOURCES
curl -o blaat.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm2cpio blaat.rpm | cpio -idm
rm -f blaat.rpm
sed -i 's/secure_getenv(/getenv(/g' *patch
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild SOURCES/openssl.spec

Does absolutely nothing :angry:

Doesn't output an error, doesn't create any files outside the SOURCES directory, just absolutely, literally nothing..

2 Likes

I would recommend using rpm to install the source package (rpm -i <package filename>) rather than rpm2cpio. This should create a rpmbuild directory inside your current home directory containing all parts of openssl's packaging in the correct directory structure (SOURCES, SPECS, RPMS, etc). Then you need to run rpmbuild -bb <spec filename> to build the binary package from a spec file.

Sorry I didn't include this info in the original instructions. I've been using CentOS and building custom RPMs for a good 15 years, so some of these details didn't register as significant to me as I was writing. I had also meant to come back and try to help further but I didn't note the difference between watching and tracking a thread on Discourse. I should see further replies via email now!

4 Likes

Thanks for the instructions! I did not know (I also really don't care, besides this entire thread, being a Gentoo user :rofl:) that installing a source RPM would install it into the appropriate file structure to be used for rpmbuild.

2 Likes

Hello,

I tried to build the package for openssl, but when I want to install it, I get this message.
error: Failed dependencies:
libc.so.6(GLIBC_2.14)(64bit) is needed by openssl-1:1.0.2k-21.el7.x86_64
libc.so.6(GLIBC_2.15)(64bit) is needed by openssl-1:1.0.2k-21.el7.x86_64
openssl-libs(x86-64) = 1:1.0.2k-21.el7 is needed by openssl-1:1.0.2k-21.el7.x86_64
openssl-libs(x86-64) = 1:1.0.2k-21.el7 is needed by openssl-devel-1:1.0.2k-21.el7.x86_64

Do you know why I have this problem?

Thanks for your response.

2 Likes

I successfully fixed this for CentOS 6.
I rebuilt openssl 1.0.2k and ca-certificates from el7 and converted them to el6; wget and curl are working right now, and the expired cert error is also gone.
Everything works now.

For the steps, I did as in the previous post: extract the RPM and repack it as an el6 RPM.

2 Likes