Security audits often begin with a simple check of the OpenSSL version installed on your Linux machine. Knowing how to check the OpenSSL version on Linux is a fundamental skill for system administrators, developers, and anyone responsible for maintaining secure servers. This guide walks you through every method, from the basic command to advanced verification techniques, so you can always confirm your SSL library is up to date and secure.
OpenSSL is a critical component for encrypted communications on Linux. It powers HTTPS, SSH, and many other security protocols. An outdated version can leave your system vulnerable to known exploits. Checking your version regularly is a quick way to stay on top of security patches.
In this article, you will learn multiple ways to find your OpenSSL version. We cover command-line checks, package manager queries, and even how to verify the installed files. Each method is explained with clear steps and practical examples.
How To Check OpenSSL Version On Linux
The most direct way to check your OpenSSL version is using the openssl version command. This command outputs the version number and build information. It works on virtually all Linux distributions without needing additional tools.
Open your terminal. Type the following command and press Enter:
openssl version
You will see output similar to this:
OpenSSL 1.1.1k 25 Mar 2021
The output shows the major version (1.1.1), the patch level (k), and the release date. This is the simplest method and works on Ubuntu, Debian, CentOS, Fedora, Arch Linux, and almost any other distribution.
For more detailed information, use the -a flag:
openssl version -a
This displays the full build configuration, including compiler flags, platform, and installed directories. It is useful for troubleshooting or when you need to verify how OpenSSL was compiled.
Using The OpenSSL Command With Full Path
Sometimes the openssl binary might not be in your PATH. You can locate it with which openssl or whereis openssl. Once you find the path, run it directly:
/usr/bin/openssl version
This ensures you are checking the correct binary, especially if you have multiple versions installed. It is a good habit for security audits.
Checking OpenSSL Version Via Package Manager
Each Linux distribution manages software packages differently. Using your package manager gives you the version that the system knows about, which may differ from the running binary. This is important for understanding what updates are available.
On Debian And Ubuntu (APT)
For systems using APT, run:
apt show openssl
Look for the Version: line in the output. Alternatively, use:
dpkg -l | grep openssl
This lists all installed packages containing “openssl” in their name. The version appears in the second column.
On Red Hat, CentOS, And Fedora (YUM Or DNF)
For older systems with YUM:
yum info openssl
For newer systems using DNF:
dnf info openssl
Both commands show the installed version and available updates. You can also query the RPM database directly:
rpm -qa | grep openssl
This prints all installed OpenSSL-related packages with their full version strings.
On Arch Linux (Pacman)
Arch users can check with:
pacman -Qi openssl
Or list all OpenSSL packages:
pacman -Q | grep openssl
On SUSE Linux (Zypper)
For openSUSE or SUSE Enterprise:
zypper info openssl
Or search installed packages:
rpm -qa | grep openssl
Verifying OpenSSL Library Version
OpenSSL consists of both a command-line tool and shared libraries. The library version might be different from the tool version. To check the library version, use:
openssl version -v
This shows the library version number. For even more detail, you can check the actual shared object files:
ls -l /usr/lib/x86_64-linux-gnu/libssl.so*
Or on 32-bit systems:
ls -l /usr/lib/i386-linux-gnu/libssl.so*
The file names include the version number. For example, libssl.so.1.1 indicates OpenSSL 1.1.x.
Using LDD To Confirm Linked Library
If you need to verify which OpenSSL library a specific program uses, run:
ldd /path/to/program | grep ssl
This shows the exact library path and version linked at runtime. It is useful for debugging compatibility issues.
Checking OpenSSL Version In Scripts
Automation scripts often need to check the OpenSSL version. You can capture the output in a variable and parse it. For example, in Bash:
version=$(openssl version | awk '{print $2}')
echo "OpenSSL version is $version"
This extracts just the version number (e.g., 1.1.1k). You can then compare it against a minimum required version. For more robust parsing, use cut or sed.
Here is a simple script to check if OpenSSL is at least version 1.1.1:
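#!/bin/bash
# Minimum acceptable OpenSSL version
min_version="1.1.1"
# The second field of "OpenSSL 1.1.1k  25 Mar 2021" is the full version string
current=$(openssl version | awk '{print $2}')
# sort -V orders version strings numerically; if the minimum sorts first
# (or the two are equal), the installed version is new enough
lowest=$(printf '%s\n%s\n' "$min_version" "$current" | sort -V | head -n1)
if [[ "$lowest" != "$min_version" ]]; then
    echo "OpenSSL version $current is too old. Please upgrade."
else
    echo "OpenSSL version $current is sufficient."
fi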
Understanding OpenSSL Version Numbers
OpenSSL version strings follow a specific format. For example, 1.1.1k breaks down as:
- 1 – Major version (breaking changes)
- 1 – Minor version (new features, backward compatible)
- 1 – Patch level (bug fixes)
- k – Letter patch (incremental fixes after the dot release)
OpenSSL 3.x uses a slightly different scheme. For instance, 3.0.2 means major version 3, minor 0, patch 2. The letter suffix is only used in the 1.x series.
Knowing this helps you quickly assess if your version is current. The OpenSSL project maintains a list of supported versions and their end-of-life dates.
Common Issues When Checking OpenSSL Version
Sometimes the openssl command is not found. This usually means OpenSSL is not installed or the PATH is misconfigured. Install it using your package manager:
- Debian/Ubuntu: sudo apt install openssl
- CentOS/RHEL: sudo yum install openssl
- Fedora: sudo dnf install openssl
- Arch: sudo pacman -S openssl
Another common issue is having multiple OpenSSL versions installed. Use which openssl to see which binary runs first. You can also check echo $PATH to understand the search order.
If the version shown by openssl version differs from the package manager, you may have a custom build or a symlink pointing to a different location. Use readlink -f "$(which openssl)" to resolve the actual file.
Checking OpenSSL Version On Docker Containers
Inside a Docker container, you can check the OpenSSL version the same way as on a regular Linux system. Run:
docker exec -it container_name openssl version
Or if you are already inside the container, just use the standard command. This is important for container security audits, as base images may have outdated libraries.
You can also check the version during the Docker build process by adding a RUN command:
RUN openssl version
This prints the version to the build log, helping you verify the image is using the expected OpenSSL.
Why You Should Check OpenSSL Version Regularly
OpenSSL vulnerabilities are discovered frequently. The Heartbleed bug (CVE-2014-0160) affected versions 1.0.1 through 1.0.1f. More recent vulnerabilities like CVE-2022-3786 and CVE-2022-3602 impacted OpenSSL 3.x. Checking your version helps you know if you are exposed.
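Added example (not from the original article): a POSIX shell helper that applies the version scheme described earlier, including the 1.x letter suffix, to test an openssl version banner against the Heartbleed range quoted above (1.0.1 through 1.0.1f). The function names and the banners in the comments are constructed for illustration.

```sh
#!/bin/sh
# in_range VERSION LOW HIGH -> exit 0 if LOW <= VERSION <= HIGH,
# exit 1 if outside, exit 2 if VERSION cannot be parsed.
in_range() {
    LC_ALL=C awk -v v="$1" -v lo="$2" -v hi="$3" '
    function key(s,   n, num, rest) {
        if (!match(s, /^[0-9]+\.[0-9]+\.[0-9]+/)) return ""
        num = substr(s, 1, RLENGTH); rest = substr(s, RLENGTH + 1)
        split(num, n, ".")
        sub(/[^a-z].*$/, "", rest)   # keep the 1.x letter, drop "-fips" etc.
        # Fixed-width key so plain string comparison orders versions:
        # 1.0.1 -> 001.000.001.   1.0.1f -> 001.000.001.f
        return sprintf("%03d.%03d.%03d.%s", n[1], n[2], n[3], rest)
    }
    BEGIN {
        k = key(v)
        if (k == "") exit 2
        exit !(key(lo) <= k && k <= key(hi))
    }'
}

# heartbleed_status BANNER: classify one line of `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "LibreSSL 3.3.6" (constructed samples).
heartbleed_status() {
    impl=${1%% *}                    # first word: OpenSSL or LibreSSL
    rest=${1#* }; ver=${rest%% *}    # second word: version string
    if [ "$impl" != "OpenSSL" ]; then
        echo "not-openssl $impl"
    elif in_range "$ver" 1.0.1 1.0.1f; then
        echo "in-range $ver"
    elif [ $? -eq 2 ]; then
        echo "unparsed $ver"
    else
        echo "outside-range $ver"
    fi
}

# Classify the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)"
fi
```

Distribution packages often backport fixes without changing the upstream version string, so an in-range result should be confirmed against the package changelog before treating the host as exposed.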
Security compliance frameworks like PCI DSS and HIPAA require keeping cryptographic libraries up-to-date. Regular version checks are a simple way to demonstrate compliance.
Additionally, some applications require specific OpenSSL versions. For example, Python 3.10+ needs OpenSSL 1.1.1 or later. Knowing your version prevents compatibility surprises.
Automating OpenSSL Version Checks
You can automate version checks using cron jobs or monitoring tools. Here is a simple cron job that emails you if the version is outdated:
0 6 * * * /usr/bin/openssl version | grep -qF "OpenSSL 1.1.1" || echo "OpenSSL needs update" | mail -s "OpenSSL Alert" admin@example.com
For more advanced monitoring, use tools like Nagios, Zabbix, or Prometheus. They can check the OpenSSL version as part of a broader security scan.
Configuration management tools like Ansible, Puppet, or Chef can also enforce version requirements. For example, an Ansible playbook might fail if the OpenSSL version is below a threshold.
Comparing OpenSSL Versions Across Multiple Servers
If you manage many Linux servers, you can check OpenSSL versions in bulk using SSH. Here is a one-liner using a loop:
for host in server1 server2 server3; do
    echo "$host: $(ssh "$host" 'openssl version')"
done
Or use a tool like pssh or ansible for parallel execution. This gives you a quick overview of which servers need updates.
You can also generate a report by saving the output to a file:
for host in $(cat servers.txt); do
    echo "$host: $(ssh "$host" 'openssl version')" >> openssl_versions.txt
done
Then sort and analyze the results to identify outliers.
Checking OpenSSL Version On Embedded Linux Systems
Embedded Linux systems like routers or IoT devices may have limited resources. The openssl version command still works, but the binary might be stripped or located in a non-standard path. Use find / -name openssl -type f 2>/dev/null to locate it.
Some embedded systems use BusyBox, which may include a minimal OpenSSL implementation. In that case, run busybox openssl version if available.
If the system lacks the openssl command entirely, you can check the library version by examining /lib/libssl.so* or using strings:
strings /lib/libssl.so.1.1 | grep "^OpenSSL"
This extracts the version string directly from the shared library.
Understanding OpenSSL FIPS Mode
Some environments require FIPS 140-2 compliance. OpenSSL can be compiled with FIPS support. To check if your installation is FIPS-enabled, run:
openssl version -f
If the output includes "fips", then FIPS mode is available. You can also check the FIPS module version:
openssl version -m
This shows the FIPS module version number. Note that FIPS mode must be explicitly enabled in the configuration file.
Updating OpenSSL After Checking Version
Once you know your OpenSSL version, you may need to update it. Use your package manager:
- Debian/Ubuntu: sudo apt update && sudo apt upgrade openssl
- CentOS/RHEL: sudo yum update openssl
- Fedora: sudo dnf update openssl
- Arch: sudo pacman -Syu openssl
After updating, verify the new version with openssl version. If you compiled OpenSSL from source, you will need to download the latest tarball and rebuild.
Remember to restart any services that use OpenSSL after updating, such as Apache, Nginx, or SSH. Otherwise, they may continue using the old library until the next reboot.
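Added example (not from the original article): one way to find the services that still need that restart is to look for processes whose memory maps reference a libssl or libcrypto file that has since been replaced on disk. The function names and the sample maps excerpt are constructed for illustration.

```sh
#!/bin/sh
# stale_ssl_maps reads the text of /proc/<pid>/maps on stdin and prints each
# libssl/libcrypto path that is still mapped although the file was deleted or
# replaced on disk (the kernel appends " (deleted)" to such entries).
stale_ssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# scan_processes walks every PID and prints "pid<TAB>name<TAB>stale libraries".
# Run it as root to see processes owned by other users.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_maps 2>/dev/null < "$maps" | tr '\n' ' ')
        if [ -n "$stale" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$stale"
        fi
    done
}

# Constructed sample: maps excerpt of a daemon started before the upgrade.
sample_maps() {
cat <<'EOF'
7f3a10000000-7f3a1001d000 r--p 00000000 08:01 131402 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1001d000-7f3a10068000 r-xp 0001d000 08:01 131402 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a10200000-7f3a10278000 r--p 00000000 08:01 131399 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a10600000-7f3a10622000 r--p 00000000 08:01 131120 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a10a00000-7f3a10a21000 rw-p 00000000 00:00 0
EOF
}

# Pass --scan to check the live system; without it only the functions are defined.
if [ "${1:-}" = "--scan" ]; then
    scan_processes
fi
```

Any process listed by the scan is still running the pre-update library and should be restarted.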
Common Mistakes When Checking OpenSSL Version
One common mistake is confusing the OpenSSL version with the LibreSSL version. Some systems, like OpenBSD, use LibreSSL instead. The command openssl version will still work, but it will show LibreSSL's version. Check the output for "LibreSSL" to confirm.
Another mistake is relying solely on the package manager version. The installed binary might be different if you compiled from source or installed via a third-party repository. Always verify with the actual binary.
Also, do not assume that the version shown by openssl version is the same as the library version used by applications. Use ldd or check the specific library files to be sure.
Using OpenSSL Version For Troubleshooting
When debugging SSL/TLS issues, the OpenSSL version can provide clues. For example, if a client reports a protocol mismatch, the server's OpenSSL version might not support the required TLS version. Use openssl s_client to test connections and compare with the version information.
If you encounter a "protocol version mismatch" error, check if your OpenSSL supports TLS 1.3. OpenSSL 1.1.1 and later include TLS 1.3 support. Older versions only support up to TLS 1.2.
You can also use the version to check for known vulnerabilities. The OpenSSL project maintains a security advisory page. Cross-reference your version with the advisories to see if you are affected.
Checking OpenSSL Version In Different Linux Distributions
While the basic command is the same, some distributions have unique quirks. For example, on Alpine Linux, OpenSSL might be replaced by LibreSSL. Run apk info openssl to see what is installed.
On Gentoo, you can check the version with equery list openssl or qlist -I openssl. Gentoo also allows multiple slots, so you may have several versions installed simultaneously.
On Slackware, use slackpkg info openssl or check /var/log/packages/ for the installed package file.
Regardless of distribution, the openssl version command remains the most reliable method.
Conclusion
Checking your OpenSSL version on Linux is a simple but essential task. Whether you use the basic openssl version command, query your package manager, or verify library files, you now have multiple reliable methods. Regular checks help you maintain security, ensure compatibility, and stay compliant with industry standards.
Make it a habit to check your OpenSSL version after system updates or when you install new software. Automation can help, but even a manual check once a month can catch outdated versions before they become a problem. Your Linux system's security depends on keeping cryptographic libraries current.
Frequently Asked Questions
What Is The Command To Check OpenSSL Version On Linux?
The primary command is openssl version. It prints the version number and build date. For more details, use openssl version -a.