janjust@xxxxxxxxx said:
> As you found out, it is nearly impossible to swap out the existing openssl
> 1.1.1g with a "stock" openssl version, as RedHat/CentOS have applied patches
> to it. My advice would be: don't even try. If you *have to* use openssl
> 1.1.1k, then switch to Fedora or to Ubuntu (not the LTS releases). But keep
> in mind:
> - debian 10 uses openssl 1.1.1d
> - ubuntu seems to be at openssl 1.1.1j
> etc.

There are two cases.

One is where you want to replace the system libraries so that all the
installed programs that use libssl will now use your new version. I agree
doing that is crazy. That's what distros are for.

But if you are working on a program and you want that one program to use a
new version, that's not so hard. The trick is to install your new version of
openssl in /usr/local/ (or wherever). Then you have to patch the build recipe
for your program to look there.

This is how you would get your program ready for 3.0.0 or get a program that
needs TLS1.3 to work on a distro that is stuck in the dark ages.

I use:
    ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared
to build and install OpenSSL, then, for waf:
    ctx.env.INCLUDES = ["/usr/local/ssl/include"]
    ctx.env.LIBPATH = ["/usr/local/ssl/lib"]

I don't remember where I found that config line.

-- 
These are my opinions. I hate spam.
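
An added example, not part of the original message: a library path such as LIBPATH only affects link time, so a program built this way can still load the distro's libssl at run time unless an rpath, LD_LIBRARY_PATH or ld.so.conf entry points at the private prefix. The helper below (the name `check_ssl_prefix` and the sample `ldd` lines are constructed for illustration) reads `ldd` output and reports which copy the loader would pick, assuming a dynamically linked binary.

```shell
#!/bin/sh
# check_ssl_prefix PREFIX  (hypothetical helper; reads `ldd` output on stdin)
# Exit 0: every libssl/libcrypto line resolves under PREFIX.
# Exit 1: at least one resolves elsewhere or is not found.
# Exit 2: the binary has no dynamic libssl/libcrypto dependency at all.
check_ssl_prefix() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            # ldd format: "libssl.so.1.1 => /path/libssl.so.1.1 (0x...)"
            path = ($2 == "=>" && $3 ~ /^\//) ? $3 : "not found"
            if (index(path, prefix "/") == 1) {
                print "OK    " $1 " -> " path
            } else {
                print "OTHER " $1 " -> " path
                bad++
            }
        }
        END {
            if (seen == 0) { print "no libssl/libcrypto dependency"; exit 2 }
            exit (bad > 0)
        }'
}

# Constructed sample: linked against the private build but with no run-time
# search path, so the loader resolves the same soname to the system copy.
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007ffc00000000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000200000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000100000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Constructed sample: same binary once an rpath of /usr/local/ssl/lib is set.
SAMPLE_PREFIX='	linux-vdso.so.1 (0x00007ffc00000000)
	libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f0000200000)
	libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f0000100000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Real use: sh this_script ./myprog [/usr/local/ssl]
if [ "$#" -ge 1 ]; then
    ldd "$1" | check_ssl_prefix "${2:-/usr/local/ssl}"
fi
```

If the check reports OTHER, one common fix is to pass `-Wl,-rpath,/usr/local/ssl/lib` to the linker so the binary carries its own search path.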