
Compiling OpenSSL and OpenSSH

2010-08-12 (63) by Ton Kersten, tagged as sysadm

My server at home runs CentOS 5 and this has OpenSSH version 4.3. Running updates doesn't update this version, because RedHat keeps the version number stable.

But I wanted a newer OpenSSH because of some nice new features. But when I do compile a new version I'm still stuck with old OpenSSL, and that's not what I want.

Well, you can guess it by now, this is what I did.

I first got the newest version of OpenSSL and compiled it with

./config shared --prefix=/usr/local/openssl
make install

This way this SSL is completely separate from the one on the system, so nothing gets broken.

After this I wanted to compile OpenSSH, and I did get the message

configure: error: Your OpenSSL headers do not match your library

I took a look at Google and I found a lot of answers, including one where you had to copy all the header files all over the place. I was completely flabbergasted when I read this solution. A short example (there were a lot more. To protect this lunatic I removed his userid from the lines below):

cd /home/x/openssl/openssl-*
cd include/openssl
cp * /usr/include
cp * /usr/local/ssl/include
cp * /usr/local/ssl/include/openssl
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/local/ssl/include
cd /home/x/openssl/openssl-*
cp lib* /usr/local/ssl/lib/
cp lib* /usr/lib/
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/include/
cp * /usr/local/ssl/include/
cp * /usr/local/ssl/include/openssl

Well, let's put it this way: ARE YOU NUTS!!!

If you want to break things, that's the way to go.

And after all this copying he got the message:

Connecting to server...
OpenSSL version mismatch. Built against 90603f, you have 90607f
Couldn't read packet: Connection reset by peer

And guess what, this was solved with more copying of libraries and header files. What a mess. Thank God he lives in the States and his resume says he is only a Linux Systems Expert working for a brain surgeon. I reckon he will never touch my brain or machines.

I experimented somewhat with the configure options and it's quite easy

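# Link against the private OpenSSL and embed its path so the binaries load it at run time
export LDFLAGS="-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib"
./configure                                 \
    --with-pam                              \
    --with-kerberos5                        \
    --with-ssl-engine                       \
    --with-ssl-dir=/usr/local/openssl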

and now OpenSSH compiles with the special OpenSSL without polluting your entire system.
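To check the result of a build like the one above, the following added example (not part of the original post) decodes the hex numbers in the "OpenSSL version mismatch" message and checks from `ldd` output that libcrypto resolves under the private prefix. The function names are hypothetical, the sshd path in the comment is an assumption, and the decoder assumes the pre-3.0 OpenSSL version layout MNNFFPPS.

```shell
#!/bin/sh
# Added example. Decode a pre-3.0 OpenSSL version number (hex MNNFFPPS),
# e.g. 90603f -> 0.9.6c
decode_ossl_ver() {
    v=$((0x$1))
    major=$(( (v >> 28) & 0xf ))
    minor=$(( (v >> 20) & 0xff ))
    fix=$((   (v >> 12) & 0xff ))
    patch=$(( (v >> 4)  & 0xff ))
    status=$(( v & 0xf ))
    letter=""
    # Patch level 1..26 maps to the release letter a..z
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c"$patch")
    fi
    case $status in
        0)  tag="-dev" ;;
        15) tag="" ;;               # 0xf marks a release build
        *)  tag="-beta$status" ;;
    esac
    printf '%s.%s.%s%s%s\n' "$major" "$minor" "$fix" "$letter" "$tag"
}

# "Built against" is the header version compiled in, "you have" is the
# library version found at run time.
explain_mismatch() {
    built=$(printf '%s\n' "$1" | sed -n 's/.*Built against \([0-9a-fA-F]*\),.*/\1/p')
    have=$(printf '%s\n' "$1"  | sed -n 's/.*you have \([0-9a-fA-F]*\).*/\1/p')
    [ -n "$built" ] && [ -n "$have" ] || return 1
    printf 'headers %s, runtime library %s\n' \
        "$(decode_ossl_ver "$built")" "$(decode_ossl_ver "$have")"
}

# Reads `ldd` output on stdin; succeeds only if libcrypto resolves under $1.
# Usage (binary path is an assumption):
#   ldd /usr/local/sbin/sshd | libcrypto_under /usr/local/openssl
libcrypto_under() {
    path=$(sed -n 's/^[[:space:]]*libcrypto\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1)
    case $path in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The error line quoted in the post
explain_mismatch 'OpenSSL version mismatch. Built against 90603f, you have 90607f'
```

If `libcrypto_under` fails for the freshly built binary, the run-time loader is still picking up the system library and the mismatch error will appear on connect.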

Have fun and don't mess up!