Join the community today
Register Now

Security OpenSSL January 26, 2017: OpenSSL 1.0.2k & 1.1.0d Security Update + Centmin Mod Nginx

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 27, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5

    OpenSSL 1.0.2k Release Information



    OpenSSL folks are releasing OpenSSL 1.1.0d and 1.0.2k security updates on January 26th, 2017 - CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, and backported patch fixed in OpenSSL 1.1.0c CVE-2016-7055. Centmin Mod 123.08stable only supports OpenSSL 1.0.2k for Nginx SSL. Centmin Mod 123.09beta01 supports both OpenSSL 1.1.0d and 1.0.2k for Nginx SSL.

    OpenSSL Security Vulnerabilitys Fixed include:
    • CVE-2017-3730
    • CVE-2017-3731
    • CVE-2017-3732
    • backported patch fixed in OpenSSL 1.1.0c CVE-2016-7055

    Notes:


    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default are compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2k, so generally don't need updating for Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod 123.08stable version of Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL. While 123.09beta01 has switched back to LibreSSL 2.4 branch.

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2k



    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there's 2 parts to updating OpenSSL - system YUM package back ported update + Nginx OpenSSL static compilation for front facing Nginx server and https/SSL.

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable) and higher (including betas) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.0.2k' variable set. Check your updated Centmin Mod centmin.sh to see if OPENSSL_VER='1.0.2k' is set. If not set, then you need to manually update and edit your server copy of by setting OPENSSL_VERSION='1.0.2k' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and add to it
      Code (Text):
      OPENSSL_VERSION='1.0.2k'
    Centmin Mod Nginx doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
     ldd `which nginx` | grep ssl


    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS



    Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also sometimes Redhat or CentOS system versions won't be affected by the OpenSSL source listed bugs/security issues. You have to read each CVE* listing on Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    CentOS 7
    Code (Text):
    TBA
    


    CentOS 6
    Code (Text):
    TBA
    


    For CentOS 7
    Code (Text):
    rpm -qa --changelog openssl | head -n8
    TBA
    


    For CentOS 6

    CentOS system openssl update seems to be out for CentOS 6 - not yet for CentOS 7
    Code (Text):
    rpm -ql --changelog openssl | head -n13
    TBA
    


    For auto daily updates check out yum-cron for auto updates.

    Code (Text):
    yum list updates -q | grep openssl
    


    Code (Text):
    rpm -qa --changelog openssl | head -n11
    


    To update
    Code (Text):
    yum -y update

    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VER='1.0.2k'



    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards by default are compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2k, so generally don't need updating for Centmin Mod Nginx side. But CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, Centmin Mod 123.08stable version of Nginx has switched back to being compiled against OpenSSL 1.0.2+ for out of box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL. While 123.09beta01 has switched back to LibreSSL 2.4 branch.
    To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable for OPENSSL_VERSION. There's 2 ways to do that:
    1. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto update centmin.sh to latest version which already has OPENSSL_VERSION='1.0.2k' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.0.2k' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup or if centmin.sh doesn't have OPENSSL_VERSION='1.0.2k' set, then you need to manually update and edit your server copy of by setting OPENSSL_VERSION='1.0.2k' in your persistent config file (create it if it doesn't exist) at /etc/centminmod/custom_config.inc and add to it
      Code (Text):
      OPENSSL_VERSION='1.0.2k'
      Then run centmin.sh menu option 4 to recompile Nginx. When prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) ). Then when prompted specify Nginx version = 1.11.9 or newer. Let Nginx recompile run to completion, it should say Nginx installed successfully. Check if Nginx compiled against 1.0.2k using Nginx -V command
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.4.4


    If using OpenSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2k  26 Jan 2017
    
     
    Last edited: Jan 27, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
    As Centmin Mod Nginx defaults to LibreSSL for SSL, if you want to use OpenSSL 1.0.2k with Nginx SSL, need to set in persistent config file at /etc/centminmod/custom_config.inc the following variable
    Code (Text):
    LIBRESSL_SWITCH='n'
    

    Then run centmin.sh menu option 4 to recompile Nginx.

    So update your Centmin Mod code as outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS via centmin.sh menu option 23 submenu option 2 first
    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 23
    --------------------------------------------------------
    

    centmin.sh menu option 23 submenu option 2
    Code (Text):
    
    --------------------------------------------------------
            Centmin Mod Updater Sub-Menu          
    --------------------------------------------------------
    1). Setup Centmin Mod Github Environment
    2). Update Centmin Mod Current Branch
    3). Update Centmin Mod Newer Branch
    4). Exit
    --------------------------------------------------------
    Enter option [ 1 - 4 ] 2
    --------------------------------------------------------
    

    select 4 to exit out of submenu, select 24 to exit out of centmin.sh, then re-cd into /usr/local/src/centminmod and re-run centmin.sh menu option 4
    Code (Text):
    cd /usr/local/src/centminmod
    ./centmin.sh
    


    Or if you don't want to use centmin.sh menu option 23, you can do straight git pull update via
    Code (Text):
    cd /usr/local/src/centminmod
    git stash
    git pull
    ./centmin.sh
    


    FYI, this forum is now using Nginx 1.11.9 + OpenSSL 1.0.2k via LIBRESSL_SWITCH='n' based centmin.sh menu option 4 recompile

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 4
    --------------------------------------------------------
    

    Code (Text):
    Do you want to run YUM install checks ?  [y/n]
    
    This will increase your upgrade duration time wise.
    Check the change log centminmod.com/changelog.html
    to see if any Nginx or PHP related new additions
    which require checking YUM prequisites are met.
    If no new additions made, you can skip the
    YUM install check to speed up upgrade time.
    
     [y/n]: n
    

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Install which version of Nginx? (version i.e. type 1.11.9): 1.11.9


    End result
    If your nginx -v output shows built with LibreSSL instead, then this OpenSSL 1.0.2k update doesn't apply to you. I'd expect LibreSSL 2.4.5 release soon for similar security fixes as right now LibreSSL 2.4.4 is latest still.
     
    • Like Like x 1
  3. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
    More details on security issues fixed in OpenSSL 1.0.2k and 1.1.0d OpenSSL Patches Four Vulnerabilities | SecurityWeek.Com

    For CVE-2017-3730 specifically CVE-2017-3730: OpenSSL 1.1.0 remote client denial-of-service, affects servers as well (+ PoC)
     
    Last edited: Jan 27, 2017
  4. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
    For Redhat/CentOS system OpenSSL
    As expected as Redhat/CentOS use OpenSSL 1.0.1e with backported fixes and these seem to be related to OpenSSL 1.0.2+ and 1.1.0+ which only Centmin Mod Nginx uses for ALPN protocol and HTTP/2 support.
     
  5. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
  6. CarpCharacin

    CarpCharacin Member

    213
    14
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +18
    Local Time:
    12:54 PM
    1.13.0
    MariaDB 10
    Does this apply if I am using LetsEncrypt?
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
    applies if Nginx uses OpenSSL

    As per bottom of 1st post above. You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.4.4


    If using OpenSSL, built with line will list such
    Code (Text):
    nginx -V
    nginx version: nginx/1.11.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2k  26 Jan 2017
    
     
    • Informative Informative x 1
  8. CarpCharacin

    CarpCharacin Member

    213
    14
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +18
    Local Time:
    12:54 PM
    1.13.0
    MariaDB 10
    I just recompiled nginx. nginx -V says it is using libressl. What is the difference? Isn't libressl a fork of openssl?
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    4:54 AM
    Nginx 1.13.x
    MariaDB 5.5
    Yup, so you're fine, Centmin Mod defaults to LibreSSL for Nginx unless you set LIBRESSL_SWITCH='n' in persistent config /etc/centminmod/custom_config.inc BEFORE centmin.sh menu option 4 nginx compiles.
     
    • Like Like x 1
  10. CarpCharacin

    CarpCharacin Member

    213
    14
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +18
    Local Time:
    12:54 PM
    1.13.0
    MariaDB 10
    This is the full output of nginx -V.
    Code (Text):
    nginx version: nginx/1.11.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.4.4
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.4