Recompile OpenSSL 1.1 & NGINX 1.25 for TLS 1.3 (CentOS 7)

This tutorial shows how to recompile OpenSSL 1.1 & NGINX 1.25 for TLS 1.3 on CentOS 7, for the scenario where the server already has an older OpenSSL version installed and the nginx service is built against it.

More specifically, the goal is to enable OpenSSL 1.1.1t for the NGINX service, which currently runs with an older version, OpenSSL 1.0.2k.

# nginx -V
nginx version: nginx/1.25.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
# openssl version -a
OpenSSL 1.1.1t  7 Feb 2023

This means that there are two different versions of OpenSSL on the server: one installed on the system by "yum" (1.0.2k-fips) and one installed by manual compilation (OpenSSL 1.1.1t).

The usual recommendation is to reinstall OpenSSL at the server level, which means running the command: yum remove openssl. But there is a big problem here. Uninstalling the old OpenSSL version may also require uninstalling the applications that depend on it, such as nginx, MariaDB-server, certbot, plus many others.

A simpler solution is to recompile OpenSSL 1.1 & NGINX 1.25 for TLS 1.3.

Tutorial: Recompile OpenSSL 1.1 & NGINX 1.25 for TLS 1.3 (CentOS 7)

In my example, the recompilation is for nginx/1.25.0 & OpenSSL 1.1.1h, using the OpenSSL 1.1.1t libraries.

Recompile NGINX.

1. Create the file:

sudo nano

where you add the script:


## nginx

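## NGINX (nginx source tarball) and OPENSSL (OpenSSL source tarball)
## must be set before this point
if [ ! -f "${NGINX}" ];then
    ## the tarball has to be present in the current folder
    echo "${NGINX} not found" >&2
fi

ND=$(basename "$NGINX" .tar.gz)
if [ ! -d "${ND}" ];then
    tar zxvf "${NGINX}"
fi

cd "${ND}"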

## pre require package
## yum install gcc pcre-devel zlib-devel

./configure --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib64/nginx/modules  \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/ \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx \
    --group=nginx \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-openssl=../$(basename $OPENSSL .tar.gz)

sudo make install

nginx -V

Save the new file.

2. Make the new file executable:

chmod +x

Rewrite nginx.service

3. Make a backup of nginx.service.

cat /lib/systemd/system/nginx.service > /srv/nginx_service.txt

(you can choose any path you want for nginx_service.txt)

4. Create the file for the nginx service: nginx.service

sudo nano nginx.service

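5. In the new nginx.service file, add the lines:

##  /lib/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server

[Service]
## nginx daemonizes itself, so systemd has to track the forked process
Type=forking
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID

[Install]
WantedBy=multi-user.target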


6. Copy the file to the systemd directory.

sudo cp nginx.service /lib/systemd/system/nginx.service

7. After the file has been copied, update the file permissions using the command:

sudo chmod 644 /lib/systemd/system/nginx.service

8. Reload the systemd configuration so that the changes are taken into account, using the command:

sudo systemctl daemon-reload

9. Restart nginx.

sudo systemctl restart nginx

Recompile OpenSSL / NGINX for TLS 1.3

10. In the same folder where you have the files and nginx.service, create a new file:

sudo nano

Add the script:


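## Compile OpenSSL

OPENSSL=openssl-1.1.1h.tar.gz
## DONE (marker file for a finished OpenSSL build) and NGINX (nginx source
## tarball) must also be set here

if [ ! -f "${DONE}" ] ;then

    tar zxvf "${OPENSSL}"

    cd "$(basename "$OPENSSL" .tar.gz)"

    ./config shared no-idea no-md2 no-mdc2 no-rc5 no-rc4 --prefix=/usr/local/

    sudo make install

    cd ..

    ## remember that OpenSSL is already built and installed
    touch "${DONE}"
fi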

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib64/

read -n1 -r -p "$(/usr/local/bin/openssl version) - Press any key to continue..." key

source ./

Replace "OPENSSL=openssl-1.1.1h.tar.gz" with the version you want to install and recompile with NGINX.

11. Make the script executable:

chmod +x

12. Run the command:


Wait for the OpenSSL & NGINX recompilation process to complete.
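To confirm the rebuild took effect, check what "nginx -V" reports rather than what "openssl version" prints, since the two can differ as shown at the top of this page. The script below is an added example, not part of the original tutorial; the function names and the second sample input are constructed for illustration.

```shell
#!/bin/bash
# Added example. TLS 1.3 needs OpenSSL 1.1.1+ in the nginx binary itself; the
# version printed by the `openssl` CLI says nothing about what nginx uses.

# Print every OpenSSL version on nginx's "built with" line, one per line:
# the build-time version and, if nginx reports it, the "running with" version.
nginx_openssl_versions() {
    printf '%s\n' "$1" | grep 'built with OpenSSL' |
        grep -o 'with OpenSSL [^ )]*' | sed 's/^with OpenSSL //'
}

# Return 0 if the version is 1.1.1 or newer; letter and -fips suffixes are ignored.
openssl_supports_tls13() {
    local v major minor patch
    v=$(printf '%s' "${1%%-*}" | tr -d 'a-z')      # 1.0.2k-fips -> 1.0.2
    IFS=. read -r major minor patch <<EOF
$v
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Return 0 only if an OpenSSL line exists and every version on it is >= 1.1.1.
nginx_tls13_capable() {
    local versions v
    versions=$(nginx_openssl_versions "$1")
    [ -n "$versions" ] || return 1
    for v in $versions; do
        openssl_supports_tls13 "$v" || return 1
    done
}

# Excerpt of the `nginx -V` output shown on this page, before the rebuild.
BEFORE='nginx version: nginx/1.25.0
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'
# Constructed sample: a dynamically linked build that reports a newer runtime library.
MIXED='built with OpenSSL 1.1.1  11 Sep 2018 (running with OpenSSL 1.1.1t  7 Feb 2023)'

for sample in "$BEFORE" "$MIXED"; do
    if nginx_tls13_capable "$sample"; then verdict="TLS 1.3 possible"; else verdict="no TLS 1.3"; fi
    echo "OpenSSL $(nginx_openssl_versions "$sample" | tr '\n' ' '): $verdict"
done
# On the server: nginx_tls13_capable "$(nginx -V 2>&1)"   (-V prints to stderr)
```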


If we can help you or there are additions to be made, the comment section is open.
