Upgrade openssl on 20.04

As we are coming up to Ubuntu 20.04's EOL on 23 April 2025, its openssl binary is still pinned to version 1.x.x. A Nessus [tenable.com] vulnerability scan flagged this under the following plugin [https://www.tenable.com/plugins/nessus/204924], and I have written the following script to automate patching openssl to version 3.0.15 in this example. The script needs to be run as a user with sudo permissions.

NOTE: take care with this upgrade, as Ubuntu have announced they will maintain openssl 1.x.x until 20.04's EoL (April 2025). Proceed with caution, as some packages might break when upgrading to 3.x.x.

#!/bin/bash
# upgrade openssl to 3.0.15 on ubuntu 20.04
set -e

OPENSSL_VERSION="3.0.15"
OPENSSL_SCRIPT="/etc/profile.d/openssl.sh"

# update the system

sudo apt update -y && sudo apt upgrade -y

# cleanup any packages after os patch

sudo apt autoremove -y

# install prereqs

sudo apt install build-essential zlib1g-dev -y

# download the installer

sudo wget -P /usr/local/src https://github.com/openssl/openssl/releases/download/openssl-"$OPENSSL_VERSION"/openssl-"$OPENSSL_VERSION".tar.gz

# extract the package

sudo tar xzvf /usr/local/src/openssl-$OPENSSL_VERSION.tar.gz -C /usr/local/src/

# configure, build and install openssl
# the options passed to the 'config' script are discussed here: https://github.com/openssl/openssl/blob/openssl-3.3/NOTES-UNIX.md
# --prefix/--openssldir place the build under /usr/local/ssl, which is the
# location the symlink, ld.so.conf.d entry and profile script below point at

echo "Configuring OpenSSL..."
cd "/usr/local/src/openssl-$OPENSSL_VERSION" && sudo bash /usr/local/src/openssl-"$OPENSSL_VERSION"/config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl '-Wl,-rpath,$(LIBRPATH)'

echo "Building OpenSSL (this may take a while)..."
sudo make -C "/usr/local/src/openssl-$OPENSSL_VERSION"

echo "Installing OpenSSL..."
sudo make -C "/usr/local/src/openssl-$OPENSSL_VERSION" install

# backup old openssl binary

echo "Backing up the old OpenSSL binary..."
sudo mv /usr/bin/openssl /usr/bin/openssl.bak

# update system to use newly installed openssl

echo "Updating the system to use the new OpenSSL..."
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

# update the library paths

echo "Updating library paths, this might take a while..."
echo "/usr/local/ssl/lib64" | sudo tee "/etc/ld.so.conf.d/openssl-$OPENSSL_VERSION.conf"
sudo ldconfig -v

# the quoted 'EOF' keeps $PATH and $OPENSSL_PATH literal in the generated file,
# so they are expanded at login time rather than while this script runs
cat << 'EOF' | sudo tee "$OPENSSL_SCRIPT"
OPENSSL_PATH="/usr/local/ssl/bin"
export OPENSSL_PATH
PATH=$PATH:$OPENSSL_PATH
export PATH
EOF

sudo chmod +x "$OPENSSL_SCRIPT"

echo "The script $OPENSSL_SCRIPT has been created and configured, executing script..."

# source the file so the PATH change applies to this shell;
# new login shells pick it up from /etc/profile.d automatically
. "$OPENSSL_SCRIPT"

#verify the new version

echo "Verifying the OpenSSL installation..."
openssl version

# clean up downloaded files

echo "Cleaning up downloaded files..."
sudo rm -rf /usr/local/src/openssl-*

echo "OpenSSL $OPENSSL_VERSION installation is complete!"
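
The script above downloads the source tarball and builds it as root without checking its integrity; the check below can run between the download and extract steps. It is an added example, not part of the original script, and it assumes a SHA-256 digest file for the tarball has been obtained separately (the `.sha256` file name in the usage comment is a placeholder).

```shell
#!/bin/bash
# Added example: verify a source tarball against a SHA-256 digest file
# before it is extracted and built with root privileges.

# Print the first standalone 64-hex-digit token in a checksum file, lowercased.
# Accepts a bare digest as well as the "digest  filename" sha256sum layout.
expected_digest() {
    grep -Eiow '[0-9a-f]{64}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 only when the tarball's SHA-256 equals the digest in the file.
# Return 1 on mismatch, 2 when an input is missing or holds no digest.
verify_tarball() {
    local tarball sumfile want got
    tarball="$1"
    sumfile="$2"
    [ -r "$tarball" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }
    want="$(expected_digest "$sumfile")"
    [ -n "$want" ] || { echo "no SHA-256 digest in $sumfile" >&2; return 2; }
    got="$(sha256sum "$tarball" | cut -d ' ' -f 1)"
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi
}

# Usage inside the upgrade script (digest file name is a placeholder):
#   verify_tarball "/usr/local/src/openssl-$OPENSSL_VERSION.tar.gz" \
#                  "/usr/local/src/openssl-$OPENSSL_VERSION.tar.gz.sha256" || exit 1
```

A digest fetched from the same host as the tarball only catches corruption or a partial download; to detect tampering, pin the expected digest from a source obtained independently of the download.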