Fedora’s OpenSSL build is actually a cut-down version
with many of the elliptic curve features removed due to patent concerns. These are available in stock OpenSSL and in other distros such as Ubuntu, so it’s a pain they’re not available in Fedora. Daniel Pocock provided a nice tutorial
on how to build an RPM that restores the functionality, but it’s a bit old now (Fedora 19, 2013) and generated errors when I tried to follow it more recently. Here’s an updated process that’ll work for OpenSSL 1.0.2k on Fedora 26.
Prepare the system
Remove the existing openssl-devel package and install the dependencies needed to build a new one. These all have to be done as root (e.g. by adding sudo to the front of them).
rpm -e openssl-devel
dnf install rpm-build krb5-devel zlib-devel gcc gmp-devel \
libcurl-devel openldap-devel NetworkManager-devel \
NetworkManager-glib-devel sqlite-devel lksctp-tools-devel \
Set up an rpmbuild environment
If you don’t already have one
. Something like this should do the trick.
Obtain the packages and build
The following will download the sources and apply a patch to reinstate the ECC functionality. This is broadly the same as Daniel's, but with more recent package links and an updated patch to work with them.
# Install the fedora RPM with all the standard Red Hat patches
rpm -i openssl-1.0.2k-1.fc25.src.rpm
# Install the stock OpenSSL source which doesn’t have the ECC code removed
# Patch the spec file to avoid all of the nasty ECC-destroying patches
patch -p0 < openssl.spec.ec-1.0.2k.patch
# And build
rpmbuild -bb openssl.spec
Install the OpenSSL packages
cd ~/rpmbuild/RPMS/$(uname -i)
rpm -Uvh --force openssl-1.0.2k*rpm openssl-devel-1.0.2k*rpm openssl-libs-1.0.2k*rpm
Once this has completed, your ECC functionality should be restored. You can check by entering
openssl ecparam -list_curves
to list the curves your currently installed package supports. That should be it. In case you want to use the slightly older 1.0.2j version of OpenSSL, you can follow my separate post
on the topic.